Windows Analysis Report
INSTALL.EXE

Overview

General Information

Sample name: INSTALL.EXE
Analysis ID: 1542417
MD5: 6c79d0c4d0cd0abed1f772570c4cf2cc
SHA1: c6aa158d7b20519a8638a8192b80f52b86eab4e8
SHA256: 77476e3afe3e43f8da6a97a23432c0e05feec01c11113b7a8f4f1e61e040b59b
Infos:

Detection

Score: 30
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

Writes many files with high entropy
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Source: WDSetup.EXE, 00000005.00000002.1986488473.000000006A322000.00000002.00000001.01000000.00000017.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_d3b9a20a-7
Uses 32bit PE files
Source: INSTALL.EXE Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE File created: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetupFontLicence.txt Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\INSTALL\WDSetupFontLicence.txt Jump to behavior
Source: INSTALL.EXE Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: H:\source\source.YB\79749\Release_preinstall_9\WX\Desktop_x86_32\Release\SetupFTP.pdb source: INSTALL.EXE, 00000001.00000000.1154931373.00000000004C3000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: H:\source\source.PAD\91845\Release_wdobj_261\WX\Desktop_x86_32\Release\wd260obj.pdb' source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2287778764.0000000068801000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: C:\source\source.SAM\58099\Release_WebKit_14_Source\PCS\PCSWebKitDLL\WX\Win32\Release\bin\wd260wk.pdbpR>d source: WDSetup.EXE, 00000005.00000003.1562198990.0000000008BFC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: H:\source\source.PAD\91845\Release_wdobj_261\WX\Desktop_x86_32\Release\wd260obj.pdb source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2287778764.0000000068801000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: C:\source\source.SAM\58099\Release_WebKit_14_Source\PCS\PCSWebKitDLL\WX\Win32\Release\bin\wd260wk.pdb source: WDSetup.EXE, 00000005.00000003.1562198990.0000000008BFC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: H:\source\source.SAM\79765\Release_wdexe_75\WX\Desktop_x86_32\Release\WDExe.pdbe source: WDSetup.EXE, 00000005.00000003.1570498209.0000000008F95000.00000004.00000020.00020000.00000000.sdmp, SIGA-ADMINISTRATION.exe, 0000000C.00000000.1645869868.0000000000BB2000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: H:\source\source.MG\91382\Release_wdhf_263\WX\Desktop_x86_32\Release\wd260hf.pdb source: WDSetup.EXE, 00000005.00000002.2021980964.000000006AA1B000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: H:\source\source.GP\79788\Release_WDMetabase_7\wx\Desktop_x86_32\Release\WDMetabase.pdb source: INSTALL.EXE, 00000001.00000003.1260444365.00000000015FD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\source\source.GF\92082\Release_wdhtml_7\WX\Desktop_x86_32\Release\WD260HTML.pdb source: WDSetup.EXE, 00000005.00000003.1552176753.0000000008BD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: H:\source\source.SAM\73975\Release_wdexe_75\WX\Desktop_x86_32\Release\WDExe.pdb source: WDSetup.EXE, 00000005.00000003.1271448834.00000000024E3000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000000.1265854653.0000000000532000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: H:\source\source.RR\79738\Release_wdtrs_35\WX\Desktop_x86_32\Release\wd260trs.pdb+ source: INSTALL.EXE, 00000001.00000003.1254506738.00000000015FD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\source\source.YB\91875\Release_wdvm_59\wx\Desktop_x86_32\Release\wd260vm.PDB source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2424167458.0000000069CDC000.00000002.00000001.01000000.00000019.sdmp
Source: Binary string: L5jsuccessfulmalformedrequestinternalerrortrylatersigrequiredunauthorizedgoodunspecifiedkeyCompromisecACompromiseaffiliationChangedsupersededcessationOfOperationcertificateHoldremoveFromCRL(UNKNOWN)crypto\ocsp\ocsp_vfy.ccompiler: cl /Z7 /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMOpenSSL 1.1.1d 10 Sep 2019built on: Fri Oct 11 16:24:32 2019 UTCplatform: VC-WIN32OPENSSLDIR: "M:\Source.WX\WDCom\LibExternes\openssl\WX\WIN32\release"ENGINESDIR: "M:\Source.WX\WDCom\LibExternes\openssl\WX\WIN32\release\lib\engines-1_1"not available%lu:%s:%s:%d:%s source: WDSetup.EXE, 00000005.00000002.1986488473.000000006A322000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: H:\source\source.YV\80306\Release_wdautoex_9\WX\Desktop_x86_32\Release\WdAutoEx.pdb source: INSTALL.EXE, 00000000.00000000.1151554817.00000000006ED000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: H:\source\source.SAM\73975\Release_wdexe_75\WX\Desktop_x86_32\Release\WDExe.pdb[ source: WDSetup.EXE, 00000005.00000003.1271448834.00000000024E3000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000000.1265854653.0000000000532000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: H:\source\source.SAM\79765\Release_wdexe_75\WX\Desktop_x86_32\Release\WDExe.pdb source: WDSetup.EXE, 00000005.00000003.1570498209.0000000008F95000.00000004.00000020.00020000.00000000.sdmp, SIGA-ADMINISTRATION.exe, 0000000C.00000000.1645869868.0000000000BB2000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: H:\source\source.GP\87613\Release_wdpnt_69\WX\Desktop_x86_32\Release\wd260pnt.pdb source: WDSetup.EXE, 00000005.00000002.2052440671.000000006B4FD000.00000002.00000001.01000000.00000011.sdmp, SIGA-ADMINISTRATION.exe, 0000000C.00000002.2256481971.000000006830B000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: compiler: cl /Z7 /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: WDSetup.EXE, 00000005.00000002.1986488473.000000006A322000.00000002.00000001.01000000.00000017.sdmp, SIGA-ADMINISTRATION.exe, 0000000C.00000002.2195204845.0000000067183000.00000002.00000001.01000000.00000021.sdmp
Source: Binary string: H:\source\source.GP\91849\Release_wdmdl_37\WX\Desktop_x86_32\Release\wd260mdl.pdb source: WDSetup.EXE, 00000005.00000002.2038961916.000000006B073000.00000002.00000001.01000000.00000012.sdmp, SIGA-ADMINISTRATION.exe, 0000000C.00000002.2208071294.00000000675AB000.00000002.00000001.01000000.00000020.sdmp
Source: Binary string: H:\source\source.YV\80306\Release_wdautoex_9\WX\Desktop_x86_32\Release\WdAutoEx.pdb: source: INSTALL.EXE, 00000000.00000000.1151554817.00000000006ED000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: gsuccessfulmalformedrequestinternalerrortrylatersigrequiredunauthorizedgoodunspecifiedkeyCompromisecACompromiseaffiliationChangedsupersededcessationOfOperationcertificateHoldremoveFromCRL(UNKNOWN)crypto\ocsp\ocsp_vfy.ccompiler: cl /Z7 /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMOpenSSL 1.1.1d 10 Sep 2019built on: Fri Oct 11 16:24:32 2019 UTCplatform: VC-WIN32OPENSSLDIR: "M:\Source.WX\WDCom\LibExternes\openssl\WX\WIN32\release"ENGINESDIR: "M:\Source.WX\WDCom\LibExternes\openssl\WX\WIN32\release\lib\engines-1_1"not available%lu:%s:%s:%d:%s source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2195204845.0000000067183000.00000002.00000001.01000000.00000021.sdmp
Source: Binary string: H:\source\source.DS\91575\Release_wdstd_81\WX\Desktop_x86_32\Release\wd260std.pdb source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2388162641.00000000697F1000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: C:\source\source.DS\89287\Release_wdcom_89\WX\Desktop_x86_32\Release\wd260com.pdb source: WDSetup.EXE, 00000005.00000002.1986488473.000000006A322000.00000002.00000001.01000000.00000017.sdmp, SIGA-ADMINISTRATION.exe, 0000000C.00000002.2195204845.0000000067246000.00000002.00000001.01000000.00000021.sdmp
Source: Binary string: H:\source\source.AP\91518\Release_wdxml_93\WX\Desktop_x86_32\Release\wd260xml.pdb source: WDSetup.EXE, 00000005.00000002.2004416457.000000006A71D000.00000002.00000001.01000000.00000016.sdmp, SIGA-ADMINISTRATION.exe, 0000000C.00000002.2217506054.000000006787F000.00000002.00000001.01000000.0000001F.sdmp
Source: Binary string: H:\source\source.YB\79749\Release_preinstall_9\WX\Desktop_x86_32\Release\SetupFTP.pdb\ source: INSTALL.EXE, 00000001.00000000.1154931373.00000000004C3000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\source\source.IC\79759\Release_wdpdf_23\WX\Desktop_x86_32\Release\wd260pdf.pdb source: WDSetup.EXE, 00000005.00000003.1554487092.0000000008BE6000.00000004.00000020.00020000.00000000.sdmp, SIGA-ADMINISTRATION.exe, 0000000C.00000002.2233545225.00000000680DD000.00000002.00000001.01000000.0000001E.sdmp
Source: Binary string: C:\source\source.IC\79759\Release_wdpdf_23\WX\Desktop_x86_32\Release\wd260pdf.pdbc source: WDSetup.EXE, 00000005.00000003.1554487092.0000000008BE6000.00000004.00000020.00020000.00000000.sdmp, SIGA-ADMINISTRATION.exe, 0000000C.00000002.2233545225.00000000680DD000.00000002.00000001.01000000.0000001E.sdmp
Source: Binary string: H:\source\source.YV\79805\Release_wdrtf_25\WX\Desktop_x86_32\Release\wd260rtf.pdb source: WDSetup.EXE, 00000005.00000003.1541205718.0000000008BDE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: H:\source\source.RR\79738\Release_wdtrs_35\WX\Desktop_x86_32\Release\wd260trs.pdb source: INSTALL.EXE, 00000001.00000003.1254506738.00000000015FD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: H:\source\source.RR\80476\Release_wduni_27\Build\Desktop_x86_32\Release\wd260UNI.pdb source: WDSetup.EXE, 00000005.00000003.1393687929.0000000007F09000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_6741AB59 LoadLibraryW,GetProcAddress,GetFileInformationByHandle,GetLogicalDriveStringsW,GetVolumeInformationW, 12_2_6741AB59
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File opened: C:\Users\user\AppData\Local\Temp\GAB4F22.tmp\GenFlat_Mailing.gif Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File opened: C:\Users\user\AppData\Local\Temp\GAB4F22.tmp\GenFlat_Pict_BrwFirst_V_24_5.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File opened: C:\Users\user\AppData\Local\Temp\GAB4F22.tmp\GenFlat_Pict_Add_16_5.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File opened: C:\Users\user\AppData\Local\Temp\GAB4F22.tmp\GenFlat_Pict_Browse_16_5.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File opened: C:\Users\user\AppData\Local\Temp\GAB4F22.tmp\GenFlat_Pict_Apply_16_5.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File opened: C:\Users\user\AppData\Local\Temp\GAB4F22.tmp\GenFlat_MailingUS.gif Jump to behavior
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/x-zip-compressedLast-Modified: Thu, 16 Jun 2022 23:23:49 GMTAccept-Ranges: bytesETag: "852f922d881d81:0"Server: Microsoft-IIS/8.0X-Powered-By: ASP.NETAccess-Control-Allow-Origin: *Access-Control-Allow-Headers: *Access-Control-Request-Method: *Date: Fri, 25 Oct 2024 20:13:12 GMTContent-Length: 30660388Data Raw: 50 4b 03 04 14 00 00 08 08 00 bb 9a d0 54 e9 06 7a f5 b0 2b 00 00 0c d1 01 00 09 00 00 00 49 4e 53 54 2e 57 58 46 00 ed 5d db 72 1c 37 92 c5 c3 be 78 23 f6 1f f8 e2 f1 4c 84 45 77 57 5f e9 31 3d 41 35 2f a2 cd db f0 22 cd c5 13 0c 8a a4 24 7a 24 92 66 93 b2 e5 89 f9 1e ff 96 df 76 34 1f b1 bb c8 4c a0 00 54 65 02 60 b7 b4 96 23 10 8c 26 59 00 12 c8 4c 24 32 51 07 55 d9 ff fb 3f 7f 55 4f d4 aa 5a 57 7f 53 ff a5 fe 53 1d a8 0b f5 5c 2d eb b2 3f e9 b2 b1 29 bb 52 a7 ba fc 5c dd ea cf b2 6e bd a9 76 d4 9a da 53 2b 58 bf a2 ae f5 cf 4b dd 62 59 b7 dd 54 1b ba e4 81 fe ac aa 6d 6c b9 a9 4b 0f d5 be 2e 39 d4 ff ef ea 12 a0 7a ac fb ba 51 53 4d 75 a5 2e 35 65 57 2d aa 8e fe 99 a8 13 ac df d6 e5 67 ba 8d df 7b 85 35 fb ba f4 5a f7 7e ae 9e e9 b2 2f 74 1f 37 9a 97 1b dd fe b9 fe 7d a2 5e 69 ce 2f 34 c5 b9 ae f9 52 7d 53 f3 e4 68 a1 fe 74 c6 1e 56 d4 9d d6 c3 95 ae fb 41 7f 4e 35 3d 94 92 9c cb f5 18 cf cd ff 7b ba b7 5b f5 42 4b 05 52 c2 68 1d 2c bf 54 5b ba e6 52 b7 bb 43 9d 76 b1 d4 2f fb ad 6e d9 55 bf d3 75 03 46 5f bb 9a bb 33 46 6b 8f 74 fd 14 f9 bb d1 ff 7d 87 3d 75 f5 0f 71 03 12 bf d4 2d 2f ea 5e b7 75 eb e7 9a f3 4b 9c db 1b dd e7 85 fe 6f 59 f7 07 b3 0d 65 0b ba bd 9d 81 53 94 86 38 80 f2 05 f5 56 5f bf d5 7f 5f 23 35 68 f0 0e 35 f7 52 97 02 ed b5 6e 75 a3 ff 4e 6b 9a 33 ad dd 0b fd 3f f1 79 83 3d 9e 6b aa 1b 6c 7d 65 fe bb d3 2d 80 fe 15 b6 83 ff 7e d6 9f 6f eb 7a e0 6e 41 b7 f9 04 e7 e8 d6 8c 34 d5 7f cf 90 e2 1a c7 bb 50 4f 71 16 fd 9e 5f 9a 7e af f4 e7 1c e5 5e f4 34 b1 62 24 b9 c5 5e 60 64 db 2a 4f 27 af 51 2b ff 46 c9 a0 dd 45 ad d9 1b 1c f1 1a 67 24 5f d2 45 fd ff 63 d4 0f 69 f5 5c fd 88 da 3c d1 25 c4 e9 02 ce f6 1d 8e 32 45 0e ae f0 ef 2b 5c 3f 17 da e6 42 1e a7 b5 f6 be c3 5e 6f 0d 7f a0 99 4f 04 b9 7c 0d 1d e0 78 d7 5a 1f b0 9e 0f b5 1f d8 a9 d7 f5 82 fa 5c 7f 56 50 da 7f e3 18 67 28 91 dc b3 af 09 49 03 76 4d 41 1d c8 6d 57 0b ad e5 09 f6 69 e7 88 d6 dc 0d 72 78 85 14 0f 35 cd a9 fa bb a6 bb ae 57 9f 5b 07 76 35 2f ab a1 a9 7b ac cb a1 47 f2 3d b6 b6 f2 34 70 8c eb 05 ac ee 04 e7 64 4d 5f 4d 0c b7 53 c3 c3 a1 ae 7b 5e 7b 02 eb 3f f2 bd e3 86 3a d2 57 ab 46 96 33 33 53 cb ea 1f 7a a4 87 fa 33 d6 9f 81 e6 ea a1 ee ab a3 7f af 61 af ab aa a7 fa da 77 3d c0 fa 25 fd f3 40 d7 40 e9 aa fe fb 50 ff 9d e8 5a f0 eb 2b ea 9f 8c ae 26 fa c7 6a 77 53 cf 07 c8 60 3d 70 38 03 d0 62 07 2d da 7a b6 8b 40 d2 b4 84 eb b8 42 be d3 6d 56 d4 57 8d de 69 26 8e 74 e9 56 50 03 ff 83 0f fd 0c eb d7 d0 03 53 d9 39 f6 76 a9 67 fa 1c 3d 3a d9 c6 43 f4 09 e7 81 0f 8f 73 b6 a8 c8 af 3b dd dc e2 1c 9e 6b 0a 98 0d cb 9b bd 22 3d 5c e0 5a 04 0e b7 f5 e7 a5 f1 1e 17 8a e2 25 Data Ascii: PK
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/x-zip-compressedLast-Modified: Thu, 16 Jun 2022 23:21:58 GMTAccept-Ranges: bytesETag: "f65b21e0d781d81:0"Server: Microsoft-IIS/8.0X-Powered-By: ASP.NETAccess-Control-Allow-Origin: *Access-Control-Allow-Headers: *Access-Control-Request-Method: *Date: Fri, 25 Oct 2024 20:13:36 GMTContent-Length: 8517478Data Raw: 50 4b 03 04 14 00 00 08 08 00 28 8a bd 50 ef ff cc a2 55 01 00 00 54 01 00 00 38 00 00 00 50 65 72 73 6f 6e 6e 65 6c 2f 53 49 47 41 2f 45 78 65 2f 53 49 47 41 2d 41 44 4d 49 4e 49 53 54 52 41 54 49 4f 4e 2f 42 61 73 65 2d 44 6f 6e 6e 65 65 73 2e 70 6e 67 00 eb 0c f0 73 e7 e5 92 e2 62 60 60 e0 f5 f4 70 09 02 d2 02 20 cc c1 06 24 e5 3f ff 4f 04 52 8c c5 41 ee 4e 0c eb ce c9 bc 04 72 58 d2 1d 7d 1d 19 18 36 f6 73 ff 49 64 05 f2 39 0b 3c 22 8b 19 18 f8 0e 83 30 e3 f1 fc 15 29 40 c1 97 9e 2e 8e 21 16 fe c9 0d 8c df bf bd e5 ca 3b 6b ad 75 27 ba 2c af 3c f7 ee 4e f9 b6 bb d1 65 6b cb b3 6f 06 32 4c 6a d7 4a 9d 61 57 bb eb 50 8f a4 f1 33 e7 9d 0e 67 d7 5a 4b df 89 2e ff ab de e2 c8 d6 78 25 59 e2 c1 b5 5d d9 76 66 bc 33 2a ca ed 3d 6c bb 18 13 96 33 fb b2 59 dd 67 5e c2 70 f3 67 41 fe 96 b7 39 e5 b9 f7 5e b3 2d da 28 c5 60 58 fb bb 7a c2 7f c5 7b 8e 87 13 0a 17 d8 04 c8 ca 31 77 1c 6e 3e cc b0 e0 d9 d5 cb cb 7c 7f 1b 17 3f f3 e1 9d c4 cb 90 95 c5 90 55 67 93 7d 6d cd 7f 87 e9 16 13 72 18 3c 84 2f b0 4e 3f 69 c6 f0 aa d5 6f 81 f7 be c6 43 49 09 4c 13 77 b1 dd b8 fe fe 79 41 ee cd 9f 32 b3 93 4a 78 82 da 13 19 38 2a ae e6 4f 64 58 5a bc 60 d1 e7 17 b3 1c 6e ac 2d 3d 5e 18 30 89 6d 25 f3 4a 77 89 03 07 18 18 66 79 f2 e6 1d 2b 7f f1 0d e8 69 06 4f 57 3f 97 75 4e 09 4d 00 50 4b 03 04 14 00 00 08 08 00 0e 8b 6c 4f f2 eb bb 3c 33 14 00 00 30 15 00 00 42 00 00 00 50 65 72 73 6f 6e 6e 65 6c 2f 53 49 47 41 2f 45 78 65 2f 53 49 47 41 2d 41 44 4d 49 4e 49 53 54 52 41 54 49 4f 4e 2f 43 4d 2f 61 76 61 74 61 72 73 2f 43 4d 5f 66 65 6d 6d 65 2d 30 31 2e 70 6e 67 00 7d 58 07 50 53 5b bb 0d 01 42 6f d2 8b 1a 9a 40 28 49 e8 44 7a 51 10 50 7a 51 41 02 04 08 25 09 49 e8 52 22 1a a9 2a 28 bd 08 d2 7b 11 04 14 34 74 50 a4 49 15 90 22 20 28 f5 52 2d c0 c3 7b ff 7b df 9b 37 73 ff 3d 73 e6 ec 6f cf 5a df 5e df b7 d7 9e 33 73 a2 cd ae 5e 66 61 14 60 04 00 00 2c 46 86 fa 16 a7 6f 9b df 0f 3d 08 00 a0 12 31 37 47 9e 06 fc 44 03 3b a2 25 d6 8d 18 80 c4 a3 00 3a ae 58 67 14 d8 c8 07 e9 8e b2 40 21 5d 83 7c 7b 51 ea 00 00 b5 08 da ca 8e 68 67 6a 82 70 c1 fa c8 21 7f 63 e4 02 7d 70 80 df 43 5d 2b 10 87 74 f1 42 11 c1 ce 28 77 34 46 43 64 f3 d5 1b 11 30 da 55 43 c4 56 c9 14 66 8a d3 43 79 a0 0d 83 f1 28 cb e0 ab 56 2e c1 5e 2e 6a ae 22 5a 9a 60 f5 40 c4 69 02 1f 14 11 09 0e f4 f1 c6 10 10 81 1a 22 7f e6 45 9c ce 7f 2f 43 45 c0 7f 42 88 5e 1a 22 7f 89 b2 33 35 03 eb 61 f1 28 b0 92 1c 4c d6 05 a6 0c 07 2b 2b ca c1 15 61 6a 8a 6a 32 60 79 18 1c 06 85 cb 43 61 2a b2 70 18 42 49 05 01 83 83 ff 33 44 4e 77 c3 bb ba 21 2c f4 2f fd 67 af d3 48 43 c4 83 48 c4 21 a0 d0 80 80 00 b9 00 05 39 2c de 1d 0a 57 Data Ascii: PK
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/x-zip-compressedLast-Modified: Thu, 16 Jun 2022 23:22:01 GMTAccept-Ranges: bytesETag: "7664b0e1d781d81:0"Server: Microsoft-IIS/8.0X-Powered-By: ASP.NETAccess-Control-Allow-Origin: *Access-Control-Allow-Headers: *Access-Control-Request-Method: *Date: Fri, 25 Oct 2024 20:13:41 GMTContent-Length: 15613527Data Raw: 50 4b 03 04 14 00 00 08 08 00 ac 7c 31 53 8e cd 93 97 13 30 1a 00 f8 04 2a 00 0f 00 00 00 31 2f 77 64 32 36 30 72 74 66 2e 64 6c 6c 00 ec bd 79 5c 53 47 f7 30 3e f7 12 20 ac f7 aa 20 a8 a8 88 41 71 47 c1 ba e0 02 2e 88 55 31 80 04 15 01 db aa 8d b8 2b 58 6b 5d 82 49 94 70 0d 2e d5 aa b5 b6 a2 d5 d6 a5 d5 aa 75 5f 80 20 88 2b ae b5 6a dd 97 7b 51 5b 1b 15 97 aa f9 9d 33 09 e6 d2 e7 f9 be ef ef fd 7c de 3f df 68 96 3b cb 99 33 33 67 ce 36 67 86 41 c3 17 13 17 42 88 02 de 36 1b 21 7b 89 fd 15 4d fe f7 af 30 86 10 df c6 fb 7d c9 2e 8f 53 4d f6 32 03 4f 35 19 a2 1d 3b 2d 78 f2 d4 49 9f 4e fd 68 42 f0 27 1f 4d 9c 38 29 2b f8 e3 d1 c1 53 b3 27 06 8f 9d 18 dc 67 70 52 f0 84 49 a3 46 b7 f5 f1 f1 54 39 60 bc 9b b7 a0 fb fe 3b d2 c4 ea f7 0d 63 e5 a4 5f e9 f7 a3 49 b3 e9 f7 e3 49 9b e0 5b d5 bb ed c4 c3 f0 2d 0a 8f 27 6d a1 df 95 93 d6 d1 7c 71 d2 21 5a 57 9c 38 08 be d7 84 2e 98 78 80 e6 3f 9a b4 14 be 5b e4 dd 9c a4 a2 df d2 a4 03 f4 bb 2e cd df 7f 67 ce 44 fb f3 43 9a 9e 38 f6 13 2d b6 ff 3f f5 55 dd 97 90 81 8c 2b 39 b4 6a c9 c8 ea b4 9b 84 6d e2 c5 f8 f2 e4 64 13 42 e6 f0 34 ad 64 5c 63 42 f0 e7 cd 26 f8 c8 d3 df 2c 21 6e 8e 3a d5 df 44 d7 81 0e fa 92 81 2d 21 3b 9a a1 95 78 7b 15 fb b7 fd ab e2 ab 50 a2 82 dc 67 2b 42 49 18 26 aa db 93 cb de c4 f9 7a d6 82 bc c4 82 23 db 93 67 b5 18 12 5c a9 22 93 c9 ff fc fa f1 e3 a6 35 e7 16 f0 5c 0c f8 cd 5a 16 4a 46 fe 97 f2 6d b3 46 cf c8 82 ef 09 27 9a d8 11 c2 be 2a 6a 96 09 86 d6 db 4e 1d f5 51 d6 47 84 18 4a 5d ec 7d 3f 06 df 15 4d 6a 94 8b 86 ff 6d ed c5 c8 e2 65 5e 84 6c 0f 25 a4 1b 94 5b 19 fa ef 72 85 6d a7 4e 9b fa 09 fc a6 7d 85 3e 13 5f f8 be 10 f6 9f f0 a6 8e 1e 3f 09 0a 62 df 71 0c 48 6d f8 be fd 1f e5 7a 91 ff f7 fa af af 93 ff 87 2f 8d 90 a5 f2 16 e2 15 29 c2 2c f8 ee a7 88 2a 9a ca 0a 45 02 a7 16 dc d4 09 a2 ad b6 2f d1 97 78 1b 0b b3 e3 84 c1 0a 41 a3 88 3a 9e d5 63 7a 93 a8 b3 d3 3a 0b 3d 1f ba 98 fb 13 5d b7 00 92 ad ec 15 75 76 ea f3 8c 74 4b 46 fa 5e 98 2e 62 89 3a 3e 2d 40 f8 c0 3c 4a 05 f9 be 90 1f 13 75 9c e6 eb 8f d9 e0 33 53 21 16 ef 70 25 c2 40 95 52 5f a2 30 29 2d 5f 3d 24 7c c7 34 86 3f 7f 8e e5 7b d5 66 f9 92 85 84 df 3b 96 f0 5e a9 0c ff f8 3a cb 0f f7 71 e1 93 06 30 7c bc 8a e5 89 a7 a7 27 e3 e9 7c b1 f0 76 f1 fc ff ff 52 c0 db f5 3f 93 dd fe 33 e9 7f 7e b9 c3 5b 09 6f 8f df ac 2c 3f dd 85 e5 fd 72 58 fe 4e 67 96 ff fa 5b 58 53 0a 05 a3 50 28 58 c5 7f 7f b9 f8 f4 66 f8 e3 47 08 9f ec c7 f2 1b f7 10 fe 83 7c 96 ff 33 88 e5 0f 8f 82 ce 31 6e ac 9b 9b 9b 8b 9b fd a5 70 ab f9 72 3d 70 8b f0 37 dc 18 de 66 62 f8 92 af 08 7f a5 2b c3 57 8c 63 f8 b5 fd 08 7f 78 32 cb 6f 18 ce f2 d7 bc 19 fe 0f Data Ascii: PK
Source: global traffic HTTP traffic detected: GET /SIGA-ADMINISTRATION/INSTALL/INSTALL.ZIP HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: PC SOFTHost: www.inf-az.com
Source: global traffic HTTP traffic detected: GET /SIGA-ADMINISTRATION/INSTALL/__WDINST.ZIP HTTP/1.1Cache-Control: no-cacheUser-Agent: WDSetupHost: www.inf-az.com
Source: global traffic HTTP traffic detected: GET /SIGA-ADMINISTRATION/INSTALL/_FRAMEWORK.ZIP HTTP/1.1Cache-Control: no-cacheUser-Agent: WDSetupHost: www.inf-az.com
Source: WDSetup.EXE, 00000005.00000003.1552176753.0000000008BD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <body topmargin=1 leftmargin=1 marginwidth=1 marginheight=1>http://www.linkedin.com/shareArticle?mini=true&url=https://plus.google.com/share?url=http://twitter.com/home?status=http://www.facebook.com/sharer.php?u=https://twitter.com/https://www.facebook.com/http://www.delicious.com/save?v=5&noui&jump=close&url=http://www.tumblr.com/share/link?url=https://www.instagram.com/https://www.pinterest.com/https://www.linkedin.com/inhttps://plus.google.com/%27%3d%3f%23 equals www.facebook.com (Facebook)
Source: WDSetup.EXE, 00000005.00000003.1552176753.0000000008BD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <body topmargin=1 leftmargin=1 marginwidth=1 marginheight=1>http://www.linkedin.com/shareArticle?mini=true&url=https://plus.google.com/share?url=http://twitter.com/home?status=http://www.facebook.com/sharer.php?u=https://twitter.com/https://www.facebook.com/http://www.delicious.com/save?v=5&noui&jump=close&url=http://www.tumblr.com/share/link?url=https://www.instagram.com/https://www.pinterest.com/https://www.linkedin.com/inhttps://plus.google.com/%27%3d%3f%23 equals www.linkedin.com (Linkedin)
Source: WDSetup.EXE, 00000005.00000003.1552176753.0000000008BD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <body topmargin=1 leftmargin=1 marginwidth=1 marginheight=1>http://www.linkedin.com/shareArticle?mini=true&url=https://plus.google.com/share?url=http://twitter.com/home?status=http://www.facebook.com/sharer.php?u=https://twitter.com/https://www.facebook.com/http://www.delicious.com/save?v=5&noui&jump=close&url=http://www.tumblr.com/share/link?url=https://www.instagram.com/https://www.pinterest.com/https://www.linkedin.com/inhttps://plus.google.com/%27%3d%3f%23 equals www.twitter.com (Twitter)
Source: global traffic DNS traffic detected: DNS query: www.inf-az.com
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2287778764.0000000068801000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: http://TLM/WDANALYTICS_WEB/awws/WDAnalytics.rawwsTLMTLM_Critere/TLMUUDECODEDateLastAaf24B2446A4A3C44
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2140357636.0000000004090000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://api.messaging-service.com/sms/1/text/single
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: http://daneden.me/animate
Source: WDSetup.EXE, WDSetup.EXE, 00000005.00000002.2004416457.000000006A71D000.00000002.00000001.01000000.00000016.sdmp, SIGA-ADMINISTRATION.exe, SIGA-ADMINISTRATION.exe, 0000000C.00000002.2217506054.0000000067870000.00000002.00000001.01000000.0000001F.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: WDSetup.EXE, 00000005.00000002.2004416457.000000006A71D000.00000002.00000001.01000000.00000016.sdmp, SIGA-ADMINISTRATION.exe, 0000000C.00000002.2217506054.0000000067870000.00000002.00000001.01000000.0000001F.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest
Source: WDSetup.EXE, 00000005.00000002.2004416457.000000006A71D000.00000002.00000001.01000000.00000016.sdmp, SIGA-ADMINISTRATION.exe, 0000000C.00000002.2217506054.0000000067870000.00000002.00000001.01000000.0000001F.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText
Source: WDSetup.EXE, WDSetup.EXE, 00000005.00000002.2004416457.000000006A71D000.00000002.00000001.01000000.00000016.sdmp, SIGA-ADMINISTRATION.exe, SIGA-ADMINISTRATION.exe, 0000000C.00000002.2217506054.0000000067870000.00000002.00000001.01000000.0000001F.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: WDSetup.EXE, 00000005.00000002.2004416457.000000006A71D000.00000002.00000001.01000000.00000016.sdmp, SIGA-ADMINISTRATION.exe, 0000000C.00000002.2217506054.0000000067870000.00000002.00000001.01000000.0000001F.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdwsa:FaultTowsseSecu
Source: WDSetup.EXE, WDSetup.EXE, 00000005.00000002.2004416457.000000006A71D000.00000002.00000001.01000000.00000016.sdmp, SIGA-ADMINISTRATION.exe, SIGA-ADMINISTRATION.exe, 0000000C.00000002.2217506054.0000000067870000.00000002.00000001.01000000.0000001F.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: http://github.com/iamamused/
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: http://github.com/tapmodo/Jcrop
Source: WDSetup.EXE, 00000005.00000003.1702954693.000000000731B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://he.org/licenses/
Source: WDSetup.EXE, 00000005.00000002.2004416457.000000006A71D000.00000002.00000001.01000000.00000016.sdmp, SIGA-ADMINISTRATION.exe, 0000000C.00000002.2217506054.0000000067856000.00000002.00000001.01000000.0000001F.sdmp String found in binary or memory: http://https://.xsdHTTP
Source: WDSetup.EXE, 00000005.00000002.2004416457.000000006A71D000.00000002.00000001.01000000.00000016.sdmp, SIGA-ADMINISTRATION.exe, 0000000C.00000002.2217506054.0000000067856000.00000002.00000001.01000000.0000001F.sdmp String found in binary or memory: http://https://:/?_.#&;=%20
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: http://jqueryui.com
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: http://jqueryui.com/themeroller/?scope=&folderName=base&cornerRadiusShadow=8px&offsetLeftShadow=0px&
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: http://jsperf.com/alternative-isfunction-implementations
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2287778764.0000000068801000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: http://localdocument/%s/mail.htmlimage/svg
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2287778764.0000000068801000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: http://maps.google.com/maps/api/js?
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2287778764.0000000068801000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: http://maps.google.com/maps/api/js?Mozilla/5.0
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: http://maps.google.com/maps/api/js?v=3
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: http://maps.google.com/maps/api/js?v=3&libraries=geometry
Source: WDSetup.EXE, 00000005.00000003.1811487937.0000000006193000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1853871313.00000000061AE000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1320821460.00000000040B5000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1848242228.00000000061AE000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1853124520.00000000061AE000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1864421795.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1338954207.0000000006171000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.a
Source: WDSetup.EXE, 00000005.00000002.1935386751.0000000004055000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1852365093.0000000004050000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1320821460.00000000040C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.adobe
Source: WDSetup.EXE, 00000005.00000003.1320821460.00000000040B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.aobe
Source: WDSetup.EXE, 00000005.00000003.1864421795.00000000040AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.aobe/xap
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: http://opensource.org/licenses/MIT
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: http://ourcodeworld.com/articles/read/491/how-to-retrieve-images-from-the-clipboard-with-javascript-
Source: WDSetup.EXE, 00000005.00000002.2004416457.000000006A71D000.00000002.00000001.01000000.00000016.sdmp String found in binary or memory: http://purl.oclc.org/dsdl/schematron
Source: WDSetup.EXE, 00000005.00000002.2004416457.000000006A71D000.00000002.00000001.01000000.00000016.sdmp String found in binary or memory: http://relaxng.org/ns/structure/1.0
Source: WDSetup.EXE, 00000005.00000002.2004416457.000000006A71D000.00000002.00000001.01000000.00000016.sdmp String found in binary or memory: http://relaxng.org/ns/structure/1.0allocating
Source: WDSetup.EXE, 00000005.00000002.2004416457.000000006A71D000.00000002.00000001.01000000.00000016.sdmp String found in binary or memory: http://scap.nist.gov/specifications/tmsad/#resource-1.0
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2217506054.000000006784C000.00000002.00000001.01000000.0000001F.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: WDSetup.EXE, 00000005.00000002.1986488473.000000006A322000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/application/soap
Source: WDSetup.EXE, 00000005.00000002.1986488473.000000006A322000.00000002.00000001.01000000.00000017.sdmp, SIGA-ADMINISTRATION.exe, 0000000C.00000002.2195204845.000000006722C000.00000002.00000001.01000000.00000021.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/urn:dummy
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2195204845.00000000671FB000.00000002.00000001.01000000.00000021.sdmp, SIGA-ADMINISTRATION.exe, 0000000C.00000002.2217506054.0000000067841000.00000002.00000001.01000000.0000001F.sdmp, SIGA-ADMINISTRATION.exe, 0000000C.00000002.2217506054.000000006784C000.00000002.00000001.01000000.0000001F.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: WDSetup.EXE, WDSetup.EXE, 00000005.00000002.2004416457.000000006A71D000.00000002.00000001.01000000.00000016.sdmp, SIGA-ADMINISTRATION.exe, SIGA-ADMINISTRATION.exe, 0000000C.00000002.2217506054.0000000067856000.00000002.00000001.01000000.0000001F.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2388162641.00000000697F1000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: http://sha256timestamp.ws.symantec.com/sha256/timestamphttp://timestamp.globalsign.com/scripts/timst
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: http://stackoverflow.com/questions/11214651/google-maps-api-v3-gray-areas
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: http://svn.webkit.org/repository/webkit/trunk/Source/WebCore/page/animation/AnimationBase.cpp
Source: INSTALL.EXE, 00000001.00000003.1254506738.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1252302124.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1251583305.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1243276957.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1244349092.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1255414437.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1244887940.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1253218232.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1259080486.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1241688714.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1260444365.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1259928582.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1250983381.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1246787258.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1257796904.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1381367797.0000000007F05000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1393687929.0000000007F09000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1385542176.0000000007F06000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1552176753.0000000008BD9000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1547060266.0000000008BD9000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1554487092.0000000008BE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://t.symcb.com/ThawtePCA-G3.crl0
Source: INSTALL.EXE, 00000001.00000003.1254506738.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1252302124.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1251583305.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1243276957.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1244349092.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1255414437.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1244887940.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1253218232.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1259080486.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1241688714.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1260444365.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1259928582.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1250983381.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1246787258.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1257796904.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1381367797.0000000007F05000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1393687929.0000000007F09000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1385542176.0000000007F06000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1552176753.0000000008BD9000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1547060266.0000000008BD9000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1554487092.0000000008BE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://t.symcd.com0
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2388162641.00000000697F1000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: http://timestamp.globalsign.com/tsa/r6advanced1%02xMssign32.dllSignerFreeSignerContextSignerSignExSi
Source: INSTALL.EXE, 00000001.00000003.1254506738.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1252302124.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1251583305.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1243276957.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1244349092.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1255414437.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1244887940.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1253218232.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1259080486.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1241688714.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1260444365.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1259928582.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1250983381.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1246787258.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1257796904.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1381367797.0000000007F05000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1393687929.0000000007F09000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1385542176.0000000007F06000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1552176753.0000000008BD9000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1547060266.0000000008BD9000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1554487092.0000000008BE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://to.symcb.com/to.crl0
Source: INSTALL.EXE, 00000001.00000003.1254506738.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1252302124.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1251583305.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1243276957.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1244349092.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1255414437.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1244887940.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1253218232.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1259080486.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1241688714.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1260444365.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1259928582.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1250983381.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1246787258.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1257796904.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1381367797.0000000007F05000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1393687929.0000000007F09000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1385542176.0000000007F06000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1552176753.0000000008BD9000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1547060266.0000000008BD9000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1554487092.0000000008BE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://to.symcb.com/to.crt0
Source: INSTALL.EXE, 00000001.00000003.1254506738.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1252302124.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1251583305.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1243276957.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1244349092.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1255414437.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1244887940.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1253218232.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1259080486.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1241688714.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1260444365.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1259928582.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1250983381.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1246787258.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1257796904.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1381367797.0000000007F05000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1393687929.0000000007F09000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1385542176.0000000007F06000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1552176753.0000000008BD9000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1547060266.0000000008BD9000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1554487092.0000000008BE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://to.symcd.com0&
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2233545225.00000000680DD000.00000002.00000001.01000000.0000001E.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: WDSetup.EXE, WDSetup.EXE, 00000005.00000002.2004416457.000000006A71D000.00000002.00000001.01000000.00000016.sdmp String found in binary or memory: http://www.aleksey.com/xmlsec/xmlsec_2002
Source: WDSetup.EXE, 00000005.00000002.2004416457.000000006A71D000.00000002.00000001.01000000.00000016.sdmp String found in binary or memory: http://www.aleksey.com/xmlsec/xmlsec_2002#AESKeyValue
Source: WDSetup.EXE, 00000005.00000002.2004416457.000000006A71D000.00000002.00000001.01000000.00000016.sdmp String found in binary or memory: http://www.aleksey.com/xmlsec/xmlsec_2002#DESKeyValue
Source: WDSetup.EXE, 00000005.00000002.2004416457.000000006A71D000.00000002.00000001.01000000.00000016.sdmp String found in binary or memory: http://www.aleksey.com/xmlsec/xmlsec_2002#HMACKeyValue
Source: INSTALL.EXE, 00000001.00000003.1262803890.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1262727763.0000000001604000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/
Source: INSTALL.EXE, 00000001.00000003.1262727763.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1262727763.0000000001604000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1262409192.00000000015FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: INSTALL.EXE, 00000001.00000003.1262409192.00000000015FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0Digitized
Source: WDSetup.EXE, 00000005.00000002.2004416457.000000006A71D000.00000002.00000001.01000000.00000016.sdmp String found in binary or memory: http://www.ascc.net/xml/schematron
Source: WDSetup.EXE, 00000005.00000002.2004416457.000000006A71D000.00000002.00000001.01000000.00000016.sdmp String found in binary or memory: http://www.ascc.net/xml/schematronhttp://purl.oclc.org/dsdl/schematronallocating
Source: INSTALL.EXE, 00000001.00000003.1262409192.00000000015FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ascendercorp.com/http://www.ascendercorp.com/typedesigners.htmlLicensed
Source: INSTALL.EXE, 00000001.00000003.1263557777.00000000015C8000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1915174639.00000000015B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.inf-az.com/SIGA-ADMINISTRATION/INSTALL/INSTALL.ZIP
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000003.1660696891.0000000001156000.00000004.00000020.00020000.00000000.sdmp, SIGA-ADMINISTRATION.exe, 0000000C.00000002.2110360187.0000000001122000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.inf-az.com/SIGA-ADMINISTRATION/INSTALL/WDUPDATE.NET
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000003.1660696891.0000000001156000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.inf-az.com/SIGA-ADMINISTRATION/INSTALL/WDUPDATE.NETNoV
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2110360187.0000000001122000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.inf-az.com/SIGA-ADMINISTRATION/INSTALL/WDUPDATE.NETP
Source: WDSetup.EXE, WDSetup.EXE, 00000005.00000003.1702954693.000000000731B000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000002.1967418778.00000000073F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.inf-az.com/SIGA-ADMINISTRATION/INSTALL/_FRAMEWORK.ZIP
Source: WDSetup.EXE, 00000005.00000003.1702954693.000000000731B000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1751999551.000000000726C000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000002.1963048059.00000000072C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.inf-az.com/SIGA-ADMINISTRATION/INSTALL/_UPDATE.ZIP
Source: WDSetup.EXE, 00000005.00000003.1751999551.000000000726C000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000002.1963048059.00000000072C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.inf-az.com/SIGA-ADMINISTRATION/INSTALL/_UPDATE.ZIPX
Source: WDSetup.EXE, WDSetup.EXE, 00000005.00000002.1963048059.00000000072BC000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1751999551.000000000726C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.inf-az.com/SIGA-ADMINISTRATION/INSTALL/__WDINST.ZIP
Source: WDSetup.EXE, 00000005.00000003.1552176753.0000000008BD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.linkedin.com/shareArticle?mini=true&url=https://plus.google.com/share?url=http://twitter.
Source: WDSetup.EXE, 00000005.00000003.1279761130.0000000000A82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pcsoft.fr
Source: WDSetup.EXE, 00000005.00000003.1751999551.000000000726C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pcsoft.fr58
Source: WDSetup.EXE, 00000005.00000002.1898270914.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pcsoft.frn
Source: WDSetup.EXE, 00000005.00000003.1320821460.00000000040C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.w3.
Source: WDSetup.EXE, 00000005.00000003.1864421795.00000000040AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wwww3.1999
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2424167458.0000000069CDC000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https:///WDANALYTICSCOLLECT_WEB/Collect.rawp?MUI=
Source: WDSetup.EXE, 00000005.00000003.1807500114.0000000006AEB000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1876798629.0000000006AEB000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1770634575.0000000006AE2000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1332928815.0000000006AE2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://admin.pcscloud.net/8
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=378607
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=449857
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=470258
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=589347
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://bugs.jquery.com/ticket/12359
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://bugs.jquery.com/ticket/13378
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://bugs.jquery.com/ticket/13393
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://bugs.jquery.com/ticket/4833
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=136851
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=137337
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=29084
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=687787
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://codepen.io/teeganlincoln/pen/mjjzeE)
Source: WDSetup.EXE, 00000005.00000002.1986488473.000000006A322000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/CSS/display
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Control_flow_and_error_handling
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://developer.mozilla.org/en/DOM/window.scrollX)
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://developers.google.com/maps/documentation/javascript/tutorial?hl=fr
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://drafts.csswg.org/cssom/#common-serializing-idioms
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://drafts.csswg.org/cssom/#resolved-values
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://github.com/jquery/jquery/pull/557)
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://github.com/jquery/sizzle/pull/225
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://github.com/jrburke/requirejs/wiki/Updating-existing-libraries#wiki-anon
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://github.com/nickpettit/glide
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://github.com/whatwg/html/issues/2369
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://html.spec.whatwg.org/#nonce-attributes
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://html.spec.whatwg.org/#strip-and-collapse-whitespace
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/forms.html#category-listed
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/forms.html#concept-fe-disabled
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/forms.html#concept-option-disabled
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/scripting.html#selector-disabled
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/scripting.html#selector-enabled
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/syntax.html#attributes-2
Source: WDSetup.EXE, 00000005.00000002.2021980964.000000006AA1B000.00000002.00000001.01000000.00000015.sdmp, SIGA-ADMINISTRATION.exe, 0000000C.00000002.2371896959.000000006959E000.00000002.00000001.01000000.0000001B.sdmp String found in binary or memory: https://http://?wsdl/WDSOAPDB_WEB/WDSoapDB.rawwsErrorErrorCodeErrorMsgrequestDetailedNoSysTablelistS
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://i.stack.imgur.com/WSmLn.png?s=32&g=1
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://infra.spec.whatwg.org/#strip-and-collapse-ascii-whitespace
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://jquery.com/
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://jquery.org/license
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://js.foundation/
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://jsperf.com/getall-vs-sizzle/2
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://jsperf.com/thor-indexof-vs-for/5
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://maps.googleapis.com/maps/api/geocode/json?address=
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://maps.googleapis.com/maps/api/geocode/json?address=1600
Source: WDSetup.EXE, 00000005.00000003.1291306325.0000000003031000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000002.1898270914.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pcscloud.net/FR/
Source: WDSetup.EXE, 00000005.00000002.1898270914.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pcscloud.net/FR/cloud_service.awp
Source: WDSetup.EXE, 00000005.00000002.1898270914.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pcscloud.net/FR/cloud_service_plateforme.awp
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://promisesaplus.com/#point-48
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://promisesaplus.com/#point-54
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://promisesaplus.com/#point-57
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://promisesaplus.com/#point-59
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://promisesaplus.com/#point-61
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://promisesaplus.com/#point-64
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://promisesaplus.com/#point-75
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://sizzlejs.com/
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://stackoverflow.com/questions/5608758/get-delete-event-of-edited-element
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://web.archive.org/web/20100324014747/http://blindsignals.com/index.php/2009/07/jquery-delay/
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2302645356.0000000068A33000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://web.archive.org/web/20141116233347/http://fluidproject.org/blog/2008/01/09/getting-setting-a
Source: WDSetup.EXE, 00000005.00000003.1552176753.0000000008BD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com/analytics
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2287778764.0000000068801000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://www.google.fr/search?q=%shttps://www.google.com/search?q=%shttp://help.windev.com/aaf.awp?t=
Source: WDSetup.EXE, 00000005.00000003.1288683686.0000000003036000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.pcsoft.fr
Source: WDSetup.EXE, 00000005.00000003.1770634575.0000000006AE2000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1332928815.0000000006AE2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.pcsoft.fr/cloud/F
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2174256737.00000000063F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.pcsoft.fr/windev/FAA.html$
Source: WDSetup.EXE, 00000005.00000002.1898270914.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.pcsoft.frM
Source: INSTALL.EXE, 00000001.00000003.1254506738.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1252302124.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1251583305.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1243276957.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1244349092.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1255414437.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1244887940.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1253218232.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1259080486.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1241688714.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1260444365.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1259928582.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1250983381.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1246787258.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1257796904.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1381367797.0000000007F05000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1393687929.0000000007F09000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1385542176.0000000007F06000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1552176753.0000000008BD9000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1547060266.0000000008BD9000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1554487092.0000000008BE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.thawte.com/cps0/
Source: INSTALL.EXE, 00000001.00000003.1254506738.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1252302124.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1251583305.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1243276957.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1244349092.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1255414437.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1244887940.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1253218232.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1259080486.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1241688714.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1260444365.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1259928582.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1250983381.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1246787258.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1257796904.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1381367797.0000000007F05000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1393687929.0000000007F09000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1385542176.0000000007F06000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1552176753.0000000008BD9000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1547060266.0000000008BD9000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1554487092.0000000008BE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.thawte.com/repository04
Source: INSTALL.EXE, 00000001.00000003.1254506738.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1252302124.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1251583305.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1243276957.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1244349092.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1255414437.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1244887940.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1253218232.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1259080486.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1241688714.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1260444365.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1259928582.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1250983381.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1246787258.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1257796904.00000000015FD000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1381367797.0000000007F05000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1393687929.0000000007F09000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1385542176.0000000007F06000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1552176753.0000000008BD9000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1547060266.0000000008BD9000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1554487092.0000000008BE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.thawte.com/repository0W

Spam, unwanted Advertisements and Ransom Demands
barindex
Writes many files with high entropy
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\INSTALL[1].zip entropy: 7.99897257427 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE File created: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\INSTALL.ZIP entropy: 7.99897257427 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE File created: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\ServeursWeb.wdk entropy: 7.99437388801 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\C7S8M5VS\_UPDATE[1].zip entropy: 7.99950640864 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\_UPDATE.ZIP entropy: 7.99950640864 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\INSTALL\_FRAMEWORK.ZIP entropy: 7.99932122592 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\INSTALL\_UPDATE.ZIP entropy: 7.99950640864 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\INSTALL\__WDINST.ZIP entropy: 7.99958050958 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\INSTALL\INSTALL.ZIP entropy: 7.99897257427 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\INSTALL\ServeursWeb.wdk entropy: 7.99437388801 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\__WDINST[1].zip entropy: 7.99958050958 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\__WDINST.ZIP entropy: 7.99958050958 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\PAGE_CENTRE.awl entropy: 7.99083481773 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\CM\pdf\CM_MyZI S jours.pdf entropy: 7.99793795771 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\CM\pdf\CM_MyZi Thailande.pdf entropy: 7.99886121836 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\90SNK17T\_FRAMEWORK[1].zip entropy: 7.99932122592 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\_FRAMEWORK.ZIP entropy: 7.99932122592 Jump to dropped file
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: 5_2_6A638BEB 5_2_6A638BEB
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: 5_2_6A688B90 5_2_6A688B90
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: 5_2_6A70C887 5_2_6A70C887
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: 5_2_6A6A494F 5_2_6A6A494F
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: 5_2_6A70A9FD 5_2_6A70A9FD
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: 5_2_6A66CEB2 5_2_6A66CEB2
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: 5_2_6A6F4E90 5_2_6A6F4E90
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: 5_2_6A674F54 5_2_6A674F54
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: 5_2_6A6F4C61 5_2_6A6F4C61
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: 5_2_6A67AC5D 5_2_6A67AC5D
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: 5_2_6AF28A80 5_2_6AF28A80
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_67117200 12_2_67117200
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_671151C5 12_2_671151C5
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_6744240B 12_2_6744240B
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_6741A360 12_2_6741A360
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_674603E6 12_2_674603E6
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_6754CE08 12_2_6754CE08
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_67538C00 12_2_67538C00
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_6754CCE4 12_2_6754CCE4
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_67418A80 12_2_67418A80
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_675357D0 12_2_675357D0
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_6742F52F 12_2_6742F52F
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_675233B6 12_2_675233B6
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_6744FD2D 12_2_6744FD2D
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_67421C97 12_2_67421C97
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_6742DCB0 12_2_6742DCB0
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_67445BB7 12_2_67445BB7
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_6742195D 12_2_6742195D
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_674218F6 12_2_674218F6
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_6781E649 12_2_6781E649
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_6778230A 12_2_6778230A
Found potential string decryption / allocating functions
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: String function: 6754F63D appears 52 times
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: String function: 67824F78 appears 73 times
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: String function: 6754F609 appears 1073 times
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: String function: 6A6CFE07 appears 95 times
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: String function: 6A714F78 appears 109 times
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: String function: 6B05F609 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: String function: 6A67D318 appears 74 times
PE file contains executable resources (Code or Archives)
Source: wd260xml.dll.1.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: wd260zip.dll.1.dr Static PE information: Resource name: RT_WDAUTOEX type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: wd260pdf.dll.5.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: wd260xml.dll.5.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: wd260rtf.dll.5.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: wd260pdf.dll0.5.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: wd260zip.dll.5.dr Static PE information: Resource name: RT_WDAUTOEX type: Zip archive data, at least v2.0 to extract, compression method=deflate
Sample file is different than original file name gathered from version info
Source: INSTALL.EXE, 00000000.00000000.1151592503.0000000000702000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameWDAutoEx.EXE2 vs INSTALL.EXE
Source: INSTALL.EXE, 00000001.00000003.1254506738.00000000015FD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewd260trs.dllF vs INSTALL.EXE
Source: INSTALL.EXE, 00000001.00000003.1244349092.00000000015FD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewd260mat.dllF vs INSTALL.EXE
Source: INSTALL.EXE, 00000001.00000003.1260444365.00000000015FD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWDMetaBase.dll2 vs INSTALL.EXE
Source: INSTALL.EXE, 00000001.00000003.1250983381.00000000015FD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewd260ole.dllF vs INSTALL.EXE
Source: INSTALL.EXE, 00000001.00000003.1260554128.00000000015FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWDMetaBase.dll2 vs INSTALL.EXE
Uses 32bit PE files
Source: INSTALL.EXE Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: sus30.rans.winEXE@7/278@1/2
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\INSTALL[1].zip Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Mutant created: NULL
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Mutant created: \Sessions\1\BaseNamedObjects\SIGA-ADMINISTRATION.EXE
Source: C:\Users\user\Desktop\INSTALL.EXE File created: C:\Users\user\AppData\Local\Temp\WD_171A.tmp Jump to behavior
Source: INSTALL.EXE Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\INSTALL.EXE File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: WDSetup.EXE String found in binary or memory: /SIGA-ADMINISTRATION/INSTALL/_UPDATE.ZIP
Source: WDSetup.EXE String found in binary or memory: /SIGA-ADMINISTRATION/INSTALL/_FRAMEWORK.ZIP
Source: WDSetup.EXE String found in binary or memory: http://www.inf-az.com/SIGA-ADMINISTRATION/INSTALL/_FRAMEWORK.ZIP
Source: WDSetup.EXE String found in binary or memory: /SIGA-ADMINISTRATION/INSTALL/__WDINST.ZIP
Source: WDSetup.EXE String found in binary or memory: http://www.inf-az.com/SIGA-ADMINISTRATION/INSTALL/_UPDATE.ZIP
Source: WDSetup.EXE String found in binary or memory: IGA-ADMINISTRATION/INSTALL/__WDINST.ZIP>
Source: WDSetup.EXE String found in binary or memory: STRATION/INSTALL/__WDINST.ZIP
Source: WDSetup.EXE String found in binary or memory: http://www.inf-az.com/SIGA-ADMINISTRATION/INSTALL/__WDINST.ZIP
Source: WDSetup.EXE String found in binary or memory: RATION/INSTALL
Source: WDSetup.EXE String found in binary or memory: /INSTALLATIONAPP /APP=
Source: WDSetup.EXE String found in binary or memory: SIGA-ADMINISTRATION/INSTALL
Source: WDSetup.EXE String found in binary or memory: NISTRATION/INSTALL/
Source: WDSetup.EXE String found in binary or memory: /INSTALL/__WDINST.ZIP
Source: WDSetup.EXE String found in binary or memory: MINISTRATION/INSTALL/__WDINST.ZIP
Source: WDSetup.EXE String found in binary or memory: t Based Servicing\Packages\Microsoft-Windows-IIS-WebServer-AddOn-2-Package~31bf3856ad364e35~x86~~6.0.6000.16386\Updates
Source: WDSetup.EXE String found in binary or memory: http://www.w3.org/2005/08/addressing
Source: SIGA-ADMINISTRATION.exe String found in binary or memory: http://www.w3.org/2006/02/addressing/wsdl
Source: SIGA-ADMINISTRATION.exe String found in binary or memory: http://www.w3.org/2005/08/addressing
Source: C:\Users\user\Desktop\INSTALL.EXE File read: C:\Users\user\Desktop\INSTALL.EXE Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\INSTALL.EXE "C:\Users\user\Desktop\INSTALL.EXE"
Source: C:\Users\user\Desktop\INSTALL.EXE Process created: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE "C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE"
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process created: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE "C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE" /REP="C:\Users\user\AppData\Local\Temp\WD1C79.tmp\" /PID_PARENT=6388 /VERSION_PARENT=26 /COMPOSITE=0 /WXF="C:\Users\user\AppData\Local\Temp\WD1C79.tmp\INST.WXF" "C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE"
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process created: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe "C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe"
Source: C:\Users\user\Desktop\INSTALL.EXE Process created: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE "C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process created: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE "C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE" /REP="C:\Users\user\AppData\Local\Temp\WD1C79.tmp\" /PID_PARENT=6388 /VERSION_PARENT=26 /COMPOSITE=0 /WXF="C:\Users\user\AppData\Local\Temp\WD1C79.tmp\INST.WXF" "C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process created: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe "C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe" Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: inked.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: msftedit.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: windows.globalization.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: globinputhost.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: firewallapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: fwbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: fwpolicyiomgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE File written: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.INI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Window detected: Number of UI elements: 253
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Window detected: Number of UI elements: 253
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Window detected: Number of UI elements: 28
Source: INSTALL.EXE Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: INSTALL.EXE Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: INSTALL.EXE Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: INSTALL.EXE Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: INSTALL.EXE Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: INSTALL.EXE Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: INSTALL.EXE Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: INSTALL.EXE Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: H:\source\source.YB\79749\Release_preinstall_9\WX\Desktop_x86_32\Release\SetupFTP.pdb source: INSTALL.EXE, 00000001.00000000.1154931373.00000000004C3000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: H:\source\source.PAD\91845\Release_wdobj_261\WX\Desktop_x86_32\Release\wd260obj.pdb' source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2287778764.0000000068801000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: C:\source\source.SAM\58099\Release_WebKit_14_Source\PCS\PCSWebKitDLL\WX\Win32\Release\bin\wd260wk.pdbpR>d source: WDSetup.EXE, 00000005.00000003.1562198990.0000000008BFC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: H:\source\source.PAD\91845\Release_wdobj_261\WX\Desktop_x86_32\Release\wd260obj.pdb source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2287778764.0000000068801000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: C:\source\source.SAM\58099\Release_WebKit_14_Source\PCS\PCSWebKitDLL\WX\Win32\Release\bin\wd260wk.pdb source: WDSetup.EXE, 00000005.00000003.1562198990.0000000008BFC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: H:\source\source.SAM\79765\Release_wdexe_75\WX\Desktop_x86_32\Release\WDExe.pdbe source: WDSetup.EXE, 00000005.00000003.1570498209.0000000008F95000.00000004.00000020.00020000.00000000.sdmp, SIGA-ADMINISTRATION.exe, 0000000C.00000000.1645869868.0000000000BB2000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: H:\source\source.MG\91382\Release_wdhf_263\WX\Desktop_x86_32\Release\wd260hf.pdb source: WDSetup.EXE, 00000005.00000002.2021980964.000000006AA1B000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: H:\source\source.GP\79788\Release_WDMetabase_7\wx\Desktop_x86_32\Release\WDMetabase.pdb source: INSTALL.EXE, 00000001.00000003.1260444365.00000000015FD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\source\source.GF\92082\Release_wdhtml_7\WX\Desktop_x86_32\Release\WD260HTML.pdb source: WDSetup.EXE, 00000005.00000003.1552176753.0000000008BD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: H:\source\source.SAM\73975\Release_wdexe_75\WX\Desktop_x86_32\Release\WDExe.pdb source: WDSetup.EXE, 00000005.00000003.1271448834.00000000024E3000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000000.1265854653.0000000000532000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: H:\source\source.RR\79738\Release_wdtrs_35\WX\Desktop_x86_32\Release\wd260trs.pdb+ source: INSTALL.EXE, 00000001.00000003.1254506738.00000000015FD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\source\source.YB\91875\Release_wdvm_59\wx\Desktop_x86_32\Release\wd260vm.PDB source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2424167458.0000000069CDC000.00000002.00000001.01000000.00000019.sdmp
Source: Binary string: L5jsuccessfulmalformedrequestinternalerrortrylatersigrequiredunauthorizedgoodunspecifiedkeyCompromisecACompromiseaffiliationChangedsupersededcessationOfOperationcertificateHoldremoveFromCRL(UNKNOWN)crypto\ocsp\ocsp_vfy.ccompiler: cl /Z7 /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMOpenSSL 1.1.1d 10 Sep 2019built on: Fri Oct 11 16:24:32 2019 UTCplatform: VC-WIN32OPENSSLDIR: "M:\Source.WX\WDCom\LibExternes\openssl\WX\WIN32\release"ENGINESDIR: "M:\Source.WX\WDCom\LibExternes\openssl\WX\WIN32\release\lib\engines-1_1"not available%lu:%s:%s:%d:%s source: WDSetup.EXE, 00000005.00000002.1986488473.000000006A322000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: H:\source\source.YV\80306\Release_wdautoex_9\WX\Desktop_x86_32\Release\WdAutoEx.pdb source: INSTALL.EXE, 00000000.00000000.1151554817.00000000006ED000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: H:\source\source.SAM\73975\Release_wdexe_75\WX\Desktop_x86_32\Release\WDExe.pdb[ source: WDSetup.EXE, 00000005.00000003.1271448834.00000000024E3000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000000.1265854653.0000000000532000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: H:\source\source.SAM\79765\Release_wdexe_75\WX\Desktop_x86_32\Release\WDExe.pdb source: WDSetup.EXE, 00000005.00000003.1570498209.0000000008F95000.00000004.00000020.00020000.00000000.sdmp, SIGA-ADMINISTRATION.exe, 0000000C.00000000.1645869868.0000000000BB2000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: H:\source\source.GP\87613\Release_wdpnt_69\WX\Desktop_x86_32\Release\wd260pnt.pdb source: WDSetup.EXE, 00000005.00000002.2052440671.000000006B4FD000.00000002.00000001.01000000.00000011.sdmp, SIGA-ADMINISTRATION.exe, 0000000C.00000002.2256481971.000000006830B000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: compiler: cl /Z7 /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: WDSetup.EXE, 00000005.00000002.1986488473.000000006A322000.00000002.00000001.01000000.00000017.sdmp, SIGA-ADMINISTRATION.exe, 0000000C.00000002.2195204845.0000000067183000.00000002.00000001.01000000.00000021.sdmp
Source: Binary string: H:\source\source.GP\91849\Release_wdmdl_37\WX\Desktop_x86_32\Release\wd260mdl.pdb source: WDSetup.EXE, 00000005.00000002.2038961916.000000006B073000.00000002.00000001.01000000.00000012.sdmp, SIGA-ADMINISTRATION.exe, 0000000C.00000002.2208071294.00000000675AB000.00000002.00000001.01000000.00000020.sdmp
Source: Binary string: H:\source\source.YV\80306\Release_wdautoex_9\WX\Desktop_x86_32\Release\WdAutoEx.pdb: source: INSTALL.EXE, 00000000.00000000.1151554817.00000000006ED000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: gsuccessfulmalformedrequestinternalerrortrylatersigrequiredunauthorizedgoodunspecifiedkeyCompromisecACompromiseaffiliationChangedsupersededcessationOfOperationcertificateHoldremoveFromCRL(UNKNOWN)crypto\ocsp\ocsp_vfy.ccompiler: cl /Z7 /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMOpenSSL 1.1.1d 10 Sep 2019built on: Fri Oct 11 16:24:32 2019 UTCplatform: VC-WIN32OPENSSLDIR: "M:\Source.WX\WDCom\LibExternes\openssl\WX\WIN32\release"ENGINESDIR: "M:\Source.WX\WDCom\LibExternes\openssl\WX\WIN32\release\lib\engines-1_1"not available%lu:%s:%s:%d:%s source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2195204845.0000000067183000.00000002.00000001.01000000.00000021.sdmp
Source: Binary string: H:\source\source.DS\91575\Release_wdstd_81\WX\Desktop_x86_32\Release\wd260std.pdb source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2388162641.00000000697F1000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: C:\source\source.DS\89287\Release_wdcom_89\WX\Desktop_x86_32\Release\wd260com.pdb source: WDSetup.EXE, 00000005.00000002.1986488473.000000006A322000.00000002.00000001.01000000.00000017.sdmp, SIGA-ADMINISTRATION.exe, 0000000C.00000002.2195204845.0000000067246000.00000002.00000001.01000000.00000021.sdmp
Source: Binary string: H:\source\source.AP\91518\Release_wdxml_93\WX\Desktop_x86_32\Release\wd260xml.pdb source: WDSetup.EXE, 00000005.00000002.2004416457.000000006A71D000.00000002.00000001.01000000.00000016.sdmp, SIGA-ADMINISTRATION.exe, 0000000C.00000002.2217506054.000000006787F000.00000002.00000001.01000000.0000001F.sdmp
Source: Binary string: H:\source\source.YB\79749\Release_preinstall_9\WX\Desktop_x86_32\Release\SetupFTP.pdb\ source: INSTALL.EXE, 00000001.00000000.1154931373.00000000004C3000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\source\source.IC\79759\Release_wdpdf_23\WX\Desktop_x86_32\Release\wd260pdf.pdb source: WDSetup.EXE, 00000005.00000003.1554487092.0000000008BE6000.00000004.00000020.00020000.00000000.sdmp, SIGA-ADMINISTRATION.exe, 0000000C.00000002.2233545225.00000000680DD000.00000002.00000001.01000000.0000001E.sdmp
Source: Binary string: C:\source\source.IC\79759\Release_wdpdf_23\WX\Desktop_x86_32\Release\wd260pdf.pdbc source: WDSetup.EXE, 00000005.00000003.1554487092.0000000008BE6000.00000004.00000020.00020000.00000000.sdmp, SIGA-ADMINISTRATION.exe, 0000000C.00000002.2233545225.00000000680DD000.00000002.00000001.01000000.0000001E.sdmp
Source: Binary string: H:\source\source.YV\79805\Release_wdrtf_25\WX\Desktop_x86_32\Release\wd260rtf.pdb source: WDSetup.EXE, 00000005.00000003.1541205718.0000000008BDE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: H:\source\source.RR\79738\Release_wdtrs_35\WX\Desktop_x86_32\Release\wd260trs.pdb source: INSTALL.EXE, 00000001.00000003.1254506738.00000000015FD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: H:\source\source.RR\80476\Release_wduni_27\Build\Desktop_x86_32\Release\wd260UNI.pdb source: WDSetup.EXE, 00000005.00000003.1393687929.0000000007F09000.00000004.00000020.00020000.00000000.sdmp
Source: INSTALL.EXE Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: INSTALL.EXE Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: INSTALL.EXE Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: INSTALL.EXE Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: INSTALL.EXE Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_6741AB59 LoadLibraryW,GetProcAddress,GetFileInformationByHandle,GetLogicalDriveStringsW,GetVolumeInformationW, 12_2_6741AB59
PE file contains an invalid checksum
Source: INSTALL.EXE.0.dr Static PE information: real checksum: 0x0 should be: 0x73f68
Source: INSTALL.EXE Static PE information: real checksum: 0x631d0 should be: 0x9b917
Source: WDSetup.EXE.1.dr Static PE information: real checksum: 0x0 should be: 0x411e5a
PE file contains sections with non-standard names
Source: wd260obj.dll.1.dr Static PE information: section name: _RDATA
Source: wd260pnt.dll.1.dr Static PE information: section name: monseg
Source: wd260wk.dll.5.dr Static PE information: section name: .unwante
Source: wd260obj.dll.5.dr Static PE information: section name: _RDATA
Source: wd260pnt.dll.5.dr Static PE information: section name: monseg
Source: wd260wk.dll0.5.dr Static PE information: section name: .unwante
Source: wd260obj.dll0.5.dr Static PE information: section name: _RDATA
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: 5_3_05E9ADA9 push edi; iretd 5_3_05E9AE93
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: 5_3_05E9ADA9 push edi; iretd 5_3_05E9AE93
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: 5_3_0732960D push es; iretd 5_3_0732969B
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: 5_3_07329C51 push es; iretd 5_3_07329C52
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: 5_3_07329655 push es; iretd 5_3_0732969B
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: 5_3_07329955 pushad ; iretd 5_3_0732996B
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: 5_3_0732625A push eax; ret 5_3_07326289
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: 5_3_07329DBD push es; iretd 5_3_07329DEA
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: 5_3_07329899 push esp; iretd 5_3_0732990B
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: 5_3_07329987 push es; iretw 5_3_0732999A
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: 5_3_0732628A push esp; ret 5_3_073262B9
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: 5_3_0731B6F9 push es; ret 5_3_0731B6FA
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: 5_3_073263EA push 8469EC80h; ret 5_3_07326449
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: 5_3_0716E282 push esi; iretd 5_3_0716E283
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: 5_2_6A714F78 push eax; ret 5_2_6A714F96
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_66FB2D96 push ecx; ret 12_2_66FB2DA9
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_67434142 push 8B078BFFh; iretd 12_2_6743414E
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_67411618 push edi; ret 12_2_6741161C
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_6754F5E3 push ecx; ret 12_2_6754F5F6
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_67533036 push ecx; ret 12_2_67533049
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_6754FC77 push ecx; ret 12_2_6754FC8C
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_67449B7B pushad ; ret 12_2_67449B8C
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\INSTALL\WDMetabase.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Users\user\AppData\Local\Temp\WDS6B85.tmp\_FRAMEWORK\1\wd260html.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDRelanceur.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\wd260std.dll Jump to dropped file
Source: C:\Users\user\Desktop\INSTALL.EXE File created: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Users\user\AppData\Local\Temp\WDS6B85.tmp\_FRAMEWORK\1\wd260rtf.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Users\user\AppData\Local\Temp\WDS6B85.tmp\_FRAMEWORK\1\wd260prn.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\wd260rtf.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Users\user\AppData\Local\Temp\B9C8.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\INSTALL\wd260mdl.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\wd260pic.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\wd260xml.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\INSTALL\wd260sql.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Users\user\AppData\Local\Temp\WDS6B85.tmp\_FRAMEWORK\1\wd260wk.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\wd260uni.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Users\user\AppData\Local\Temp\WDS6B85.tmp\_FRAMEWORK\1\wd260xls.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE File created: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\wd260pnt.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE File created: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\wd260vm.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\wd260sql.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\wd260prn.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE File created: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\wd260ole.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE File created: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\wd260hf.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\wd260html.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE File created: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\wd260mat.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Users\user\AppData\Local\Temp\WDS6B85.tmp\_FRAMEWORK\1\wd260cpl.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\INSTALL\wd260zip.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\INSTALL\WDSetup.EXE Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\wd260action.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\INSTALL\wd260uni.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\wd260xls.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\wd260cpl.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE File created: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\wd260sql.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\wd260barc.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Users\user\AppData\Local\Temp\WDS6B85.tmp\_FRAMEWORK\1\wd260grf.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\wd260vm.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE File created: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\wd260mdl.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\INSTALL\wd260hf.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE File created: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\wd260obj.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\wd260wk.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\wd260obj.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE File created: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\wd260com.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\wd260pdf.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\wd260zip.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\wd260hf.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE File created: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\wd260zip.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\wd260com.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\INSTALL\wd260mat.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\wd260grf.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\INSTALL\WDRelanceur.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Users\user\AppData\Local\Temp\WDS6B85.tmp\_FRAMEWORK\1\wd260barc.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE File created: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\wd260trs.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE File created: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\wd260uni.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\INSTALL\wd260pnt.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\INSTALL\wd260trs.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\INSTALL\wd260std.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE File created: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\wd260std.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Users\user\AppData\Local\Temp\WDS6B85.tmp\_FRAMEWORK\1\wd260pic.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\INSTALL\wd260com.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE File created: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\wd260xml.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\INSTALL\wd260xml.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\INSTALL\wd260vm.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\INSTALL\wd260ole.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Users\user\AppData\Local\Temp\WDS6B85.tmp\_FRAMEWORK\1\wd260action.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\wd260mat.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\INSTALL\wd260obj.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\wd260mdl.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE File created: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDMetabase.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE File created: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\wd260pnt.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Users\user\AppData\Local\Temp\WDS6B85.tmp\_FRAMEWORK\1\wd260pdf.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE File created: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetupFontLicence.txt Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\Program Files (x86)\SIGA\INSTALL\WDSetupFontLicence.txt Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Syst me Int gr des Gestion des Abonn s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Syst me Int gr des Gestion des Abonn s\Syst me Int gr de Gestion des Abonn s - Module d'administration.lnk Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_67416B35 bInitWLCalcFromVM,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 12_2_67416B35
Source: C:\Users\user\Desktop\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\INSTALL\WDMetabase.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WDS6B85.tmp\_FRAMEWORK\1\wd260html.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDRelanceur.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\wd260std.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WDS6B85.tmp\_FRAMEWORK\1\wd260rtf.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WDS6B85.tmp\_FRAMEWORK\1\wd260prn.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\wd260rtf.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\INSTALL\wd260mdl.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\wd260pic.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\wd260xml.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\INSTALL\wd260sql.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WDS6B85.tmp\_FRAMEWORK\1\wd260wk.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\wd260uni.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WDS6B85.tmp\_FRAMEWORK\1\wd260xls.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\wd260pnt.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\wd260vm.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\wd260sql.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\wd260prn.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\wd260html.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\wd260hf.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\wd260ole.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\wd260mat.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WDS6B85.tmp\_FRAMEWORK\1\wd260cpl.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\INSTALL\wd260zip.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\wd260action.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\INSTALL\wd260uni.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\wd260xls.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\wd260cpl.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\wd260sql.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WDS6B85.tmp\_FRAMEWORK\1\wd260grf.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\wd260barc.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\wd260vm.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\wd260mdl.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\INSTALL\wd260hf.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\wd260wk.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\wd260obj.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\wd260obj.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\wd260com.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\wd260pdf.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\wd260zip.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\wd260hf.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\wd260com.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\INSTALL\wd260mat.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\wd260zip.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\wd260grf.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\INSTALL\WDRelanceur.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WDS6B85.tmp\_FRAMEWORK\1\wd260barc.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\wd260trs.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\wd260uni.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\INSTALL\wd260pnt.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\INSTALL\wd260trs.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\INSTALL\wd260std.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\wd260std.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WDS6B85.tmp\_FRAMEWORK\1\wd260pic.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\INSTALL\wd260com.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\wd260xml.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\INSTALL\wd260xml.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\INSTALL\wd260vm.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\INSTALL\wd260ole.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WDS6B85.tmp\_FRAMEWORK\1\wd260action.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\INSTALL\wd260obj.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\wd260mat.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Program Files (x86)\SIGA\wd260mdl.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDMetabase.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\wd260pnt.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WDS6B85.tmp\_FRAMEWORK\1\wd260pdf.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE API coverage: 3.6 %
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe API coverage: 1.1 %
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_6741AB59 LoadLibraryW,GetProcAddress,GetFileInformationByHandle,GetLogicalDriveStringsW,GetVolumeInformationW, 12_2_6741AB59
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File opened: C:\Users\user\AppData\Local\Temp\GAB4F22.tmp\GenFlat_Mailing.gif Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File opened: C:\Users\user\AppData\Local\Temp\GAB4F22.tmp\GenFlat_Pict_BrwFirst_V_24_5.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File opened: C:\Users\user\AppData\Local\Temp\GAB4F22.tmp\GenFlat_Pict_Add_16_5.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File opened: C:\Users\user\AppData\Local\Temp\GAB4F22.tmp\GenFlat_Pict_Browse_16_5.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File opened: C:\Users\user\AppData\Local\Temp\GAB4F22.tmp\GenFlat_Pict_Apply_16_5.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE File opened: C:\Users\user\AppData\Local\Temp\GAB4F22.tmp\GenFlat_MailingUS.gif Jump to behavior
Source: WDSetup.EXE, 00000005.00000003.1541205718.0000000008BDE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: QEMU VM
Source: INSTALL.EXE, 00000001.00000002.1926356024.0000000001599000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}L
Source: WDSetup.EXE, 00000005.00000003.1541205718.0000000008BDE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 14.1.1.31720%lld days %lld hours %lld minutesVMWareMS Virtual PCParallels VMVirtual BOX VMQEMU VMXEN VMKVMHYPERV VMVirtual Machine127.0.0.1n/a in embedded,
Source: INSTALL.EXE, 00000001.00000002.1926356024.0000000001599000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: INSTALL.EXE, 00000000.00000003.1155303130.0000000000CAF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: WDSetup.EXE, 00000005.00000003.1680983747.0000000007425000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: INSTALL.EXE, 00000001.00000003.1915174639.00000000015DE000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1263557777.00000000015DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWkUZ
Source: INSTALL.EXE, 00000001.00000003.1263557777.00000000015DD000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1915174639.00000000015A5000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1915174639.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, WDSetup.EXE, 00000005.00000003.1780375231.000000000600B000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000002.1948755458.000000000600C000.00000004.00000020.00020000.00000000.sdmp, WDSetup.EXE, 00000005.00000003.1702954693.0000000007418000.00000004.00000020.00020000.00000000.sdmp, SIGA-ADMINISTRATION.exe, 0000000C.00000003.1660696891.000000000114E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000003.1660696891.000000000114E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWf
Source: WDSetup.EXE, 00000005.00000003.1541205718.0000000008BDE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMWare
Source: WDSetup.EXE, 00000005.00000003.1815272933.0000000006077000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{5
Source: WDSetup.EXE, 00000005.00000003.1772168839.000000000606D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&
Source: WDSetup.EXE, 00000005.00000003.1680983747.0000000007425000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: '00100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&
Source: WDSetup.EXE, 00000005.00000003.1772168839.000000000606D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD0
Source: WDSetup.EXE, 00000005.00000003.1772168839.000000000606D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-F
Source: WDSetup.EXE, 00000005.00000002.1968279181.00000000074C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: om&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&
Source: WDSetup.EXE, 00000005.00000003.1680983747.0000000007425000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: WDSetup.EXE, 00000005.00000003.1800325919.000000000607C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef
Source: WDSetup.EXE, 00000005.00000002.1968051639.00000000074A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: WDSetup.EXE, 00000005.00000003.1680983747.0000000007425000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}n
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_6711E54C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_6711E54C
Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_6741AB59 LoadLibraryW,GetProcAddress,GetFileInformationByHandle,GetLogicalDriveStringsW,GetVolumeInformationW, 12_2_6741AB59
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: 5_2_6A70295D mov eax, dword ptr fs:[00000030h] 5_2_6A70295D
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_6712AF63 mov eax, dword ptr fs:[00000030h] 12_2_6712AF63
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_675424EA mov eax, dword ptr fs:[00000030h] 12_2_675424EA
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_675481D7 mov eax, dword ptr fs:[00000030h] 12_2_675481D7
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process token adjusted: Debug Jump to behavior
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_66FB2ED6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_66FB2ED6
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_6711E54C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_6711E54C
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_6753262B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_6753262B
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_675331EE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_675331EE
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_67541D63 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_67541D63
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\INSTALL.EXE Process created: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE "C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process created: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE "C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE" /REP="C:\Users\user\AppData\Local\Temp\WD1C79.tmp\" /PID_PARENT=6388 /VERSION_PARENT=26 /COMPOSITE=0 /WXF="C:\Users\user\AppData\Local\Temp\WD1C79.tmp\INST.WXF" "C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Process created: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe "C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process created: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE "c:\users\user\appdata\local\temp\wd1c79.tmp\wdsetup.exe" /rep="c:\users\user\appdata\local\temp\wd1c79.tmp\" /pid_parent=6388 /version_parent=26 /composite=0 /wxf="c:\users\user\appdata\local\temp\wd1c79.tmp\inst.wxf" "c:\users\user\appdata\local\temp\wd_171a.tmp\install.exe"
Source: C:\Users\user\AppData\Local\Temp\WD_171A.tmp\INSTALL.EXE Process created: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE "c:\users\user\appdata\local\temp\wd1c79.tmp\wdsetup.exe" /rep="c:\users\user\appdata\local\temp\wd1c79.tmp\" /pid_parent=6388 /version_parent=26 /composite=0 /wxf="c:\users\user\appdata\local\temp\wd1c79.tmp\inst.wxf" "c:\users\user\appdata\local\temp\wd_171a.tmp\install.exe" Jump to behavior
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2388162641.00000000697F1000.00000002.00000001.01000000.0000001A.sdmp Binary or memory string: sichm.chmmk:@MSITStore:%s::/%sPROGMAN[CreateGroup(%s)][DeleteItem(%s)][AddItem(%s,"%s")][AddItem("%s","%s")]WD26*$zri49=+;;znjp911]SALFRAMESVCLOCAL"%s" %sNOGUIDWDExecSvcWDExecSVC_%sWDEXECSVC\\%s\ADMIN$\%s.exe%%SystemRoot%%\%s.exe --SERVICE\\%s\pipe\%sLAD#"ti
Source: SIGA-ADMINISTRATION.exe, 0000000C.00000002.2287778764.0000000068801000.00000002.00000001.01000000.0000001C.sdmp Binary or memory string: UpdateLayeredWindowShcore.dllGetDpiForMonitorGetAncestorMonitorFromPointBaseBarSideBar_AppBarWindowShell_TrayWndShell_SecondaryTrayWndFenAssertReconnexionALIAS_%s,%d,%dSTATICGDSMENU_WinDevHelpEnableNonClientDpiSuserng_SupportFenInterne_MaximiseUser32FI_MenuHWinDevHelpRestoreASSISTCREATIONTRTWINDEVGRAPHEAUTOTABLECUFTOOLSEDITCODE%s.B%02dAPERCUBTN_MCU.BMPWD_PATIENCEGWD_VISUALISATEURPATIENCE[%Project Name%] *
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: EnumSystemLocalesW, 5_2_6A712876
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: EnumSystemLocalesW, 5_2_6A7128C1
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: EnumSystemLocalesW, 5_2_6A71295C
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 5_2_6A712F36
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 12_2_678225FE
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: 5_2_6A5DEECE GetSystemTime, 5_2_6A5DEECE
Source: C:\Program Files (x86)\SIGA\SIGA-ADMINISTRATION.exe Code function: 12_2_6742927E GetTimeZoneInformation,SystemTimeToFileTime,FileTimeToSystemTime, 12_2_6742927E
Source: C:\Users\user\AppData\Local\Temp\WD1C79.tmp\WDSetup.EXE Code function: 5_2_6A656FF5 GetVersionExW, 5_2_6A656FF5
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1542417 Sample: INSTALL.EXE Startdate: 25/10/2024 Architecture: WINDOWS Score: 30 43 www.inf-az.com 2->43 8 INSTALL.EXE 5 2->8         started        process3 file4 31 C:\Users\user\AppData\Local\...\INSTALL.EXE, PE32 8->31 dropped 11 INSTALL.EXE 40 8->11         started        process5 dnsIp6 45 www.inf-az.com 23.161.96.139, 49696, 80 COGENT-174US United States 11->45 33 C:\Users\user\AppData\Local\...\WDSetup.EXE, PE32 11->33 dropped 35 C:\Users\user\AppData\...\ServeursWeb.wdk, data 11->35 dropped 37 C:\Users\user\AppData\Local\...\INSTALL.ZIP, Zip 11->37 dropped 39 16 other files (1 malicious) 11->39 dropped 49 Writes many files with high entropy 11->49 16 WDSetup.EXE 102 289 11->16         started        file7 signatures8 process9 dnsIp10 41 127.0.0.1 unknown unknown 16->41 23 C:\Users\user\AppData\Local\...\__WDINST.ZIP, Zip 16->23 dropped 25 C:\Users\user\AppData\Local\...\_UPDATE.ZIP, Zip 16->25 dropped 27 C:\Users\user\AppData\...\_FRAMEWORK.ZIP, Zip 16->27 dropped 29 65 other files (11 malicious) 16->29 dropped 47 Writes many files with high entropy 16->47 21 SIGA-ADMINISTRATION.exe 3 15 16->21         started        file11 signatures12 process13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
23.161.96.139
 www.inf-az.com United States
174 COGENT-174US false

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
www.inf-az.com 23.161.96.139 true