Windows Analysis Report
Sage.Eb.eIDSign.Windows.Installer.exe

Overview

General Information

Sample name: Sage.Eb.eIDSign.Windows.Installer.exe
Analysis ID: 1560043
MD5: cdaa0b967941fffe97b0d508e696b938
SHA1: 3338c896c9416dc683d94696f6861ab28b0bb26f
SHA256: e01aec5472b010bdcf84d65bdbeff90e0c551558899f638d36dace4261ae1d36

Detection

Score: 51
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 46
Range: 0 - 100

Signatures

Changes security center settings (notifications, updates, antivirus, firewall)
Disables event log channels
Drops executables to the windows directory (C:\Windows) and starts them
Installs new ROOT certificates
Modifies Internet Explorer zonemap settings
Overwrites Mozilla Firefox settings
Tries to harvest and steal browser information (history, passwords, etc)
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Compliance

Source: Sage.Eb.eIDSign.Windows.Installer.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Sage.Eb.eIDSign.Windows.Installer.exe Static PE information: certificate valid
Source: Binary string: C:\projects\bouncycastle-pcl\crypto\obj\pcl2\Release\crypto.pdb source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2513840378.00000000051D2000.00000002.00000001.01000000.0000000D.sdmp, crypto.dll.9.dr
Source: Binary string: C:\Development\Releases\Json\Working\Newtonsoft.Json\Working-Signed\Src\Newtonsoft.Json\obj\Release\Net45\Newtonsoft.Json.pdb( source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1407109280.00000000052C2000.00000002.00000001.01000000.0000000C.sdmp, Newtonsoft.Json.dll.9.dr
Source: Binary string: ^W/c:\Builds\eIDSign\Ebanking\eIDSign.Current\eIDSign\Current\Src\NativeServices\NSUniSignWindows\obj\Release\Sage.Eb.UniSign.Windows.pdbL source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000000.1367497619.0000000000512000.00000002.00000001.01000000.00000007.sdmp, Sage.Eb.UniSign.Windows.exe.9.dr
Source: Binary string: wevtutil.pdb source: MSI1AE.tmp, 0000000D.00000000.1383361833.00000000001F1000.00000020.00000001.01000000.0000000E.sdmp, 46f826.msi.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, MSI1AE.tmp.9.dr
Source: Binary string: c:\b\4745\3307\src\intermediate\EventSource.V40.csproj_d509c9f3\Release\Microsoft.Diagnostics.Tracing.EventSource.pdb source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Diagnostics.Tracing.EventSource.dll.9.dr
Source: Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\setupPreReq.pdb source: Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr
Source: Binary string: /c:\Builds\eIDSign\Ebanking\eIDSign.Current\eIDSign\Current\Src\NativeServices\UniSignPCL\obj\Release\Sage.Eb.UniSign.PCL.pdbT source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1406436370.00000000050B2000.00000002.00000001.01000000.00000009.sdmp, Sage.Eb.UniSign.PCL.dll.9.dr
Source: Binary string: t:\gregz\work\pw_hashing\clrsecurity\svn\Security.Cryptography\src\obj\Release\Security.Cryptography.pdb source: Security.Cryptography.dll.9.dr
Source: Binary string: c:\Builds\eIDSign\Ebanking\eIDSign.Current\eIDSign\Current\Src\NativeServices\NSUniSignWindows\obj\Release\Sage.Eb.UniSign.Windows.pdb source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000000.1367497619.0000000000512000.00000002.00000001.01000000.00000007.sdmp, Sage.Eb.UniSign.Windows.exe.9.dr
Source: Binary string: c:\Builds\eIDSign\Ebanking\eIDSign.Current\eIDSign\Current\Src\NativeServices\UniSignPCL\obj\Release\Sage.Eb.UniSign.PCL.pdb source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1406436370.00000000050B2000.00000002.00000001.01000000.00000009.sdmp, Sage.Eb.UniSign.PCL.dll.9.dr
Source: Binary string: c:\Builds\eIDSign\Ebanking\eIDSign.Current\eIDSign\Current\Src\NativeServices\Slab\source\Src\SemanticLogging\obj\Release\Microsoft.Practices.EnterpriseLibrary.SemanticLogging.pdb source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1406919885.0000000005192000.00000002.00000001.01000000.0000000B.sdmp, Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll.9.dr
Source: Binary string: t:\gregz\work\pw_hashing\clrsecurity\svn\Security.Cryptography\src\obj\Release\Security.Cryptography.pdbL source: Security.Cryptography.dll.9.dr
Source: Binary string: C:\Development\Releases\Json\Working\Newtonsoft.Json\Working-Signed\Src\Newtonsoft.Json\obj\Release\Net45\Newtonsoft.Json.pdb source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1407109280.00000000052C2000.00000002.00000001.01000000.0000000C.sdmp, Newtonsoft.Json.dll.9.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\svchost.exe File opened: d:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\msiexec.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1406436370.00000000050B2000.00000002.00000001.01000000.00000009.sdmp, Sage.Eb.UniSign.PCL.dll.9.dr String found in binary or memory: <LouserzableString Key="FaceBookUrl" Value="https://www.facebook.com/SageFrance"></LouserzableString> equals www.facebook.com (Facebook)
Source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1406436370.00000000050B2000.00000002.00000001.01000000.00000009.sdmp, Sage.Eb.UniSign.PCL.dll.9.dr String found in binary or memory: <LouserzableString Key="FaceBookUrl" Value="https://www.facebook.com/SageSpain"></LouserzableString> equals www.facebook.com (Facebook)
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2508602786.0000000001687000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:48081/UniSign/
Source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digi
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2508003322.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405256953.0000000001136000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr, Sage.Eb.eIDSign.Windows.msi.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000B5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2508003322.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405256953.0000000001130000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405256953.0000000001136000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 46f826.msi.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, MSIE8D5.tmp.8.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2508003322.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405256953.0000000001136000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr, Sage.Eb.eIDSign.Windows.msi.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000B5A000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405256953.0000000001136000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr, Sage.Eb.eIDSign.Windows.msi.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2508003322.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405256953.0000000001136000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr, Sage.Eb.eIDSign.Windows.msi.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000B5A000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405256953.0000000001130000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405256953.0000000001136000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Newtonsoft.Json.dll.9.dr String found in binary or memory: http://james.newtonking.com/projects/json
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2508003322.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405256953.0000000001136000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr, Sage.Eb.eIDSign.Windows.msi.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000B5A000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405256953.0000000001130000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405256953.0000000001136000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: 46f826.msi.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, MSIE8D5.tmp.8.dr String found in binary or memory: http://ocsp.thawte.com0
Source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, crypto.dll.9.dr, 1033.MST0.1.dr, MSIE8D5.tmp.8.dr, Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll.9.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, crypto.dll.9.dr, 1033.MST0.1.dr, MSIE8D5.tmp.8.dr String found in binary or memory: http://s2.symcb.com0
Source: Sage.Eb.eIDSign.Windows.Installer.exe, 00000001.00000003.1262957827.000000000077F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, 00000001.00000003.1262729024.00000000007AA000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, 00000001.00000003.1262729024.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, 00000001.00000003.1263241067.000000000077E000.00000004.00000020.00020000.00000000.sdmp, Microsoft .NET Framework 4.5 Web .prq.1.dr String found in binary or memory: http://saturn.installshield.com/is/prerequisites/Microsoft
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2508602786.0000000001651000.00000004.00000800.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405684329.0000000002CFB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.co
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, crypto.dll.9.dr, 1033.MST0.1.dr String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: 46f826.msi.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, MSIE8D5.tmp.8.dr String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, crypto.dll.9.dr, 1033.MST0.1.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, crypto.dll.9.dr, 1033.MST0.1.dr String found in binary or memory: http://sv.symcd.com0&
Source: 46f826.msi.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, MSIE8D5.tmp.8.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 46f826.msi.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, MSIE8D5.tmp.8.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 46f826.msi.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, MSIE8D5.tmp.8.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: svchost.exe, 00000003.00000002.1368633840.000001DC18813000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000B5A000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405256953.0000000001136000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr, Sage.Eb.eIDSign.Windows.msi.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: 46f826.msi.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, MSIE8D5.tmp.8.dr String found in binary or memory: http://www.flexerasoftware.com0
Source: Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr String found in binary or memory: http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d
Source: Newtonsoft.Json.dll.9.dr String found in binary or memory: http://www.newtonsoft.com/jsonschema
Source: 46f828.rbs.9.dr String found in binary or memory: http://www.sage.com
Source: 46f826.msi.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, Sage.Eb.eIDSign.Windows.msi.1.dr String found in binary or memory: http://www.sage.comcaRemoveVRoots1ISCHECKFORPRODUCTUPDATESAllUsersApplicationUsersNoAgreeToLicenseCh
Source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, crypto.dll.9.dr, 1033.MST0.1.dr, MSIE8D5.tmp.8.dr, Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll.9.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, crypto.dll.9.dr, 1033.MST0.1.dr, MSIE8D5.tmp.8.dr, Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll.9.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405684329.0000000002D3D000.00000004.00000800.00020000.00000000.sdmp, user.js0.17.dr, user.js.17.dr String found in binary or memory: https://127.0.0.1
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2508602786.0000000001687000.00000004.00000800.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405684329.0000000002CFB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://127.0.0.1:48080/UniSign/
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2508602786.0000000001687000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://127.0.0.1:48080/UniSign//Tq
Source: svchost.exe, 00000003.00000003.1367631321.000001DC18858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d.sy
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, crypto.dll.9.dr, 1033.MST0.1.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, crypto.dll.9.dr, 1033.MST0.1.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: svchost.exe, 00000003.00000002.1369081136.000001DC18859000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1367631321.000001DC18858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000003.00000002.1369165371.000001DC18881000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1367526432.000001DC1885F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1367870665.000001DC1885A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1367433947.000001DC18862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1369109915.000001DC18865000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1367631321.000001DC18858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000003.00000002.1369165371.000001DC18881000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000003.00000003.1367631321.000001DC18858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000003.00000003.1367405105.000001DC18867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000003.00000003.1367060388.000001DC18886000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000003.00000003.1367631321.000001DC18858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000003.00000003.1367870665.000001DC1885A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1367433947.000001DC18862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1368966076.000001DC1883F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1367631321.000001DC18858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000003.00000003.1367631321.000001DC18858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000003.00000002.1368729683.000001DC18827000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1367405105.000001DC18867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000003.00000003.1367631321.000001DC18858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000003.00000003.1367631321.000001DC18858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000003.00000003.1367631321.000001DC18858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000003.00000003.1367433947.000001DC18862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1368966076.000001DC1883F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000003.00000003.1367919916.000001DC18841000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1368998189.000001DC18844000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000003.00000003.1367631321.000001DC18858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000003.00000003.1367919916.000001DC18841000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1367433947.000001DC18862000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000003.00000003.1367919916.000001DC18841000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1368998189.000001DC1884B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1367433947.000001DC18862000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000003.00000002.1368998189.000001DC18844000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000003.00000003.1367433947.000001DC18862000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000003.00000003.1367919916.000001DC18841000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000003.00000003.1367631321.000001DC18858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000003.00000003.1367631321.000001DC18858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000003.00000003.1367919916.000001DC18841000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000003.00000002.1368729683.000001DC18827000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1367405105.000001DC18867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: Sage.Eb.UniSign.PCL.dll.9.dr String found in binary or memory: https://plus.google.com/
Source: svchost.exe, 00000003.00000003.1367973454.000001DC18833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.s
Source: svchost.exe, 00000003.00000003.1367973454.000001DC18833000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1368902923.000001DC18836000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ss
Source: svchost.exe, 00000003.00000003.1367973454.000001DC18833000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1368902923.000001DC18836000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dyn
Source: svchost.exe, 00000003.00000003.1367973454.000001DC18833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic
Source: svchost.exe, 00000003.00000003.1367973454.000001DC18833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtua
Source: svchost.exe, 00000003.00000003.1367919916.000001DC18841000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000003.00000003.1367973454.000001DC18833000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1368902923.000001DC18836000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs(e
Source: svchost.exe, 00000003.00000003.1367919916.000001DC18841000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1368998189.000001DC1884B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/
Source: svchost.exe, 00000003.00000003.1367919916.000001DC18841000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1368998189.000001DC1884B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000003.00000003.1367631321.000001DC18858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000003.00000003.1367591097.000001DC1885D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000003.00000002.1368729683.000001DC18827000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000003.00000003.1367973454.000001DC18833000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1368902923.000001DC18836000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtuha
Source: svchost.exe, 00000003.00000003.1367631321.000001DC18858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000003.00000002.1369081136.000001DC18859000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1367631321.000001DC18858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1406436370.00000000050B2000.00000002.00000001.01000000.00000009.sdmp, Sage.Eb.UniSign.PCL.dll.9.dr String found in binary or memory: https://twitter.com/sagefrance
Source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1406436370.00000000050B2000.00000002.00000001.01000000.00000009.sdmp, Sage.Eb.UniSign.PCL.dll.9.dr String found in binary or memory: https://twitter.com/sagespain
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2508003322.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405256953.0000000001136000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr, Sage.Eb.eIDSign.Windows.msi.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe File created: C:\Program Files (x86)\Sage\eIDSign\eIDSignCa.cer
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\46f826.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\46f827.mst
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{9F90421B-05FE-4A89-802E-B4C70995335E}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF9FB.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{9F90421B-05FE-4A89-802E-B4C70995335E}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{9F90421B-05FE-4A89-802E-B4C70995335E}\ARPPRODUCTICON.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{9F90421B-05FE-4A89-802E-B4C70995335E}\Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\46f829.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{9F90421B-05FE-4A89-802E-B4C70995335E}\1033.MST
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI15F.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1AE.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\46f829.msi
Source: C:\Windows\Installer\MSI1AE.tmp Process token adjusted: Security
Source: Microsoft.Diagnostics.Tracing.EventSource.dll.9.dr Static PE information: Resource name: RT_VERSION type: TTComp archive data, binary, 2K dictionary
Source: Sage.Eb.eIDSign.Windows.Installer.exe, 00000000.00000000.1256764960.000000000057D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameInstallShield Setup.exeP vs Sage.Eb.eIDSign.Windows.Installer.exe
Source: Sage.Eb.eIDSign.Windows.Installer.exe Binary or memory string: OriginalFilenameInstallShield Setup.exeP vs Sage.Eb.eIDSign.Windows.Installer.exe
Source: Sage.Eb.eIDSign.Windows.Installer.exe.0.dr Binary or memory string: OriginalFilenameInstallShield Setup.exeP vs Sage.Eb.eIDSign.Windows.Installer.exe
Source: Sage.Eb.eIDSign.Windows.Installer.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Sage.Eb.UniSign.Windows.exe.9.dr, NSUniSignService.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Sage.Eb.UniSign.Windows.exe.9.dr, Program.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Sage.Eb.UniSign.Windows.exe.9.dr, Program.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Sage.Eb.UniSign.Windows.exe.9.dr, UniSignEventSource.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Sage.Eb.UniSign.Windows.exe.9.dr, JsonRestDevice.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Sage.Eb.UniSign.Windows.exe.9.dr, Ms.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll.9.dr, XmlEventTextFormatter.cs Suspicious method names: .XmlEventTextFormatter.SanitizeAndWritePayload
Source: Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll.9.dr, XmlEventTextFormatter.cs Suspicious method names: .XmlEventTextFormatter.XmlWritePayload
Source: Microsoft.Diagnostics.Tracing.EventSource.dll.9.dr, EventCounterPayload.cs Suspicious method names: .EventCounterPayload.GetEnumerator
Source: Microsoft.Diagnostics.Tracing.EventSource.dll.9.dr, EventCounter.cs Suspicious method names: .EventCounter.GetEventCounterPayload
Source: Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll.9.dr, EventTextFormatter.cs Suspicious method names: .EventTextFormatter.FormatPayload
Source: Microsoft.Diagnostics.Tracing.EventSource.dll.9.dr, EventPayload.cs Suspicious method names: .EventPayload.ContainsKey
Source: Microsoft.Diagnostics.Tracing.EventSource.dll.9.dr, EventPayload.cs Suspicious method names: .EventPayload.TryGetValue
Source: Microsoft.Diagnostics.Tracing.EventSource.dll.9.dr, EventPayload.cs Suspicious method names: .EventPayload.Contains
Source: Microsoft.Diagnostics.Tracing.EventSource.dll.9.dr, EventPayload.cs Suspicious method names: .EventPayload.Add
Source: Microsoft.Diagnostics.Tracing.EventSource.dll.9.dr, EventPayload.cs Suspicious method names: .EventPayload.GetEnumerator
Source: Microsoft.Diagnostics.Tracing.EventSource.dll.9.dr, EventPayload.cs Suspicious method names: .EventPayload.Clear
Source: Microsoft.Diagnostics.Tracing.EventSource.dll.9.dr, EventPayload.cs Suspicious method names: .EventPayload.CopyTo
Source: Microsoft.Diagnostics.Tracing.EventSource.dll.9.dr, EventPayload.cs Suspicious method names: .EventPayload.Remove
Source: Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll.9.dr, EventEntryUtil.cs Suspicious method names: .EventEntryUtil.JsonWritePayload
Source: Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll.9.dr, EventEntryUtil.cs Suspicious method names: .EventEntryUtil.JsonSerializePayload
Source: Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll.9.dr, SemanticLoggingEventSource.cs Suspicious method names: .SemanticLoggingEventSource.ElasticsearchSinkEntityPayloadCreationFailed
Source: Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll.9.dr, SemanticLoggingEventSource.cs Suspicious method names: .SemanticLoggingEventSource.EventEntrySerializePayloadFailed
Source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Diagnostics.Tracing.EventSource.dll.9.dr Binary or memory string: c:\b\4745\3307\src\intermediate\EventSource.V40.csproj_d509c9f3\Release\Microsoft.Diagnostics.Tracing.EventSource.pdb
Source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1406664165.0000000005102000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: c:\b\4745\3307\src\intermediate\EventSource.V40.csproj_d509c9f3\Release\Microsoft.Diagno
Source: classification engine Classification label: mal51.phis.spyw.evad.winEXE@27/64@0/0
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Sage
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe File created: C:\Users\user\AppData\Local\Downloaded Installations
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2920:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6876:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:676:120:WilError_03
Source: C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe File created: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: Sage.Eb.eIDSign.Windows.Installer.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe File read: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\_ISMSIDEL.INI
Source: C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Sage.Eb.eIDSign.Windows.Installer.exe, 00000001.00000003.1260766067.0000000000778000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Select the language for this installation from the choices below.date blow:@wP106n;
Source: C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe File read: C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe
Source: unknown Process created: C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe "C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe"
Source: C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe Process created: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe /q"C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}" /IS_temp
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\user\AppData\Local\Downloaded Installations\{B567D723-533A-4254-ABAB-0B467014446B}\Sage.Eb.eIDSign.Windows.msi" TRANSFORMS="C:\Users\user\AppData\Local\Downloaded Installations\{B567D723-533A-4254-ABAB-0B467014446B}\1033.MST" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="Sage.Eb.eIDSign.Windows.Installer.exe"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 634E06A54BB5FC4E5F05F278FBCAD869 C
Source: unknown Process created: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe "C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\Installer\MSI1AE.tmp "C:\Windows\Installer\MSI1AE.tmp" im "C:\Program Files (x86)\Sage\eIDSign\\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.man" /rf:"C:\Program Files (x86)\Sage\eIDSign\\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll" /mf:"C:\Program Files (x86)\Sage\eIDSign\\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll"
Source: C:\Windows\Installer\MSI1AE.tmp Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Installer\MSI1AE.tmp Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\Installer\MSI1AE.tmp" im "C:\Program Files (x86)\Sage\eIDSign\\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.man" /rf:"C:\Program Files (x86)\Sage\eIDSign\\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll" /mf:"C:\Program Files (x86)\Sage\eIDSign\\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll" /fromwow64
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe "C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe" firefox-addin
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bcd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dmcfgutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dmcmnutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dmxmlhelputils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: inproclogger.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windows.networking.connectivity.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: synccontroller.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: pimstore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: aphostclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: accountaccessor.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dsclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: systemeventsbrokerclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userdatalanguageutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mccsengineshared.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cemapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userdatatypehelperutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: phoneutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msihnd.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: httpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Installer\MSI1AE.tmp Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Installer\MSI1AE.tmp Section loaded: wevtapi.dll Jump to behavior
Source: C:\Windows\System32\wevtutil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wevtutil.exe Section loaded: msxml6.dll Jump to behavior
Source: C:\Windows\System32\wevtutil.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wevtutil.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88d96a05-f192-11d4-a65f-0040963251e5}\InProcServer32 Jump to behavior
Source: Launch Sage.Eb.UniSign.Windows.exe.lnk.9.dr LNK file: ..\..\..\..\..\..\..\Windows\Installer\{9F90421B-05FE-4A89-802E-B4C70995335E}\Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe
Source: C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe File written: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\_ISMSIDEL.INI Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Sage.Eb.eIDSign.Windows.Installer.exe Static PE information: certificate valid
Source: Sage.Eb.eIDSign.Windows.Installer.exe Static file information: File size 3287832 > 1048576
Source: Sage.Eb.eIDSign.Windows.Installer.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\projects\bouncycastle-pcl\crypto\obj\pcl2\Release\crypto.pdb source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2513840378.00000000051D2000.00000002.00000001.01000000.0000000D.sdmp, crypto.dll.9.dr
Source: Binary string: C:\Development\Releases\Json\Working\Newtonsoft.Json\Working-Signed\Src\Newtonsoft.Json\obj\Release\Net45\Newtonsoft.Json.pdb( source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1407109280.00000000052C2000.00000002.00000001.01000000.0000000C.sdmp, Newtonsoft.Json.dll.9.dr
Source: Binary string: ^W/c:\Builds\eIDSign\Ebanking\eIDSign.Current\eIDSign\Current\Src\NativeServices\NSUniSignWindows\obj\Release\Sage.Eb.UniSign.Windows.pdbL source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000000.1367497619.0000000000512000.00000002.00000001.01000000.00000007.sdmp, Sage.Eb.UniSign.Windows.exe.9.dr
Source: Binary string: wevtutil.pdb source: MSI1AE.tmp, 0000000D.00000000.1383361833.00000000001F1000.00000020.00000001.01000000.0000000E.sdmp, 46f826.msi.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, MSI1AE.tmp.9.dr
Source: Binary string: c:\b\4745\3307\src\intermediate\EventSource.V40.csproj_d509c9f3\Release\Microsoft.Diagnostics.Tracing.EventSource.pdb source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Diagnostics.Tracing.EventSource.dll.9.dr
Source: Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\setupPreReq.pdb source: Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr
Source: Binary string: /c:\Builds\eIDSign\Ebanking\eIDSign.Current\eIDSign\Current\Src\NativeServices\UniSignPCL\obj\Release\Sage.Eb.UniSign.PCL.pdbT source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1406436370.00000000050B2000.00000002.00000001.01000000.00000009.sdmp, Sage.Eb.UniSign.PCL.dll.9.dr
Source: Binary string: t:\gregz\work\pw_hashing\clrsecurity\svn\Security.Cryptography\src\obj\Release\Security.Cryptography.pdb source: Security.Cryptography.dll.9.dr
Source: Binary string: c:\Builds\eIDSign\Ebanking\eIDSign.Current\eIDSign\Current\Src\NativeServices\NSUniSignWindows\obj\Release\Sage.Eb.UniSign.Windows.pdb source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000000.1367497619.0000000000512000.00000002.00000001.01000000.00000007.sdmp, Sage.Eb.UniSign.Windows.exe.9.dr
Source: Binary string: c:\Builds\eIDSign\Ebanking\eIDSign.Current\eIDSign\Current\Src\NativeServices\UniSignPCL\obj\Release\Sage.Eb.UniSign.PCL.pdb source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1406436370.00000000050B2000.00000002.00000001.01000000.00000009.sdmp, Sage.Eb.UniSign.PCL.dll.9.dr
Source: Binary string: c:\Builds\eIDSign\Ebanking\eIDSign.Current\eIDSign\Current\Src\NativeServices\Slab\source\Src\SemanticLogging\obj\Release\Microsoft.Practices.EnterpriseLibrary.SemanticLogging.pdb source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1406919885.0000000005192000.00000002.00000001.01000000.0000000B.sdmp, Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll.9.dr
Source: Binary string: t:\gregz\work\pw_hashing\clrsecurity\svn\Security.Cryptography\src\obj\Release\Security.Cryptography.pdbL source: Security.Cryptography.dll.9.dr
Source: Binary string: C:\Development\Releases\Json\Working\Newtonsoft.Json\Working-Signed\Src\Newtonsoft.Json\obj\Release\Net45\Newtonsoft.Json.pdb source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1407109280.00000000052C2000.00000002.00000001.01000000.0000000C.sdmp, Newtonsoft.Json.dll.9.dr
Source: MSI1AE.tmp.9.dr Static PE information: section name: .didat

Persistence and Installation Behavior

Source: C:\Windows\System32\msiexec.exe Executable created and started: C:\Windows\Installer\MSI1AE.tmp
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A90B05DEF62436E8FD05D53CE1B2CB74ABE8E9FF Blob
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.PCL.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1AE.tmp
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIE8D5.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Sage\eIDSign\Microsoft.Diagnostics.Tracing.EventSource.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Sage\eIDSign\crypto.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Sage\eIDSign\Newtonsoft.Json.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Sage\eIDSign\Security.Cryptography.dll
Source: C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe File created: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{9F90421B-05FE-4A89-802E-B4C70995335E}\Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Sage\eIDSign\Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{9F90421B-05FE-4A89-802E-B4C70995335E}\ARPPRODUCTICON.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sage
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sage\Sage.Eb.UniSign.Windows
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sage\Sage.Eb.UniSign.Windows\Launch Sage.Eb.UniSign.Windows.exe.lnk
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Windows\SysWOW64\msiexec.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Blob
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Memory allocated: 1450000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Memory allocated: 1650000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Memory allocated: 3650000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Memory allocated: 1100000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Memory allocated: 2C70000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Memory allocated: 29E0000 memory reserve | memory write watch
Source: C:\Windows\System32\svchost.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Window / User API: threadDelayed 784
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.PCL.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Sage\eIDSign\Microsoft.Diagnostics.Tracing.EventSource.dll
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIE8D5.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Sage\eIDSign\crypto.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Sage\eIDSign\Newtonsoft.Json.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Sage\eIDSign\Security.Cryptography.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{9F90421B-05FE-4A89-802E-B4C70995335E}\Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Sage\eIDSign\Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{9F90421B-05FE-4A89-802E-B4C70995335E}\ARPPRODUCTICON.exe
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe TID: 2752 Thread sleep count: 201 > 30
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe TID: 2752 Thread sleep count: 784 > 30
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe TID: 6288 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000005.00000002.2506940572.000001A519A4C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.2506736524.000001A519A2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 00000005.00000002.2507519082.000001A519A83000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2512922999.000000000401C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
Source: svchost.exe, 00000005.00000002.2506348109.000001A519A0B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 00000005.00000002.2507651446.000001A519A8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.2506736524.000001A519A2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.2506940572.000001A519A4C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.2507338892.000001A519A65000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000005.00000002.2507338892.000001A519A65000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:stem
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe Process created: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe /q"C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}" /IS_temp
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe Process created: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe c:\users\user\appdata\local\temp\{c7a8a1a5-6e4b-4b26-bd0a-b5c9fbe8a2d4}\sage.eb.eidsign.windows.installer.exe /q"c:\users\user\desktop\sage.eb.eidsign.windows.installer.exe" /tempdisk1folder"c:\users\user\appdata\local\temp\{c7a8a1a5-6e4b-4b26-bd0a-b5c9fbe8a2d4}" /is_temp
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\local\downloaded installations\{b567d723-533a-4254-abab-0b467014446b}\sage.eb.eidsign.windows.msi" transforms="c:\users\user\appdata\local\downloaded installations\{b567d723-533a-4254-abab-0b467014446b}\1033.mst" setupexedir="c:\users\user\desktop" setupexename="sage.eb.eidsign.windows.installer.exe"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\Installer\MSI1AE.tmp "c:\windows\installer\msi1ae.tmp" im "c:\program files (x86)\sage\eidsign\\sage.eb.unisign.windows.sage-eb-unisignwindows.etwmanifest.man" /rf:"c:\program files (x86)\sage\eidsign\\sage.eb.unisign.windows.sage-eb-unisignwindows.etwmanifest.dll" /mf:"c:\program files (x86)\sage\eidsign\\sage.eb.unisign.windows.sage-eb-unisignwindows.etwmanifest.dll"
Source: C:\Windows\Installer\MSI1AE.tmp Process created: C:\Windows\System32\wevtutil.exe "c:\windows\installer\msi1ae.tmp" im "c:\program files (x86)\sage\eidsign\\sage.eb.unisign.windows.sage-eb-unisignwindows.etwmanifest.man" /rf:"c:\program files (x86)\sage\eidsign\\sage.eb.unisign.windows.sage-eb-unisignwindows.etwmanifest.dll" /mf:"c:\program files (x86)\sage\eidsign\\sage.eb.unisign.windows.sage-eb-unisignwindows.etwmanifest.dll" /fromwow64
Source: Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr Binary or memory string: BTahomaShell_TrayWnd0x0409t
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Queries volume information: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe VolumeInformation
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Queries volume information: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.PCL.dll VolumeInformation
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.dll VolumeInformation
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Queries volume information: C:\Program Files (x86)\Sage\eIDSign\Microsoft.Diagnostics.Tracing.EventSource.dll VolumeInformation
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Queries volume information: C:\Program Files (x86)\Sage\eIDSign\Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll VolumeInformation
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Queries volume information: C:\Program Files (x86)\Sage\eIDSign\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Globalization\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Globalization.dll VolumeInformation
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Queries volume information: C:\Program Files (x86)\Sage\eIDSign\crypto.dll VolumeInformation
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Extensions\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Extensions.dll VolumeInformation
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Reflection\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Reflection.dll VolumeInformation
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.dll VolumeInformation
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.IO.dll VolumeInformation
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Text.Encoding\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Text.Encoding.dll VolumeInformation
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\wevtutil.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Sage-Eb-UniSignWindows/Admin Enabled
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1 https
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1 :Range
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\user.js
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\user.js
Source: svchost.exe, 00000006.00000002.2507741300.0000022248B02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000006.00000002.2507741300.0000022248B02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\SysWOW64\msiexec.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Blob
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\user.js
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\user.js
No contacted IP infos