Windows Analysis Report
Sage.Eb.eIDSign.Windows.Installer.exe

Overview

General Information

Sample name: Sage.Eb.eIDSign.Windows.Installer.exe
Analysis ID: 1560043
MD5: cdaa0b967941fffe97b0d508e696b938
SHA1: 3338c896c9416dc683d94696f6861ab28b0bb26f
SHA256: e01aec5472b010bdcf84d65bdbeff90e0c551558899f638d36dace4261ae1d36

Detection

Score: 51
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 46
Range: 0 - 100

Signatures

Changes security center settings (notifications, updates, antivirus, firewall)
Disables event log channels
Drops executables to the windows directory (C:\Windows) and starts them
Installs new ROOT certificates
Modifies Internet Explorer zonemap settings
Overwrites Mozilla Firefox settings
Tries to harvest and steal browser information (history, passwords, etc)
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64_ra
  • Sage.Eb.eIDSign.Windows.Installer.exe (PID: 7112 cmdline: "C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe" MD5: CDAA0B967941FFFE97B0D508E696B938)
    • Sage.Eb.eIDSign.Windows.Installer.exe (PID: 7132 cmdline: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe /q"C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}" /IS_temp MD5: CDAA0B967941FFFE97B0D508E696B938)
      • msiexec.exe (PID: 6800 cmdline: "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\user\AppData\Local\Downloaded Installations\{B567D723-533A-4254-ABAB-0B467014446B}\Sage.Eb.eIDSign.Windows.msi" TRANSFORMS="C:\Users\user\AppData\Local\Downloaded Installations\{B567D723-533A-4254-ABAB-0B467014446B}\1033.MST" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="Sage.Eb.eIDSign.Windows.Installer.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • explorer.exe (PID: 6696 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
  • svchost.exe (PID: 6292 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 6364 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 6200 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 6312 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 5928 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 6672 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • msiexec.exe (PID: 5404 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 5492 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 634E06A54BB5FC4E5F05F278FBCAD869 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • MSI1AE.tmp (PID: 2708 cmdline: "C:\Windows\Installer\MSI1AE.tmp" im "C:\Program Files (x86)\Sage\eIDSign\\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.man" /rf:"C:\Program Files (x86)\Sage\eIDSign\\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll" /mf:"C:\Program Files (x86)\Sage\eIDSign\\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll" MD5: 4967093B32BDDABA9193360A1EF3F649)
      • conhost.exe (PID: 2920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wevtutil.exe (PID: 2756 cmdline: "C:\Windows\Installer\MSI1AE.tmp" im "C:\Program Files (x86)\Sage\eIDSign\\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.man" /rf:"C:\Program Files (x86)\Sage\eIDSign\\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll" /mf:"C:\Program Files (x86)\Sage\eIDSign\\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll" /fromwow64 MD5: 1AAE26BD68B911D0420626A27070EB8D)
    • Sage.Eb.UniSign.Windows.exe (PID: 6440 cmdline: "C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe" firefox-addin MD5: 8A78B781926C098346364AF319B07300)
      • conhost.exe (PID: 6876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Sage.Eb.UniSign.Windows.exe (PID: 1556 cmdline: "C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe" MD5: 8A78B781926C098346364AF319B07300)
  • cleanup
No configs have been found
No yara matches
Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 6292, ProcessName: svchost.exe
No Suricata rule has matched

Compliance

Source: Sage.Eb.eIDSign.Windows.Installer.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Sage.Eb.eIDSign.Windows.Installer.exe Static PE information: certificate valid
Source: Binary string: C:\projects\bouncycastle-pcl\crypto\obj\pcl2\Release\crypto.pdb source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2513840378.00000000051D2000.00000002.00000001.01000000.0000000D.sdmp, crypto.dll.9.dr
Source: Binary string: C:\Development\Releases\Json\Working\Newtonsoft.Json\Working-Signed\Src\Newtonsoft.Json\obj\Release\Net45\Newtonsoft.Json.pdb( source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1407109280.00000000052C2000.00000002.00000001.01000000.0000000C.sdmp, Newtonsoft.Json.dll.9.dr
Source: Binary string: ^W/c:\Builds\eIDSign\Ebanking\eIDSign.Current\eIDSign\Current\Src\NativeServices\NSUniSignWindows\obj\Release\Sage.Eb.UniSign.Windows.pdbL source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000000.1367497619.0000000000512000.00000002.00000001.01000000.00000007.sdmp, Sage.Eb.UniSign.Windows.exe.9.dr
Source: Binary string: wevtutil.pdb source: MSI1AE.tmp, 0000000D.00000000.1383361833.00000000001F1000.00000020.00000001.01000000.0000000E.sdmp, 46f826.msi.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, MSI1AE.tmp.9.dr
Source: Binary string: c:\b\4745\3307\src\intermediate\EventSource.V40.csproj_d509c9f3\Release\Microsoft.Diagnostics.Tracing.EventSource.pdb source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Diagnostics.Tracing.EventSource.dll.9.dr
Source: Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\setupPreReq.pdb source: Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr
Source: Binary string: /c:\Builds\eIDSign\Ebanking\eIDSign.Current\eIDSign\Current\Src\NativeServices\UniSignPCL\obj\Release\Sage.Eb.UniSign.PCL.pdbT source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1406436370.00000000050B2000.00000002.00000001.01000000.00000009.sdmp, Sage.Eb.UniSign.PCL.dll.9.dr
Source: Binary string: t:\gregz\work\pw_hashing\clrsecurity\svn\Security.Cryptography\src\obj\Release\Security.Cryptography.pdb source: Security.Cryptography.dll.9.dr
Source: Binary string: c:\Builds\eIDSign\Ebanking\eIDSign.Current\eIDSign\Current\Src\NativeServices\NSUniSignWindows\obj\Release\Sage.Eb.UniSign.Windows.pdb source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000000.1367497619.0000000000512000.00000002.00000001.01000000.00000007.sdmp, Sage.Eb.UniSign.Windows.exe.9.dr
Source: Binary string: c:\Builds\eIDSign\Ebanking\eIDSign.Current\eIDSign\Current\Src\NativeServices\UniSignPCL\obj\Release\Sage.Eb.UniSign.PCL.pdb source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1406436370.00000000050B2000.00000002.00000001.01000000.00000009.sdmp, Sage.Eb.UniSign.PCL.dll.9.dr
Source: Binary string: c:\Builds\eIDSign\Ebanking\eIDSign.Current\eIDSign\Current\Src\NativeServices\Slab\source\Src\SemanticLogging\obj\Release\Microsoft.Practices.EnterpriseLibrary.SemanticLogging.pdb source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1406919885.0000000005192000.00000002.00000001.01000000.0000000B.sdmp, Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll.9.dr
Source: Binary string: t:\gregz\work\pw_hashing\clrsecurity\svn\Security.Cryptography\src\obj\Release\Security.Cryptography.pdbL source: Security.Cryptography.dll.9.dr
Source: Binary string: C:\Development\Releases\Json\Working\Newtonsoft.Json\Working-Signed\Src\Newtonsoft.Json\obj\Release\Net45\Newtonsoft.Json.pdb source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1407109280.00000000052C2000.00000002.00000001.01000000.0000000C.sdmp, Newtonsoft.Json.dll.9.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\svchost.exe File opened: d:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\msiexec.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1406436370.00000000050B2000.00000002.00000001.01000000.00000009.sdmp, Sage.Eb.UniSign.PCL.dll.9.drString found in binary or memory: <LouserzableString Key="FaceBookUrl" Value="https://www.facebook.com/SageFrance"></LouserzableString> equals www.facebook.com (Facebook)
Source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1406436370.00000000050B2000.00000002.00000001.01000000.00000009.sdmp, Sage.Eb.UniSign.PCL.dll.9.drString found in binary or memory: <LouserzableString Key="FaceBookUrl" Value="https://www.facebook.com/SageSpain"></LouserzableString> equals www.facebook.com (Facebook)
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2508602786.0000000001687000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:48081/UniSign/
Source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digi
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2508003322.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405256953.0000000001136000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr, Sage.Eb.eIDSign.Windows.msi.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000B5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2508003322.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405256953.0000000001130000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405256953.0000000001136000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 46f826.msi.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, MSIE8D5.tmp.8.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2508003322.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405256953.0000000001136000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr, Sage.Eb.eIDSign.Windows.msi.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000B5A000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405256953.0000000001136000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr, Sage.Eb.eIDSign.Windows.msi.1.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2508003322.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405256953.0000000001136000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr, Sage.Eb.eIDSign.Windows.msi.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000B5A000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405256953.0000000001130000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405256953.0000000001136000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Newtonsoft.Json.dll.9.drString found in binary or memory: http://james.newtonking.com/projects/json
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2508003322.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405256953.0000000001136000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr, Sage.Eb.eIDSign.Windows.msi.1.drString found in binary or memory: http://ocsp.digicert.com0C
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000B5A000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405256953.0000000001130000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405256953.0000000001136000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.drString found in binary or memory: http://ocsp.digicert.com0O
Source: 46f826.msi.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, MSIE8D5.tmp.8.drString found in binary or memory: http://ocsp.thawte.com0
Source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, crypto.dll.9.dr, 1033.MST0.1.dr, MSIE8D5.tmp.8.dr, Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll.9.drString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, crypto.dll.9.dr, 1033.MST0.1.dr, MSIE8D5.tmp.8.drString found in binary or memory: http://s2.symcb.com0
Source: Sage.Eb.eIDSign.Windows.Installer.exe, 00000001.00000003.1262957827.000000000077F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, 00000001.00000003.1262729024.00000000007AA000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, 00000001.00000003.1262729024.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, 00000001.00000003.1263241067.000000000077E000.00000004.00000020.00020000.00000000.sdmp, Microsoft .NET Framework 4.5 Web .prq.1.drString found in binary or memory: http://saturn.installshield.com/is/prerequisites/Microsoft
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2508602786.0000000001651000.00000004.00000800.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405684329.0000000002CFB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.co
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, crypto.dll.9.dr, 1033.MST0.1.drString found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: 46f826.msi.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, MSIE8D5.tmp.8.drString found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, crypto.dll.9.dr, 1033.MST0.1.drString found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, crypto.dll.9.dr, 1033.MST0.1.drString found in binary or memory: http://sv.symcd.com0&
Source: 46f826.msi.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, MSIE8D5.tmp.8.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe
File created: C:\Program Files (x86)\Sage\eIDSign\eIDSignCa.cer
Source: C:\Windows\System32\msiexec.exe
File created: C:\Windows\Installer\46f826.msi
Source: C:\Windows\System32\msiexec.exe
File created: C:\Windows\Installer\46f827.mst
Source: C:\Windows\System32\msiexec.exe
File created: C:\Windows\Installer\SourceHash{9F90421B-05FE-4A89-802E-B4C70995335E}
Source: C:\Windows\System32\msiexec.exe
File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe
File created: C:\Windows\Installer\MSIF9FB.tmp
Source: C:\Windows\System32\msiexec.exe
File created: C:\Windows\Installer\{9F90421B-05FE-4A89-802E-B4C70995335E}
Source: C:\Windows\System32\msiexec.exe
File created: C:\Windows\Installer\{9F90421B-05FE-4A89-802E-B4C70995335E}\ARPPRODUCTICON.exe
Source: C:\Windows\System32\msiexec.exe
File created: C:\Windows\Installer\{9F90421B-05FE-4A89-802E-B4C70995335E}\Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe
Source: C:\Windows\System32\msiexec.exe
File created: C:\Windows\Installer\46f829.msi
Source: C:\Windows\System32\msiexec.exe
File created: C:\Windows\Installer\{9F90421B-05FE-4A89-802E-B4C70995335E}\1033.MST
Source: C:\Windows\System32\msiexec.exe
File created: C:\Windows\Installer\MSI15F.tmp
Source: C:\Windows\System32\msiexec.exe
File created: C:\Windows\Installer\MSI1AE.tmp
Source: C:\Windows\System32\msiexec.exe
File deleted: C:\Windows\Installer\46f829.msi
Source: C:\Windows\Installer\MSI1AE.tmp
Process token adjusted: Security
Source: Microsoft.Diagnostics.Tracing.EventSource.dll.9.dr
Static PE information: Resource name: RT_VERSION type: TTComp archive data, binary, 2K dictionary
Source: Sage.Eb.eIDSign.Windows.Installer.exe, 00000000.00000000.1256764960.000000000057D000.00000002.00000001.01000000.00000003.sdmp
Binary or memory string: OriginalFilenameInstallShield Setup.exeP vs Sage.Eb.eIDSign.Windows.Installer.exe
Source: Sage.Eb.eIDSign.Windows.Installer.exe
Binary or memory string: OriginalFilenameInstallShield Setup.exeP vs Sage.Eb.eIDSign.Windows.Installer.exe
Source: Sage.Eb.eIDSign.Windows.Installer.exe.0.dr
Binary or memory string: OriginalFilenameInstallShield Setup.exeP vs Sage.Eb.eIDSign.Windows.Installer.exe
Source: Sage.Eb.eIDSign.Windows.Installer.exe
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Sage.Eb.UniSign.Windows.exe.9.dr, NSUniSignService.cs
Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Sage.Eb.UniSign.Windows.exe.9.dr, Program.cs
Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Sage.Eb.UniSign.Windows.exe.9.dr, Program.cs
Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Sage.Eb.UniSign.Windows.exe.9.dr, UniSignEventSource.cs
Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Sage.Eb.UniSign.Windows.exe.9.dr, JsonRestDevice.cs
Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Sage.Eb.UniSign.Windows.exe.9.dr, Ms.cs
Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll.9.dr, XmlEventTextFormatter.cs
Suspicious method names: .XmlEventTextFormatter.SanitizeAndWritePayload
Source: Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll.9.dr, XmlEventTextFormatter.cs
Suspicious method names: .XmlEventTextFormatter.XmlWritePayload
Source: Microsoft.Diagnostics.Tracing.EventSource.dll.9.dr, EventCounterPayload.cs
Suspicious method names: .EventCounterPayload.GetEnumerator
Source: Microsoft.Diagnostics.Tracing.EventSource.dll.9.dr, EventCounter.cs
Suspicious method names: .EventCounter.GetEventCounterPayload
Source: Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll.9.dr, EventTextFormatter.cs
Suspicious method names: .EventTextFormatter.FormatPayload
Source: Microsoft.Diagnostics.Tracing.EventSource.dll.9.dr, EventPayload.cs
Suspicious method names: .EventPayload.ContainsKey
Source: Microsoft.Diagnostics.Tracing.EventSource.dll.9.dr, EventPayload.cs
Suspicious method names: .EventPayload.TryGetValue
Source: Microsoft.Diagnostics.Tracing.EventSource.dll.9.dr, EventPayload.cs
Suspicious method names: .EventPayload.Contains
Source: Microsoft.Diagnostics.Tracing.EventSource.dll.9.dr, EventPayload.cs
Suspicious method names: .EventPayload.Add
Source: Microsoft.Diagnostics.Tracing.EventSource.dll.9.dr, EventPayload.cs
Suspicious method names: .EventPayload.GetEnumerator
Source: Microsoft.Diagnostics.Tracing.EventSource.dll.9.dr, EventPayload.cs
Suspicious method names: .EventPayload.Clear
Source: Microsoft.Diagnostics.Tracing.EventSource.dll.9.dr, EventPayload.cs
Suspicious method names: .EventPayload.CopyTo
Source: Microsoft.Diagnostics.Tracing.EventSource.dll.9.dr, EventPayload.cs
Suspicious method names: .EventPayload.Remove
Source: Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll.9.dr, EventEntryUtil.cs
Suspicious method names: .EventEntryUtil.JsonWritePayload
Source: Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll.9.dr, EventEntryUtil.cs
Suspicious method names: .EventEntryUtil.JsonSerializePayload
Source: Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll.9.dr, SemanticLoggingEventSource.cs
Suspicious method names: .SemanticLoggingEventSource.ElasticsearchSinkEntityPayloadCreationFailed
Source: Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll.9.dr, SemanticLoggingEventSource.cs
Suspicious method names: .SemanticLoggingEventSource.EventEntrySerializePayloadFailed
Source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Diagnostics.Tracing.EventSource.dll.9.dr
Binary or memory string: c:\b\4745\3307\src\intermediate\EventSource.V40.csproj_d509c9f3\Release\Microsoft.Diagnostics.Tracing.EventSource.pdb
Source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1406664165.0000000005102000.00000002.00000001.01000000.0000000A.sdmp
Binary or memory string: c:\b\4745\3307\src\intermediate\EventSource.V40.csproj_d509c9f3\Release\Microsoft.Diagno
Source: classification engine
Classification label: mal51.phis.spyw.evad.winEXE@27/64@0/0
Source: C:\Windows\System32\msiexec.exe
File created: C:\Program Files (x86)\Sage
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe
File created: C:\Users\user\AppData\Local\Downloaded Installations
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe
Mutant created: NULL
Source: C:\Windows\System32\conhost.exe
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2920:120:WilError_03
Source: C:\Windows\System32\conhost.exe
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6876:120:WilError_03
Source: C:\Windows\System32\conhost.exe
Mutant created: \BaseNamedObjects\Local\SM0:676:120:WilError_03
Source: C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe
File created: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe
Process created: C:\Windows\SysWOW64\explorer.exe
Source: Sage.Eb.eIDSign.Windows.Installer.exe
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe
File read: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\_ISMSIDEL.INI
Source: C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Sage.Eb.eIDSign.Windows.Installer.exe, 00000001.00000003.1260766067.0000000000778000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: Select the language for this installation from the choices below.date blow:@wP106n;
Source: C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe
File read: C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe
Source: unknown
Process created: C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe "C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe"
Source: C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe
Process created: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe /q"C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}" /IS_temp
Source: unknown
Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown
Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown
Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown
Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown
Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe
Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\user\AppData\Local\Downloaded Installations\{B567D723-533A-4254-ABAB-0B467014446B}\Sage.Eb.eIDSign.Windows.msi" TRANSFORMS="C:\Users\user\AppData\Local\Downloaded Installations\{B567D723-533A-4254-ABAB-0B467014446B}\1033.MST" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="Sage.Eb.eIDSign.Windows.Installer.exe"
Source: unknown
Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe
Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 634E06A54BB5FC4E5F05F278FBCAD869 C
Source: unknown
Process created: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe "C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe"
Source: C:\Windows\System32\msiexec.exe
Process created: C:\Windows\Installer\MSI1AE.tmp "C:\Windows\Installer\MSI1AE.tmp" im "C:\Program Files (x86)\Sage\eIDSign\\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.man" /rf:"C:\Program Files (x86)\Sage\eIDSign\\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll" /mf:"C:\Program Files (x86)\Sage\eIDSign\\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll"
Source: C:\Windows\Installer\MSI1AE.tmp
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Installer\MSI1AE.tmp
Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\Installer\MSI1AE.tmp" im "C:\Program Files (x86)\Sage\eIDSign\\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.man" /rf:"C:\Program Files (x86)\Sage\eIDSign\\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll" /mf:"C:\Program Files (x86)\Sage\eIDSign\\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll" /fromwow64
Source: C:\Windows\System32\msiexec.exe
Process created: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe "C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe" firefox-addin
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe
Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Windows\System32\svchost.exe
Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wevtutil.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88d96a05-f192-11d4-a65f-0040963251e5}\InProcServer32
Source: Launch Sage.Eb.UniSign.Windows.exe.lnk.9.dr LNK file: ..\..\..\..\..\..\..\Windows\Installer\{9F90421B-05FE-4A89-802E-B4C70995335E}\Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe
Source: C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe File written: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\_ISMSIDEL.INI
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Sage.Eb.eIDSign.Windows.Installer.exe Static PE information: certificate valid
Source: Sage.Eb.eIDSign.Windows.Installer.exe Static file information: File size 3287832 > 1048576
Source: Sage.Eb.eIDSign.Windows.Installer.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\projects\bouncycastle-pcl\crypto\obj\pcl2\Release\crypto.pdb source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2513840378.00000000051D2000.00000002.00000001.01000000.0000000D.sdmp, crypto.dll.9.dr
Source: Binary string: C:\Development\Releases\Json\Working\Newtonsoft.Json\Working-Signed\Src\Newtonsoft.Json\obj\Release\Net45\Newtonsoft.Json.pdb( source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1407109280.00000000052C2000.00000002.00000001.01000000.0000000C.sdmp, Newtonsoft.Json.dll.9.dr
Source: Binary string: ^W/c:\Builds\eIDSign\Ebanking\eIDSign.Current\eIDSign\Current\Src\NativeServices\NSUniSignWindows\obj\Release\Sage.Eb.UniSign.Windows.pdbL source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000000.1367497619.0000000000512000.00000002.00000001.01000000.00000007.sdmp, Sage.Eb.UniSign.Windows.exe.9.dr
Source: Binary string: wevtutil.pdb source: MSI1AE.tmp, 0000000D.00000000.1383361833.00000000001F1000.00000020.00000001.01000000.0000000E.sdmp, 46f826.msi.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, MSI1AE.tmp.9.dr
Source: Binary string: c:\b\4745\3307\src\intermediate\EventSource.V40.csproj_d509c9f3\Release\Microsoft.Diagnostics.Tracing.EventSource.pdb source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Diagnostics.Tracing.EventSource.dll.9.dr
Source: Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\setupPreReq.pdb source: Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr
Source: Binary string: /c:\Builds\eIDSign\Ebanking\eIDSign.Current\eIDSign\Current\Src\NativeServices\UniSignPCL\obj\Release\Sage.Eb.UniSign.PCL.pdbT source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1406436370.00000000050B2000.00000002.00000001.01000000.00000009.sdmp, Sage.Eb.UniSign.PCL.dll.9.dr
Source: Binary string: t:\gregz\work\pw_hashing\clrsecurity\svn\Security.Cryptography\src\obj\Release\Security.Cryptography.pdb source: Security.Cryptography.dll.9.dr
Source: Binary string: c:\Builds\eIDSign\Ebanking\eIDSign.Current\eIDSign\Current\Src\NativeServices\NSUniSignWindows\obj\Release\Sage.Eb.UniSign.Windows.pdb source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000000.1367497619.0000000000512000.00000002.00000001.01000000.00000007.sdmp, Sage.Eb.UniSign.Windows.exe.9.dr
Source: Binary string: c:\Builds\eIDSign\Ebanking\eIDSign.Current\eIDSign\Current\Src\NativeServices\UniSignPCL\obj\Release\Sage.Eb.UniSign.PCL.pdb source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1406436370.00000000050B2000.00000002.00000001.01000000.00000009.sdmp, Sage.Eb.UniSign.PCL.dll.9.dr
Source: Binary string: c:\Builds\eIDSign\Ebanking\eIDSign.Current\eIDSign\Current\Src\NativeServices\Slab\source\Src\SemanticLogging\obj\Release\Microsoft.Practices.EnterpriseLibrary.SemanticLogging.pdb source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1406919885.0000000005192000.00000002.00000001.01000000.0000000B.sdmp, Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll.9.dr
Source: Binary string: t:\gregz\work\pw_hashing\clrsecurity\svn\Security.Cryptography\src\obj\Release\Security.Cryptography.pdbL source: Security.Cryptography.dll.9.dr
Source: Binary string: C:\Development\Releases\Json\Working\Newtonsoft.Json\Working-Signed\Src\Newtonsoft.Json\obj\Release\Net45\Newtonsoft.Json.pdb source: Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1407109280.00000000052C2000.00000002.00000001.01000000.0000000C.sdmp, Newtonsoft.Json.dll.9.dr
Source: MSI1AE.tmp.9.dr Static PE information: section name: .didat

Persistence and Installation Behavior

Source: C:\Windows\System32\msiexec.exe Executable created and started: C:\Windows\Installer\MSI1AE.tmp
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A90B05DEF62436E8FD05D53CE1B2CB74ABE8E9FF Blob
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.PCL.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1AE.tmp
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIE8D5.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Sage\eIDSign\Microsoft.Diagnostics.Tracing.EventSource.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Sage\eIDSign\crypto.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Sage\eIDSign\Newtonsoft.Json.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Sage\eIDSign\Security.Cryptography.dll
Source: C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe File created: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{9F90421B-05FE-4A89-802E-B4C70995335E}\Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Sage\eIDSign\Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{9F90421B-05FE-4A89-802E-B4C70995335E}\ARPPRODUCTICON.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sage
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sage\Sage.Eb.UniSign.Windows
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sage\Sage.Eb.UniSign.Windows\Launch Sage.Eb.UniSign.Windows.exe.lnk
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Windows\SysWOW64\msiexec.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Blob
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe; Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe; Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe; Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe; Memory allocated: 1450000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe; Memory allocated: 1650000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe; Memory allocated: 3650000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe; Memory allocated: 1100000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe; Memory allocated: 2C70000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe; Memory allocated: 29E0000 memory reserve | memory write watch
Source: C:\Windows\System32\svchost.exe; File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe; Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe; Window / User API: threadDelayed 784
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.PCL.dll
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Sage\eIDSign\Microsoft.Diagnostics.Tracing.EventSource.dll
Source: C:\Windows\SysWOW64\msiexec.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIE8D5.tmp
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Sage\eIDSign\crypto.dll
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Sage\eIDSign\Newtonsoft.Json.dll
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Sage\eIDSign\Security.Cryptography.dll
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\Installer\{9F90421B-05FE-4A89-802E-B4C70995335E}\Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Sage\eIDSign\Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\Installer\{9F90421B-05FE-4A89-802E-B4C70995335E}\ARPPRODUCTICON.exe
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe TID: 2752; Thread sleep count: 201 > 30
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe TID: 2752; Thread sleep count: 784 > 30
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe TID: 6288; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe; File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe; File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\System32\svchost.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe; File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe; File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000005.00000002.2506940572.000001A519A4C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.2506736524.000001A519A2B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 00000005.00000002.2507519082.000001A519A83000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2512922999.000000000401C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
Source: svchost.exe, 00000005.00000002.2506348109.000001A519A0B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 00000005.00000002.2507651446.000001A519A8D000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.2506736524.000001A519A2B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.2506940572.000001A519A4C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.2507338892.000001A519A65000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000005.00000002.2507338892.000001A519A65000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:stem
Source: C:\Windows\System32\msiexec.exe; Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe; Process token adjusted: Debug
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe; Process created: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe /q"C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}" /IS_temp
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe; Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe; Process created: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe c:\users\user\appdata\local\temp\{c7a8a1a5-6e4b-4b26-bd0a-b5c9fbe8a2d4}\sage.eb.eidsign.windows.installer.exe /q"c:\users\user\desktop\sage.eb.eidsign.windows.installer.exe" /tempdisk1folder"c:\users\user\appdata\local\temp\{c7a8a1a5-6e4b-4b26-bd0a-b5c9fbe8a2d4}" /is_temp
Source: C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\local\downloaded installations\{b567d723-533a-4254-abab-0b467014446b}\sage.eb.eidsign.windows.msi" transforms="c:\users\user\appdata\local\downloaded installations\{b567d723-533a-4254-abab-0b467014446b}\1033.mst" setupexedir="c:\users\user\desktop" setupexename="sage.eb.eidsign.windows.installer.exe"
Source: C:\Windows\System32\msiexec.exe; Process created: C:\Windows\Installer\MSI1AE.tmp "c:\windows\installer\msi1ae.tmp" im "c:\program files (x86)\sage\eidsign\\sage.eb.unisign.windows.sage-eb-unisignwindows.etwmanifest.man" /rf:"c:\program files (x86)\sage\eidsign\\sage.eb.unisign.windows.sage-eb-unisignwindows.etwmanifest.dll" /mf:"c:\program files (x86)\sage\eidsign\\sage.eb.unisign.windows.sage-eb-unisignwindows.etwmanifest.dll"
Source: C:\Windows\Installer\MSI1AE.tmp; Process created: C:\Windows\System32\wevtutil.exe "c:\windows\installer\msi1ae.tmp" im "c:\program files (x86)\sage\eidsign\\sage.eb.unisign.windows.sage-eb-unisignwindows.etwmanifest.man" /rf:"c:\program files (x86)\sage\eidsign\\sage.eb.unisign.windows.sage-eb-unisignwindows.etwmanifest.dll" /mf:"c:\program files (x86)\sage\eidsign\\sage.eb.unisign.windows.sage-eb-unisignwindows.etwmanifest.dll" /fromwow64
Source: Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.eIDSign.Windows.Installer.exe.0.drBinary or memory string: BTahomaShell_TrayWnd0x0409t
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exeQueries volume information: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exeQueries volume information: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.PCL.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exeQueries volume information: C:\Program Files (x86)\Sage\eIDSign\Microsoft.Diagnostics.Tracing.EventSource.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exeQueries volume information: C:\Program Files (x86)\Sage\eIDSign\Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exeQueries volume information: C:\Program Files (x86)\Sage\eIDSign\Newtonsoft.Json.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Globalization\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Globalization.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exeQueries volume information: C:\Program Files (x86)\Sage\eIDSign\crypto.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Extensions\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Extensions.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Reflection\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Reflection.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.IO.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Text.Encoding\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Text.Encoding.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cvalJump to behavior
Source: C:\Windows\System32\wevtutil.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Sage-Eb-UniSignWindows/Admin EnabledJump to behavior
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exeRegistry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1 https
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exeRegistry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1 :Range
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\user.js
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\user.js
Source: svchost.exe, 00000006.00000002.2507741300.0000022248B02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000006.00000002.2507741300.0000022248B02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\SysWOW64\msiexec.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 BlobJump to behavior
Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\user.js
Source: C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\user.js
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: 1 Replication Through Removable Media; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Windows Management Instrumentation; 1 Command and Scripting Interpreter; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 12 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 122 Masquerading; 1 Modify Registry; 211 Disable or Modify Tools; 51 Virtualization/Sandbox Evasion; 12 Process Injection; 1 Install Root Certificate; 1 DLL Side-Loading; 1 File Deletion
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 Query Registry; 41 Security Software Discovery; 2 Process Discovery; 51 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 11 Peripheral Device Discovery; 2 File and Directory Discovery; 23 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 2 Browser Session Hijacking; 1 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: 1 Service Stop; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1560043 | Sample: Sage.Eb.eIDSign.Windows.Ins... | Startdate: 21/11/2024 | Architecture: WINDOWS | Score: 51

Source | Detection | Scanner | Label | Link
Sage.Eb.eIDSign.Windows.Installer.exe | 0% | ReversingLabs

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\MSIE8D5.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe | 0% | ReversingLabs
C:\Windows\Installer\MSI1AE.tmp | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://127.0.0.1:48080/UniSign//Tq | 0% | Avira URL Cloud | safe
https://127.0.0.1:48080/UniSign/ | 0% | Avira URL Cloud | safe
https://t0.ssl.ak.dynamic.tiles.virtua | 0% | Avira URL Cloud | safe
https://t0.s | 0% | Avira URL Cloud | safe
http://www.sage.comcaRemoveVRoots1ISCHECKFORPRODUCTUPDATESAllUsersApplicationUsersNoAgreeToLicenseCh | 0% | Avira URL Cloud | safe
https://t0.ssl.ak.dynamic | 0% | Avira URL Cloud | safe
https://t0.ssl.ak.dyn | 0% | Avira URL Cloud | safe
https://127.0.0.1 | 0% | Avira URL Cloud | safe
http://127.0.0.1:48081/UniSign/ | 0% | Avira URL Cloud | safe
https://t0.ssl.ak.dynamic.tiles.virtuha | 0% | Avira URL Cloud | safe
http://sv.symcb.co | 0% | Avira URL Cloud | safe
https://t0.ss | 0% | Avira URL Cloud | safe
https://d.sy | 0% | Avira URL Cloud | safe
http://saturn.installshield.com/is/prerequisites/Microsoft | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
                                                                        high
                                                                        http://www.newtonsoft.com/jsonschemaNewtonsoft.Json.dll.9.drfalse
                                                                          high
                                                                          https://plus.google.com/Sage.Eb.UniSign.PCL.dll.9.drfalse
                                                                            high
                                                                            https://t0.ssl.ak.dynsvchost.exe, 00000003.00000003.1367973454.000001DC18833000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1368902923.000001DC18836000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=svchost.exe, 00000003.00000002.1368998189.000001DC18844000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://127.0.0.1:48080/UniSign/Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2508602786.0000000001687000.00000004.00000800.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2505995436.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405684329.0000000002CFB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              https://dynamic.tsvchost.exe, 00000003.00000003.1367631321.000001DC18858000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://127.0.0.1Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1405684329.0000000002D3D000.00000004.00000800.00020000.00000000.sdmp, user.js0.17.dr, user.js.17.drfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://www.symauth.com/rpa00Sage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, Sage.Eb.eIDSign.Windows.Installer.exe, Sage.Eb.UniSign.Wi_37336D9213AE4656967C642667C0FAB6.exe.9.dr, Sage.Eb.UniSign.PCL.dll.9.dr, Newtonsoft.Json.dll.9.dr, 46f826.msi.9.dr, 1033.MST.9.dr, Sage.Eb.eIDSign.Windows.msi0.1.dr, 46f829.msi.9.dr, 1033.MST.1.dr, Security.Cryptography.dll.9.dr, MSIF9FB.tmp.9.dr, 46f827.mst.9.dr, Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.9.dr, ARPPRODUCTICON.exe.9.dr, Sage.Eb.eIDSign.Windows.Installer.exe.0.dr, Sage.Eb.eIDSign.Windows.msi.1.dr, crypto.dll.9.dr, 1033.MST0.1.dr, MSIE8D5.tmp.8.dr, Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll.9.drfalse
                                                                                  high
                                                                                  https://dev.virtualearth.net/REST/v1/Routes/Transitsvchost.exe, 00000003.00000003.1367631321.000001DC18858000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://t0.ssl.ak.tiles.virtualearth.net/tiles/gensvchost.exe, 00000003.00000003.1367631321.000001DC18858000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=svchost.exe, 00000003.00000002.1369081136.000001DC18859000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1367631321.000001DC18858000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://127.0.0.1:48081/UniSign/Sage.Eb.UniSign.Windows.exe, 0000000C.00000002.2508602786.0000000001687000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=svchost.exe, 00000003.00000003.1367433947.000001DC18862000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://sv.symcb.coSage.Eb.UniSign.Windows.exe, 00000011.00000002.1404057269.0000000000D07000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/svchost.exe, 00000003.00000003.1367919916.000001DC18841000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1368998189.000001DC1884B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://dev.ditu.live.com/REST/v1/Locationssvchost.exe, 00000003.00000003.1367631321.000001DC18858000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://www.sage.com46f828.rbs.9.drfalse
                                                                                                high
                                                                                                https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 00000003.00000002.1369165371.000001DC18881000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 00000003.00000003.1367919916.000001DC18841000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1368998189.000001DC1884B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1367433947.000001DC18862000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    No contacted IP infos
                                                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                                                    Analysis ID:1560043
                                                                                                    Start date and time:2024-11-21 10:42:39 +01:00
                                                                                                    Joe Sandbox product:CloudBasic
                                                                                                    Overall analysis duration:0h 6m 0s
                                                                                                    Hypervisor based Inspection enabled:false
                                                                                                    Report type:full
                                                                                                    Cookbook file name:defaultwindowsinteractivecookbook.jbs
                                                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                    Number of analysed new started processes analysed:24
                                                                                                    Number of new started drivers analysed:0
                                                                                                    Number of existing processes analysed:0
                                                                                                    Number of existing drivers analysed:0
                                                                                                    Number of injected processes analysed:0
                                                                                                    Technologies:
                                                                                                    • EGA enabled
                                                                                                    • AMSI enabled
                                                                                                    Analysis Mode:default
                                                                                                    Analysis stop reason:Timeout
                                                                                                    Sample name:Sage.Eb.eIDSign.Windows.Installer.exe
                                                                                                    Detection:MAL
                                                                                                    Classification:mal51.phis.spyw.evad.winEXE@27/64@0/0
                                                                                                    Cookbook Comments:
                                                                                                    • Found application associated with file extension: .exe
                                                                                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                    • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                    • VT rate limit hit for: Sage.Eb.eIDSign.Windows.Installer.exe
Time | Type | Description
04:44:14 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):13105
                                                                                                    Entropy (8bit):5.820799841485841
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:KDB1W57iG3AeQNdlQsGIGvNdlQsGI1BxSp6dTTdWjdE+sYdlgdu:KZnNPGDNPGwxSp6dTYjWsgw
                                                                                                    MD5:EC79843F0199C1FD158DB55727AC62B9
                                                                                                    SHA1:43B0BA455D62A6E58129383C597DE9EA1FD9FF00
                                                                                                    SHA-256:62B7CAF035A65868A11D9AACC7E3E5B40E5B68A530FB596097CDB701DF0269A0
                                                                                                    SHA-512:D1BCBAE6D89E736EAFE360AC7CCF1F356B1170A38464D5EB5B66DB07A691169F7ED5644A342020D77CADA5AEBE55AEEF18E4023873C780E8744356880176CB5D
                                                                                                    Malicious:false
                                                                                                    Preview:...@IXOS.@.....@l%uY.@.....@.....@.....@.....@.....@......&.{9F90421B-05FE-4A89-802E-B4C70995335E}..Sage.Eb.eIDSign.Windows..Sage.Eb.eIDSign.Windows.msi.@.....@d....@.....@......ARPPRODUCTICON.exe..&.{B567D723-533A-4254-ABAB-0B467014446B}.....@.....@.....@.....@.......@.....@.....@.......@......Sage.Eb.eIDSign.Windows......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{15E91DFE-7F0C-4482-8E5C-0A34C86440A4}&.{9F90421B-05FE-4A89-802E-B4C70995335E}.@......&.{0FFA3691-D8F4-42B3-A394-695571A730CB}&.{9F90421B-05FE-4A89-802E-B4C70995335E}.@......&.{3822BA65-FD66-444D-AC60-006E2115D8E6}&.{9F90421B-05FE-4A89-802E-B4C70995335E}.@......&.{36800176-08C9-4EC3-A7D5-DC0F3049CE59}&.{9F90421B-05FE-4A89-802E-B4C70995335E}.@......&.{3BE4FAED-CCB8-4361-B090-B651F0E25755}&.{9F90421B-05FE-4A89-802E-B4C70995335E}.@......&.{93EDB208-CC90-414C-9922-638B530D689B}&.{9F90421B-05FE-4A89-802E-B4C70995335E}.@......&.{5A
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):573
                                                                                                    Entropy (8bit):5.350455796541954
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:EgFBgaN8MuIu849ijXj//j/urfN+YVjhXYoI3XZl:tBg+49ijjznYV1NInZl
                                                                                                    MD5:E4655F8A8AA2A1F8ADDFAA7EB78D2C71
                                                                                                    SHA1:75415A257EF1B534AD7B7DD31ED559E8A1241763
                                                                                                    SHA-256:D77A6C5AA76BBEEB0BDA9D51BAF26B40C0122CE472ED9507C6D83BDECB1EF67D
                                                                                                    SHA-512:3494E647865BCA003A8D6D672A64CE6FD9AA5F459F442A4BCCB6701A6D54A74495BC01F531EA277EEFC72A8A7A23A8E70BA3897F6B315072C4D3708AF355A048
                                                                                                    Malicious:false
                                                                                                    Preview:...@IXOS.@.....@m%uY.@.....@.....@.....@.....@.....@......&.{9F90421B-05FE-4A89-802E-B4C70995335E}..Sage.Eb.eIDSign.Windows..Sage.Eb.eIDSign.Windows.msi.@.....@d....@.....@......ARPPRODUCTICON.exe..&.{B567D723-533A-4254-ABAB-0B467014446B}.....@.....@.....@.....@.......@.....@.....@.......@......Sage.Eb.eIDSign.Windows......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....InstallFinalize$..@....@.Software\Microsoft\Windows\CurrentVersion\Installer\TempPackages...@....(.&...C:\Windows\Installer\46f827.mst..#0...@.....@.....@....
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):162792
                                                                                                    Entropy (8bit):6.064632301486864
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:hV7Uuhwv/apbC9vLBc2Tgy5isJ9hQlINH7Ltu/oe:75o/apbkvLXgkr7p7Ze
                                                                                                    MD5:947828C310A73DD100EA436E970411BE
                                                                                                    SHA1:DD31DF78350B5AD819F2AF3BD498E1B7D72364ED
                                                                                                    SHA-256:F234C245BF5A73116195F1961D7630A60383C62F58CF726128D24A86B1C282AB
                                                                                                    SHA-512:36A28182CDB4E8E7195D3E7FFADBADAF8CF72A164C814125B40284A5C685FE19E715011126DD1B065BEEA31F439CCD1CEADED8305F0F363ECBF427FD72314CD0
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):114176
                                                                                                    Entropy (8bit):5.988660987603693
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:fs4buSHi/yEE2zaA0Jje66DYu6AVdb4TrjkAsczpfum4VwCbG28TOmnIW0gFVX:f1w/PcJfu74T5pfuzwCF8l0o1
                                                                                                    MD5:47C23D24C73824A2DA928D126168E476
                                                                                                    SHA1:7E31DBDC15D077D1D94C25BCEA842FE92ADCE61D
                                                                                                    SHA-256:72FB5C7DF39DCE95DB1313B4D84BF8FB7AACF32D1D26BF448C962A2E71EB10C1
                                                                                                    SHA-512:85F1BC6BEC5074412BADEB180013249F66F3D5BC0DE18EA85FB0A2AEAAE9FD85BE3F629D4EB19104CFBA04E56038D4863F9851E33D34E6502D1751E1BCA13C66
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):529328
                                                                                                    Entropy (8bit):5.870856736649808
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:J5EkBxq1zzeUy5vFuB0PGA4ehKnKLCRWsNfcDV2HjVnDPAZ6KIXqBW8YaBmBFArQ:bx/uB0RKOBD6BZVzl
                                                                                                    MD5:0098DB0CB2B8EE9C20D8669CD126D179
                                                                                                    SHA1:8C9F832E3DC9935568CE3A09917596ED9DDE7062
                                                                                                    SHA-256:A862744AD59CD768B8729D5A38811093D8F05ED59987FE58AC31E85B4E2ACDB8
                                                                                                    SHA-512:D45B66963B7B822341C4EF8C601E891969AA31A93138D506B2A7191A5B59B60D7D1971BAB0A19B54490568B71A8EF6FBB289988D5D4F7A859A945DA562D41C40
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):70584
                                                                                                    Entropy (8bit):5.875115680768748
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:dbKxEMn06mkTqDwGNdB5oL/dkvsv0d/L6VOYzcpA+AC5x6DudR/VIsqogFhYhA:9aEckk+DwyXo5y609L6ql5KudRBFgFV
                                                                                                    MD5:7C26ACBBA493C9C7A8C9C897A6B62D83
                                                                                                    SHA1:05BC8E652D12074343C0EAF523CF6A756A8A94AC
                                                                                                    SHA-256:FE33AEFC826D0ADD080C761043636A7D15A7D5C0962006F458BF0E73027CD86B
                                                                                                    SHA-512:E9046003FE6975E4DC67A6145C6E55AFAFA6908C95E906837371DBB5339E41A7652361E0C246C993A7D162B0FE115393813FBE6EBB7D9DD46D11ABF6EA777774
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):19984
                                                                                                    Entropy (8bit):5.492254242064505
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:Vt33pLfcahg5W1x8/FuqEVrX9UpiqPbYJD4VPtDPzxTVzy5orMkTS1cbwU3SxBZc:RfvnxBUvS8VPdLxTVzySrMgFt3Ih
                                                                                                    MD5:E850533BE2259BB16B6DD8B5F5678172
                                                                                                    SHA1:248B8855F6E6BF7A4708E5C60036542E5256C11C
                                                                                                    SHA-256:DE1E1E6F1F6C5648C211C2ED360F915B95C190D79FBB6113A5681F09AB59F95E
                                                                                                    SHA-512:6BC40A1AFB253681A0BE7D7D5FB6956C0E543B444A5441DBD33EB083EF3B506BEFE6B72B1B3758686A0265D3EB850612CE0780019B986919C5D0549B61847469
                                                                                                    Malicious:false
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...d..b...........!.........(......."... ...@....... .............................../....@.................................."..K....@...%............... ........................................................... ............... ..H............text........ ...................... ..`.rsrc....%...@...&..................@..@.reloc...............,..............@..B................."......H.......P ..P...........................................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......<...#Blob.....................%3............................................r.R.....R...........................................................................I........<Module>.Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll.mscorlib.System.Runtime.CompilerServices.CompilationRelaxationsAttribut
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:ASCII text, with very long lines (493), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):15161
                                                                                                    Entropy (8bit):4.983065142168511
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:pm52Vld8jbvWb1T+mWgQmCmBeeYxT25De1mmflsodFvzz12kaGqE4ugWOcPRmzSo:QsibI8mmfT5PRmmBoCorcyP7o0PCtwCk
                                                                                                    MD5:757A04A40753463A876D471A99AFA6C1
                                                                                                    SHA1:0470F2363D48F4D78D9B610099D90D11C4239210
                                                                                                    SHA-256:F257D132FDDE453827EA6ED9C109CCF27677BF59E4AAA47A3D690E75986242A1
                                                                                                    SHA-512:132C6FEC8B76CB2BE32CD950EEDECA086CA5C85EE0824E9037932FE93859834E3555E71FD8D84DC24A70BF59B7FB4FBF72A21DC43010324C8B11D67298BFE953
                                                                                                    Malicious:false
                                                                                                    Preview:<instrumentationManifest xmlns="http://schemas.microsoft.com/win/2004/08/events">.. <instrumentation xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events">.. <events xmlns="http://schemas.microsoft.com/win/2004/08/events">..<provider name="Sage-Eb-UniSignWindows" guid="{59a5d327-553f-5b27-9a3b-89b17532dd9d}" resourceFileName="C:\Builds\eIDSign\Ebanking\eIDSign.Current\eIDSign\Current\Src\NativeServices\NSUniSignWindows\bin\Release\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll" messageFileName="C:\Builds\eIDSign\Ebanking\eIDSign.Current\eIDSign\Current\Src\NativeServices\NSUniSignWindows\bin\Release\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll" symbol="SageEbUniSignWindows">.. <channels>.. <channel chid="Admin" name="Sage-Eb-UniSignWindows/Admin" value="16" type="Admin" enabled="true"/>.. <channel chid="Debug" name="Sage-Eb-UniSignWindow
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):178624
                                                                                                    Entropy (8bit):6.1497572533017175
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:RCNmDA+hdmV9tg9SzdOX4cov9P2IDIfg9iKQxM/NDes6eudZtjoe:xhdytbOX4csBkfg9iK567
                                                                                                    MD5:8A78B781926C098346364AF319B07300
                                                                                                    SHA1:D7CAD3F6386E4EFF1303FBAD8E189DB85CD5C27A
                                                                                                    SHA-256:0DFFE53A53BAF975C4E1D499C5A598E297A885E9E5CF4ADB802C27F332078770
                                                                                                    SHA-512:072B25F9B47FAF8E1C030D21A891930AB026982A1BA2085797A76EDD5D28F986B2C967036CA11AB405F12EDB8224779287CF2E00FD74024B7A12135AC9C4BFA3
                                                                                                    Malicious:true
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):463
                                                                                                    Entropy (8bit):4.894531448660677
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:MMHdGcOXrfx2p/7eUbayQlf+GPmyQlYV+GP5Nl/X+m3xT:JdbpRayjyh
                                                                                                    MD5:FF107A30701263E553CA2F03C77D74DC
                                                                                                    SHA1:628582A8F44DDB39195DE9F94DB6838BDC246AC0
                                                                                                    SHA-256:34F220AFD9575F0EF5F4B6A0949652CF2B75C8DE786728FE7A039F3AF9157297
                                                                                                    SHA-512:EEF91DE3F7AABD7310B611035FFEC5F2556125400193AC890401447F7581E7935A7B94BA0D9FC8ADD5F061FF6F4A16520134C056015354F2CB1A0311292F0325
                                                                                                    Malicious:true
                                                                                                    Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <appSettings>.. <add key="UseSecureChannel" value="true" />.. <add key="SecureChannelCertificateName" value="" />.. <add key="DefaultAuthScheme" value="Ntlm" />.. <add key="EdgeBrowserSupport" value="true" />.. <add key="AuthCorsOriginSupport" value="false" />.. <add key="AuthCorsOriginList" value="" />.. <add key="UseFirefox" value="true" />.. </appSettings>..</configuration>
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):105408
                                                                                                    Entropy (8bit):6.105521617548838
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:kgpIXK5cdud5U4dZFJvtYXFijAtbdxpV7hoot:xHR5UldxP5
                                                                                                    MD5:7F484EED8E8684364430EFFC0DF261AB
                                                                                                    SHA1:9CB3FCA6868797BB8F95E323303B2B4C34416B36
                                                                                                    SHA-256:BFA1DAC94DCDF832FEFFD5022817DA7D7DB0D96B50EE07FECA4299531C139232
                                                                                                    SHA-512:8BDC13D4C5F3FD3FD08925E20B86A478FE59939141E2DE13EFF862C4BCDAB5A7D23C06E23AEE862E877BB65B7A8E5ED7816E9385BEE0EFD82E7E4922956F58C1
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):2080672
                                                                                                    Entropy (8bit):5.94116445536694
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:49152:K8PdXoftY6Th9DSJs2HXTUbEcjAmZ0331HTkHw1dhRaslh:RXoFPTh9DSlodih
                                                                                                    MD5:5B84DE8B9B5D25E4AC038E370F31D3D4
                                                                                                    SHA1:A5FEE7F9FEE31E3B9BE4A81E489734B49214897D
                                                                                                    SHA-256:6135D56154CDCE6736D29CAE4EA34EB7257522FCC79677857F9FB328784101D3
                                                                                                    SHA-512:962985AEF2521B484025AD583AEFDEFA63862691317614CF9962385D769D7E30F4EDFF752F8298B17E766AC29C8A32F3DE035C0B20DC110452229ADB22E9D048
                                                                                                    Malicious:false
                                                                                                    Process:C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe
                                                                                                    File Type:Certificate, Version=3
                                                                                                    Category:dropped
                                                                                                    Size (bytes):879
                                                                                                    Entropy (8bit):7.380706488586262
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:9hStgbduQDPXgbs7HFxOHjN7UgBFtAyHhgmzfSEErMptK9q0sYq9dj0n:PStgbdFgbs7HFynztAG7aVsw
                                                                                                    MD5:BAA7F8400041A0C0D15C3A286B60756F
                                                                                                    SHA1:A90B05DEF62436E8FD05D53CE1B2CB74ABE8E9FF
                                                                                                    SHA-256:7C96A81C0706E86837132F6C855EAA879E6FC30E7F50228A0528570B77BD0475
                                                                                                    SHA-512:794E5D28660826595AEDC7B57F7FB68D6D84AD482F591440D359A8B3286E836EFC9318E9BB1D6DF7BC7D7407360D3ECF43D68FA8C80B13138863351D54546F0E
                                                                                                    Malicious:false
                                                                                                    Preview:0..k0..S.............1..p......0...*.H........0?1.0...U....SageeIDSignCA1.0...U....UniSign1.0...U....SageFrance0...241120094325Z..291121094325Z0?1.0...U....SageeIDSignCA1.0...U....UniSign1.0...U....SageFrance0.."0...*.H.............0.........b.]e..V...;..(.q..TU..a4B...4H.....=Rk.. ...hVd.&.GP.Q.$.>.y`O..Oe.-.K.v.r...k+..".....A.....^.....f..".KE..gQ..z...)q...n1S.V.of...6....C~.....D....\....qD\y.z\Z .....b.O../....Gy~.!.R`Y..N..Y.....%...[.Rq..u.gl..n2.r6.>..[.U..W..Z...J-..p.........c0a0...U...........0...U.......0....0...U.#..0...../.._..Y|M.W.p$0...U......../.._..Y|M.W.p$0...*.H..............'.f....H.t..%u.....].H..F1j....u.......B$.1{kc......p.K.M..Q...s|..[...b...Lt..>.05I6...."..,.Y.V.........ax.8tD..e.u.....o.!70v...C.."..QT..s..:..1.Or.h>.j.....x.%z..V...."H(.<C..I..C0./k......+..2C.."Q\A.......Wu|.i..Q.>.=......;...._....3.
                                                                                                    Process:C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):2224
                                                                                                    Entropy (8bit):7.631584530161706
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:nii40BjUIJjg8erSrobtqwDBVQsOZH1IMvIJTh7:nih0BjhVgNSro5g3+b7
                                                                                                    MD5:DA3F4B0F6D6628E06F481565A3CB12EF
                                                                                                    SHA1:CFB79597782900D1C3531AFEE9F40BD35EB79715
                                                                                                    SHA-256:C533CFBD4BB51DE0C9F8CBB6059F14E01D71ED5E6FCA066E3B374D97A62B45E9
                                                                                                    SHA-512:3387D2C7D1F2CD89E5DA7C4FF2A4ACA3CAA70F011E05756E625A9EAC1BAD6421F8CE41C0520379E4ABB10131E4621F46EE34A5C571D96FD5FF21F0390F7B42A9
                                                                                                    Malicious:false
                                                                                                    Preview:........................P...............SageeIDSign.....................RSA1.................D.a..:d..._5.,.....x...|^U...#d..zq'.!..3.O.KM..,..-..w.[3..j...l(....(El.cR.....K...Rtm.x..H.....uAj...R....IL.D.....q.F=.2i.+...=.....4....y...sL..uY.z#ZW......D>z./.%b..p[...,^T.....H._...A.........5[......^..../....Lhx.tcYX._.Ol.f......................z..O......lc.&..6I.0...1".....,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ...V#P.x..#.eF..3*6...K...k.@.W............... .........F +u.6j|6..9.7(O.?..=~.P....q$.v9.z).wh.../.d.w.....5MH.......[..S`D.U@....}i....`.\.....h..p..UI..8U..)N.i?8S0 ...x..Q..(.{z.i...`..S.&.'....F..`@F....&.....f....%.:...Bg.........KC...7.......Z~fT.........\.T\.f.a.....-.....w.E.I..X.......i..........\(xi(.ZKYh.#R..W....FA.TpX~......bfS..XE...0....OS...1..R.b^....R-.....?.$.T........mHS.2..0@.R.)w...#....b.l.s.-D.)4x*.A.o.6h.H.;..G*.&....I .c.#Tv...[.._..e..63...H......c.{)@ ..._...rE.b..b.C\..[...1s.0.../T.
                                                                                                    Process:C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1456
                                                                                                    Entropy (8bit):0.0
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3::
                                                                                                    MD5:06AF37DAC237DA1F1B8DA95A9CDC1328
                                                                                                    SHA1:17F9213FBB42D3AA38FDCEBF51BCD4AA2DD4402D
                                                                                                    SHA-256:F42AC9F0D388A01081157FA77EE261A09B07C7B8284187E7D1FD477880B92C45
                                                                                                    SHA-512:897166B1FBCCC52C7A3E34A709A441C56498BE0B5FAD5F8E78141F4DFE283036644C4EFB0D8D85193D04A1BF29F9C70C9C2C6F6227E388F14BDFA19A95C80B3E
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
                                                                                                    Category:dropped
                                                                                                    Size (bytes):2815
                                                                                                    Entropy (8bit):2.8620810863791006
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:85sX7ZXbJkHu58MMCjBbJku58MMC+dxqIO5BbJku58MMCd7SUhJWBbJku58MMC:85srZXbyORMcBbPRMqT5BbPRM+JWBbPK
                                                                                                    MD5:D6102BA4A5D829846BC060BFFE36AB5C
                                                                                                    SHA1:2777CE592B7962CBD56B28A17093BFD4D7DE1CBC
                                                                                                    SHA-256:5B9D997EDE742C00B12ED5DEE640CF3C77B415AB82B570ADF358F9D48E38EB18
                                                                                                    SHA-512:25075E57724C242733BD3C2B0F3A283FF3081ACFB6D2758C1708133C6933FCF8DEFE6105B4C4FA0F799ECFFFFFDE035683351797141740AAD70AE08F494B2AB4
                                                                                                    Malicious:false
                                                                                                    Preview:L..................F.P......................................................3....P.O. .:i.....+00.../C:\...................V.1.....uYeM..Windows.@......OwHuYeM....3.........................W.i.n.d.o.w.s.....\.1.....uYlM..Installer.D......O.IuYlM..........................I.N.I.n.s.t.a.l.l.e.r.......1.....uYlM..{9F904~1..~......uYlMuYlM....=.....................I.N.{.9.F.9.0.4.2.1.B.-.0.5.F.E.-.4.A.8.9.-.8.0.2.E.-.B.4.C.7.0.9.9.5.3.3.5.E.}.......2.....uYlM!.SAGEEB~1.EXE.........uYlMuYlM....?......................zL.S.a.g.e...E.b...U.n.i.S.i.g.n...W.i._.3.7.3.3.6.D.9.2.1.3.A.E.4.6.5.6.9.6.7.C.6.4.2.6.6.7.C.0.F.A.B.6...e.x.e.............\.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.9.F.9.0.4.2.1.B.-.0.5.F.E.-.4.A.8.9.-.8.0.2.E.-.B.4.C.7.0.9.9.5.3.3.5.E.}.\.S.a.g.e...E.b...U.n.i.S.i.g.n...W.i._.3.7.3.3.6.D.9.2.1.3.A.E.4.6.5.6.9.6.7.C.6.4.2.6.6.7.C.0.F.A.B.6...e.x.e.$.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.S.a.g.e.\.e.I.D.S.i.g.n.\...N.o.S.e.r.v.i.c
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe
                                                                                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Installation Database, Subject: Blank Project Template, Author: Sage, Keywords: Installer,MSI,Database, Comments: Contact: Your local administrator, Create Time/Date: Tue Feb 8 17:38:06 2022, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Security: 1, Template: Intel;0,1033,1036,1034, Last Saved By: Intel;1033, Revision Number: {9F90421B-05FE-4A89-802E-B4C70995335E}2.0.100.25;{9F90421B-05FE-4A89-802E-B4C70995335E}2.0.100.25;{75C82E09-EB7C-4612-8FAD-E0B8438B7465}, Number of Pages: 405, Number of Characters: 1
                                                                                                    Category:dropped
                                                                                                    Size (bytes):28672
                                                                                                    Entropy (8bit):3.806858610117486
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:vy+ywR2G66T0scKLTTRyp1uDnWMeElfC9zljFYqy83JUfhdyEi7ZHeE2fa:vy02rkTS1cbwaq9BZHUa
                                                                                                    MD5:52CF12F6B1F34366D694B8B6A43BDA11
                                                                                                    SHA1:4FAD14CC4C1BDCD0037AAADAFD686298703B2E27
                                                                                                    SHA-256:4F67C097F6A81621B030670E37D181775273B1298FD4177AD11EEAD8CFBE19E1
                                                                                                    SHA-512:67845A684A0B8471BEB35BD6A41AC5979E69B15E5272685318A3089742885E32503F6E988BE06CD9AC67435342830DA7F72DBE09C0E83B5F12E8015FBA3A40A5
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe
                                                                                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Blank Project Template, Author: Sage, Security: 1, Number of Pages: 405, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Tue Feb 8 17:38:05 2022, Create Time/Date: Tue Feb 8 17:38:05 2022, Last Printed: Tue Feb 8 17:38:05 2022, Revision Number: {B567D723-533A-4254-ABAB-0B467014446B}, Code page: 0, Template: Intel;0,1033,1036,1034
                                                                                                    Category:dropped
                                                                                                    Size (bytes):2143232
                                                                                                    Entropy (8bit):7.489754983454214
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:49152:J36po9md6YyZJUptQ3TiHKYGR20dkvUVF+JPe6mKwndo:spo1YyZyD06QFW
                                                                                                    MD5:48434529CD823B4226D8D108EF7D9C3B
                                                                                                    SHA1:5533519B1567D06D1E894DA237F30B886FE197FB
                                                                                                    SHA-256:5D8FB50B83E1FB3BE414C177B41CFEF8870AF03958A18E4F683C75346D40E2E5
                                                                                                    SHA-512:9401CD6ADF3A2B7A4CE0A9E950503094F28054F7BC2E30D67AC720DFB15805CFB07C345EF4EFDC8BA156D05DE8E951C42F5375634FB8EE4EBE2B7E3BE4C0EC74
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with very long lines (326), with CRLF, LF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):341012
                                                                                                    Entropy (8bit):3.8151761287354202
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:3EZoFXTG+xL4C0rQJRxCRubKS8XkssjHv8em4YoyLYsrNkK+6qyamFyFHdjAi7RQ:3qaMjHWdYr4sUpQqv/hIjOjvsw+
                                                                                                    MD5:2C4DF289418B06F25D4AB960A9C99D52
                                                                                                    SHA1:A7993B3F53156D806B0F93A6C285F8558B035E26
                                                                                                    SHA-256:7B343049E567B4C880AB6FEA4CFAE268889DBA1561875B77EDB3064FF7CAB248
                                                                                                    SHA-512:3DA807A106529EF95D3474BFC42AEE476E569690F30D493CD6F2AF8FB2D53FD34BDBC56AA28012ECED5B1BE701D25EB015C394A7D4643B1261993A10E8E41DAB
                                                                                                    Malicious:false
                                                                                                    Preview:=== Verbose logging started: 21/11/2024  04:43:18  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\SysWOW64\MSIEXEC.EXE ===..MSI (c) (90:7C) [04:43:18:413]: Font created.  Charset: Req=0, Ret=0, Font: Req=MS Shell Dlg, Ret=MS Shell Dlg...MSI (c) (90:7C) [04:43:18:413]: Font created.  Charset: Req=0, Ret=0, Font: Req=MS Shell Dlg, Ret=MS Shell Dlg...MSI (c) (90:88) [04:43:18:445]: Resetting cached policy values..MSI (c) (90:88) [04:43:18:445]: Machine policy value 'Debug' is 
                                                                                                    Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):156928
                                                                                                    Entropy (8bit):6.026110732768864
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:jMDwFKjZflbbgcS6Kbd1g+GCnm0CxiPS7jJ2:jkjrbkcSPybH78
                                                                                                    MD5:A7B832F632A3C7F5317C17C095C97437
                                                                                                    SHA1:4233053B7FA9E17850545519570EE76FBB8B04DF
                                                                                                    SHA-256:3D42CFFE19C21D9E10778819EF7A664A135B1115F0284DBC3EB4B49740B3B4A1
                                                                                                    SHA-512:CB89F84D86C2EB5DBCECA24E55BB054CD899BA368543DC81F3162D113BB056BD65244414EFF8379114C07CCFA7C08D6BFDDA8213C45F9B0188D5DEA42113F540
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe
                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with very long lines (308), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):22490
                                                                                                    Entropy (8bit):3.484827950705229
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:CTmyuV//BiTbh/Y4AwC2WrP2DBWa/Oa0Mhs+XVgv:CT6V//BiXh/N/lWr0aa0Mhs+XVgv
                                                                                                    MD5:8586214463BD73E1C2716113E5BD3E13
                                                                                                    SHA1:F02E3A76FD177964A846D4AA0A23F738178DB2BE
                                                                                                    SHA-256:089D3068E42958DD2C0AEC668E5B7E57B7584ACA5C77132B1BCBE3A1DA33EF54
                                                                                                    SHA-512:309200F38D0E29C9AAA99BB6D95F4347F8A8C320EB65742E7C539246AD9B759608BD5151D1C5D1D05888979DAA38F2B6C3BF492588B212B583B8ADBE81FA161B
                                                                                                    Malicious:false
                                                                                                    Preview:[0x0409]..1100=Setup Initialization Error..1101=%s..1102=%1 Setup is preparing the %2, which will guide you through the program setup process.  Please wait...1103=Checking Operating System Version..1104=Checking Windows(R) Installer Version..1105=Configuring Windows Installer..1106=Configuring %s..1107=Setup has completed configuring the Windows Installer on your system. The system needs to be restarted in order to continue with the installation. Please click Restart to reboot the system...1108
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe
                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with very long lines (308), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):25138
                                                                                                    Entropy (8bit):3.4392695737049057
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:XqCTxiKLkmEq0w/2yOK8deU2K4/WaChA2ZwxD9VErXWlMHtDaMJVLr5:XqClLkmT4z4uaCC2axbYXWSHZaMJxr5
                                                                                                    MD5:E1FA2AFAB71A41C7BA7701383F38343D
                                                                                                    SHA1:64E16E4DCA78790FA4D584BEDE2E77E735687597
                                                                                                    SHA-256:ADA071BC2382D0532E19DBBF69DAC595E4631F8BAB5871E13CE9C8BB81E20436
                                                                                                    SHA-512:E5F06931DA21FCE802FE9ED24F7B573E08839F7AB4FC69173ACB230239EABF75F6518AE56804672F2EA3C742BA4496EAD1A0D6DC048B013872DEC6677FD469B8
                                                                                                    Malicious:false
                                                                                                    Preview:[0x040a]..1100=Error de inicio de instalación..1101=%s..1102=El programa de instalación %1 está preparando %2, que le guiará durante el resto del proceso de instalación.  Espere por favor...1103=Comprobando la versión del sistema operativo..1104=Comprobando la versión del instalador de Windows(R)..1105=Configurando el instalador de Windows..1106=Configurando %s..1107=El programa de instalación ha terminado de configurar el instalador de Windows en el sistema. El sistema se debe reiniciar para s
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe
                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with very long lines (317), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):26276
                                                                                                    Entropy (8bit):3.477275681438354
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:dadl9ggMLFghAYpI+JTz0bBQBWRGgG8fY8JfuqGWzjYN2D6UMYO1:dMXuGhAiUbBQcL68JfuqFjYN2DVa
                                                                                                    MD5:9EDFBC7234A778EFF06A16E8AD77A693
                                                                                                    SHA1:31EB6F889AF246F704EE477342478D7B825AC835
                                                                                                    SHA-256:93979696A6DAA7B0C51EB73EED5AFA1594A90615FD2D8BEEF08C659B1E596007
                                                                                                    SHA-512:B52082D5F77E55FD432074E591A98C7DB522DE71349955C3C5854064144F69BBA8F8DCC2CEEDA54A5DA978361D3A4423E0790DB55F87EEE88A15FF72F3B509DD
                                                                                                    Malicious:false
                                                                                                    Preview:[0x040c]..1100=Erreur lors de l'initialisation de l'installation..1101=%s..1102=L'installateur %1 prépare %2, lequel vous guidera pour l'installation du logiciel. Veuillez patienter...1103=Vérification de la version de système d'exploitation..1104=Vérification de la version de Windows(R) Installer..1105=Configuration de Windows(R) Installer..1106=Configuration d'%s..1107=L'installation a terminé la configuration de Windows Installer sur votre ordinateur. Pour pouvoir poursuivre l'installation, 
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe
                                                                                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Installation Database, Subject: Blank Project Template, Author: Sage, Keywords: Installer,MSI,Database, Comments: Contact: Your local administrator, Create Time/Date: Tue Feb 8 17:38:06 2022, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Security: 1, Template: Intel;0,1033,1036,1034, Last Saved By: Intel;1033, Revision Number: {9F90421B-05FE-4A89-802E-B4C70995335E}2.0.100.25;{9F90421B-05FE-4A89-802E-B4C70995335E}2.0.100.25;{75C82E09-EB7C-4612-8FAD-E0B8438B7465}, Number of Pages: 405, Number of Characters: 1
                                                                                                    Category:dropped
                                                                                                    Size (bytes):28672
                                                                                                    Entropy (8bit):3.806858610117486
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:vy+ywR2G66T0scKLTTRyp1uDnWMeElfC9zljFYqy83JUfhdyEi7ZHeE2fa:vy02rkTS1cbwaq9BZHUa
                                                                                                    MD5:52CF12F6B1F34366D694B8B6A43BDA11
                                                                                                    SHA1:4FAD14CC4C1BDCD0037AAADAFD686298703B2E27
                                                                                                    SHA-256:4F67C097F6A81621B030670E37D181775273B1298FD4177AD11EEAD8CFBE19E1
                                                                                                    SHA-512:67845A684A0B8471BEB35BD6A41AC5979E69B15E5272685318A3089742885E32503F6E988BE06CD9AC67435342830DA7F72DBE09C0E83B5F12E8015FBA3A40A5
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe
                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):2412
                                                                                                    Entropy (8bit):5.217629515334262
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:3gUIYKMntYrnErntbrnbrnqArnqfrnjernjdrnAlrnAmGkE+DBSkBTzoOYE7WtG:wrYKMn+rnErnRrnbrnqArnqfrnjernj+
                                                                                                    MD5:6FD9DB583E6B8E28049FC1C1B6A4ACB0
                                                                                                    SHA1:50ECE1A252D3EAA2E8B7264606221E04EC0B85BD
                                                                                                    SHA-256:5CEF6C564E81946D9C7D162A8B3A7D8B7FBB33607E1A7506BD3B0576CA8267A5
                                                                                                    SHA-512:D64AD81F8EABB2B4B498E49AF4A89F464E401C25A6D4C508105AD736A80E7C026C2E95B6A4E106453C45B4E3A2716C5B0F7B849B3A018B88AD6E3B016A21676D
                                                                                                    Malicious:false
                                                                                                    Preview:.<?xml version="1.0" encoding="utf-8"?>..<SetupPrereq>.. <conditions>.. <condition Type="2" Comparison="2" Path="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" FileName="Release" ReturnValue="378389"></condition>.. </conditions>.. <operatingsystemconditions>.. <operatingsystemcondition MajorVersion="6" MinorVersion="0" PlatformId="2" CSDVersion="" Bits="1" ProductType="2|3"></operatingsystemcondition>.. <operatingsystemcondition MajorVersion="6" MinorVersion="1" PlatformId="2" CSDVersion="" Bits="1"></operatingsystemcondition>.. <operatingsystemcondition MajorVersion="6" MinorVersion="0" PlatformId="2" CSDVersion="" Bits="4" ProductType="2|3"></operatingsystemcondition>.. <operatingsystemcondition MajorVersion="6" MinorVersion="1" PlatformId="2" CSDVersion="" Bits="4"></operatingsystemcondition>.. <operatingsystemcondition MajorVersion="6" MinorVersion="2" PlatformId="2" CSDVersion="" Bits="1"></operatingsystemcondition>.. <operatingsys
                                                                                                    Process:C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):3287832
                                                                                                    Entropy (8bit):7.558121486719703
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:49152:/qUkZ9kqv1TfyK/llllNlU+ZrGUTCiTyT4sF5zkYJPVEuRVAlvIlB+EUtg:nkZCqvVfpjF+tkYJdlVkUEO
                                                                                                    MD5:CDAA0B967941FFFE97B0D508E696B938
                                                                                                    SHA1:3338C896C9416DC683D94696F6861AB28B0BB26F
                                                                                                    SHA-256:E01AEC5472B010BDCF84D65BDBEFF90E0C551558899F638D36DACE4261AE1D36
                                                                                                    SHA-512:E84BE42292383F3EACCEB666D63D5E4F5BEF80E29CD8CEDED482BD536F15186ACDCBE069453FC359991584A09E753F412F51A7082E23B45BCF5DFED992ABFC25
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Process:C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):26
                                                                                                    Entropy (8bit):3.95006375643621
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:ggPYV:rPYV
                                                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                    Malicious:false
                                                                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe
                                                                                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Blank Project Template, Author: Sage, Security: 1, Number of Pages: 405, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Tue Feb 8 17:38:05 2022, Create Time/Date: Tue Feb 8 17:38:05 2022, Last Printed: Tue Feb 8 17:38:05 2022, Revision Number: {B567D723-533A-4254-ABAB-0B467014446B}, Code page: 0, Template: Intel;0,1033,1036,1034
                                                                                                    Category:dropped
                                                                                                    Size (bytes):2143232
                                                                                                    Entropy (8bit):7.489754983454214
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:49152:J36po9md6YyZJUptQ3TiHKYGR20dkvUVF+JPe6mKwndo:spo1YyZyD06QFW
                                                                                                    MD5:48434529CD823B4226D8D108EF7D9C3B
                                                                                                    SHA1:5533519B1567D06D1E894DA237F30B886FE197FB
                                                                                                    SHA-256:5D8FB50B83E1FB3BE414C177B41CFEF8870AF03958A18E4F683C75346D40E2E5
                                                                                                    SHA-512:9401CD6ADF3A2B7A4CE0A9E950503094F28054F7BC2E30D67AC720DFB15805CFB07C345EF4EFDC8BA156D05DE8E951C42F5375634FB8EE4EBE2B7E3BE4C0EC74
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe
                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):5660
                                                                                                    Entropy (8bit):3.7301853416925272
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:rEhkMaEuK6Ob7EHQfzONNXsEbFWaEPRhS+gWPQPgWRGTwQbPrvnp6kY05w7tCYOS:YhcFOb7EHVcuQaEZhdxoIWRGcQbPr/pc
                                                                                                    MD5:301F6EB54567652EA4BDD7A77F6C0002
                                                                                                    SHA1:0EFC8D894788538194A775DF7A4172DCC86D262A
                                                                                                    SHA-256:E59DFD5B3E3A22D7E582F6325E669D2D2F85F43DB02271DE1E63FF30D5B0182E
                                                                                                    SHA-512:EDAE586E7A91E6B422B1D4AF44CBE9E44A30A447CAF42FB729CF7B0F1E08F4D60F6C5B6C609006E0ACFBB5A46184216FDEA0139FEA59356495547B340DBF562C
                                                                                                    Malicious:false
                                                                                                    Preview:..[.I.n.f.o.].....N.a.m.e.=.I.N.T.L.....V.e.r.s.i.o.n.=.1...0.0...0.0.0.....D.i.s.k.S.p.a.c.e.=.8.0.0.0...;.D.i.s.k.S.p.a.c.e. .r.e.q.u.i.r.e.m.e.n.t. .i.n. .K.B.........[.S.t.a.r.t.u.p.].....C.m.d.L.i.n.e.=.....S.u.p.p.r.e.s.s.W.r.o.n.g.O.S.=.Y.....S.c.r.i.p.t.D.r.i.v.e.n.=.0.....S.c.r.i.p.t.V.e.r.=.1...0...0...1.....D.o.t.N.e.t.O.p.t.i.o.n.a.l.I.n.s.t.a.l.l.I.f.S.i.l.e.n.t.=.N.....O.n.U.p.g.r.a.d.e.=.1.....P.r.o.d.u.c.t.=.S.a.g.e...E.b...e.I.D.S.i.g.n...W.i.n.d.o.w.s.....P.a.c.k.a.g.e.N.a.m.e.=.S.a.g.e...E.b...e.I.D.S.i.g.n...W.i.n.d.o.w.s...m.s.i.....E.n.a.b.l.e.L.a.n.g.D.l.g.=.N.....L.o.g.R.e.s.u.l.t.s.=.N.....D.o.M.a.i.n.t.e.n.a.n.c.e.=.N.....P.r.o.d.u.c.t.C.o.d.e.=.{.9.F.9.0.4.2.1.B.-.0.5.F.E.-.4.A.8.9.-.8.0.2.E.-.B.4.C.7.0.9.9.5.3.3.5.E.}.....P.r.o.d.u.c.t.V.e.r.s.i.o.n.=.2...0...1.0.0...2.5.....U.p.g.r.a.d.e.C.o.d.e.=.{.7.5.C.8.2.E.0.9.-.E.B.7.C.-.4.6.1.2.-.8.F.A.D.-.E.0.B.8.4.3.8.B.7.4.6.5.}.....L.a.u.n.c.h.e.r.N.a.m.e.=.S.a.g.e...E.b...e.I.D.S.i.g.n...W.i.n.d.o.w.s...I.n.s.t.
                                                                                                    Process:C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe
                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):20
                                                                                                    Entropy (8bit):2.8954618442383215
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Q+5lkrJ4l49:Q+s2l49
                                                                                                    MD5:DB9AF7503F195DF96593AC42D5519075
                                                                                                    SHA1:1B487531BAD10F77750B8A50ACA48593379E5F56
                                                                                                    SHA-256:0A33C5DFFABCF31A1F6802026E9E2EEF4B285E57FD79D52FDCD98D6502D14B13
                                                                                                    SHA-512:6839264E14576FE190260A4B82AFC11C88E50593A20113483851BF4ABFDB7CCA9986BEF83F4C6B8F98EF4D426F07024CF869E8AB393DF6D2B743B9B8E2544E1B
                                                                                                    Malicious:false
                                                                                                    Preview:..[.F.i.l.e.s.].....
                                                                                                    Process:C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe
                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):5660
                                                                                                    Entropy (8bit):3.7301853416925272
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:rEhkMaEuK6Ob7EHQfzONNXsEbFWaEPRhS+gWPQPgWRGTwQbPrvnp6kY05w7tCYOS:YhcFOb7EHVcuQaEZhdxoIWRGcQbPr/pc
                                                                                                    MD5:301F6EB54567652EA4BDD7A77F6C0002
                                                                                                    SHA1:0EFC8D894788538194A775DF7A4172DCC86D262A
                                                                                                    SHA-256:E59DFD5B3E3A22D7E582F6325E669D2D2F85F43DB02271DE1E63FF30D5B0182E
                                                                                                    SHA-512:EDAE586E7A91E6B422B1D4AF44CBE9E44A30A447CAF42FB729CF7B0F1E08F4D60F6C5B6C609006E0ACFBB5A46184216FDEA0139FEA59356495547B340DBF562C
                                                                                                    Malicious:false
                                                                                                    Preview:..[.I.n.f.o.].....N.a.m.e.=.I.N.T.L.....V.e.r.s.i.o.n.=.1...0.0...0.0.0.....D.i.s.k.S.p.a.c.e.=.8.0.0.0...;.D.i.s.k.S.p.a.c.e. .r.e.q.u.i.r.e.m.e.n.t. .i.n. .K.B.........[.S.t.a.r.t.u.p.].....C.m.d.L.i.n.e.=.....S.u.p.p.r.e.s.s.W.r.o.n.g.O.S.=.Y.....S.c.r.i.p.t.D.r.i.v.e.n.=.0.....S.c.r.i.p.t.V.e.r.=.1...0...0...1.....D.o.t.N.e.t.O.p.t.i.o.n.a.l.I.n.s.t.a.l.l.I.f.S.i.l.e.n.t.=.N.....O.n.U.p.g.r.a.d.e.=.1.....P.r.o.d.u.c.t.=.S.a.g.e...E.b...e.I.D.S.i.g.n...W.i.n.d.o.w.s.....P.a.c.k.a.g.e.N.a.m.e.=.S.a.g.e...E.b...e.I.D.S.i.g.n...W.i.n.d.o.w.s...m.s.i.....E.n.a.b.l.e.L.a.n.g.D.l.g.=.N.....L.o.g.R.e.s.u.l.t.s.=.N.....D.o.M.a.i.n.t.e.n.a.n.c.e.=.N.....P.r.o.d.u.c.t.C.o.d.e.=.{.9.F.9.0.4.2.1.B.-.0.5.F.E.-.4.A.8.9.-.8.0.2.E.-.B.4.C.7.0.9.9.5.3.3.5.E.}.....P.r.o.d.u.c.t.V.e.r.s.i.o.n.=.2...0...1.0.0...2.5.....U.p.g.r.a.d.e.C.o.d.e.=.{.7.5.C.8.2.E.0.9.-.E.B.7.C.-.4.6.1.2.-.8.F.A.D.-.E.0.B.8.4.3.8.B.7.4.6.5.}.....L.a.u.n.c.h.e.r.N.a.m.e.=.S.a.g.e...E.b...e.I.D.S.i.g.n...W.i.n.d.o.w.s...I.n.s.t.
                                                                                                    Process:C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe
                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                    Category:modified
                                                                                                    Size (bytes):5660
                                                                                                    Entropy (8bit):3.7301853416925272
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:rEhkMaEuK6Ob7EHQfzONNXsEbFWaEPRhS+gWPQPgWRGTwQbPrvnp6kY05w7tCYOS:YhcFOb7EHVcuQaEZhdxoIWRGcQbPr/pc
                                                                                                    MD5:301F6EB54567652EA4BDD7A77F6C0002
                                                                                                    SHA1:0EFC8D894788538194A775DF7A4172DCC86D262A
                                                                                                    SHA-256:E59DFD5B3E3A22D7E582F6325E669D2D2F85F43DB02271DE1E63FF30D5B0182E
                                                                                                    SHA-512:EDAE586E7A91E6B422B1D4AF44CBE9E44A30A447CAF42FB729CF7B0F1E08F4D60F6C5B6C609006E0ACFBB5A46184216FDEA0139FEA59356495547B340DBF562C
                                                                                                    Malicious:false
                                                                                                    Preview:..[.I.n.f.o.].....N.a.m.e.=.I.N.T.L.....V.e.r.s.i.o.n.=.1...0.0...0.0.0.....D.i.s.k.S.p.a.c.e.=.8.0.0.0...;.D.i.s.k.S.p.a.c.e. .r.e.q.u.i.r.e.m.e.n.t. .i.n. .K.B.........[.S.t.a.r.t.u.p.].....C.m.d.L.i.n.e.=.....S.u.p.p.r.e.s.s.W.r.o.n.g.O.S.=.Y.....S.c.r.i.p.t.D.r.i.v.e.n.=.0.....S.c.r.i.p.t.V.e.r.=.1...0...0...1.....D.o.t.N.e.t.O.p.t.i.o.n.a.l.I.n.s.t.a.l.l.I.f.S.i.l.e.n.t.=.N.....O.n.U.p.g.r.a.d.e.=.1.....P.r.o.d.u.c.t.=.S.a.g.e...E.b...e.I.D.S.i.g.n...W.i.n.d.o.w.s.....P.a.c.k.a.g.e.N.a.m.e.=.S.a.g.e...E.b...e.I.D.S.i.g.n...W.i.n.d.o.w.s...m.s.i.....E.n.a.b.l.e.L.a.n.g.D.l.g.=.N.....L.o.g.R.e.s.u.l.t.s.=.N.....D.o.M.a.i.n.t.e.n.a.n.c.e.=.N.....P.r.o.d.u.c.t.C.o.d.e.=.{.9.F.9.0.4.2.1.B.-.0.5.F.E.-.4.A.8.9.-.8.0.2.E.-.B.4.C.7.0.9.9.5.3.3.5.E.}.....P.r.o.d.u.c.t.V.e.r.s.i.o.n.=.2...0...1.0.0...2.5.....U.p.g.r.a.d.e.C.o.d.e.=.{.7.5.C.8.2.E.0.9.-.E.B.7.C.-.4.6.1.2.-.8.F.A.D.-.E.0.B.8.4.3.8.B.7.4.6.5.}.....L.a.u.n.c.h.e.r.N.a.m.e.=.S.a.g.e...E.b...e.I.D.S.i.g.n...W.i.n.d.o.w.s...I.n.s.t.
                                                                                                    Process:C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):134
                                                                                                    Entropy (8bit):4.734803801360367
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:DydRnAe+WA6nWZm9Wv4WMRvKXNMG28tjrmlf:wRnAe+WfWE9WwRvKXNW+vCf
                                                                                                    MD5:03C185516B2E371484856D49FFC1A009
                                                                                                    SHA1:19DDD84637444975A5E323129A47EA372552B8D7
                                                                                                    SHA-256:548970F2B80469223DC05EB231278A2B8EAF351A758685EE8BFBB5CECB97BA13
                                                                                                    SHA-512:D8DA21D549A2DCD14C862704ECFD6E64B2DCED303A8D3E89E7272AEAC7CC94ED496F3E74C14BC7069B2272C6431A2E3B321CF08127A44EAE724FAA10BA6CD799
                                                                                                    Malicious:true
                                                                                                    Preview:user_pref("security.enterprise_roots.enabled", "true");..user_pref("network.automatic-ntlm-auth.trusted-uris", "https://127.0.0.1");..
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Blank Project Template, Author: Sage, Security: 1, Number of Pages: 405, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Tue Feb 8 17:38:05 2022, Create Time/Date: Tue Feb 8 17:38:05 2022, Last Printed: Tue Feb 8 17:38:05 2022, Revision Number: {B567D723-533A-4254-ABAB-0B467014446B}, Code page: 0, Template: Intel;0,1033,1036,1034
                                                                                                    Category:dropped
                                                                                                    Size (bytes):2143232
                                                                                                    Entropy (8bit):7.489754983454214
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:49152:J36po9md6YyZJUptQ3TiHKYGR20dkvUVF+JPe6mKwndo:spo1YyZyD06QFW
                                                                                                    MD5:48434529CD823B4226D8D108EF7D9C3B
                                                                                                    SHA1:5533519B1567D06D1E894DA237F30B886FE197FB
                                                                                                    SHA-256:5D8FB50B83E1FB3BE414C177B41CFEF8870AF03958A18E4F683C75346D40E2E5
                                                                                                    SHA-512:9401CD6ADF3A2B7A4CE0A9E950503094F28054F7BC2E30D67AC720DFB15805CFB07C345EF4EFDC8BA156D05DE8E951C42F5375634FB8EE4EBE2B7E3BE4C0EC74
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Installation Database, Subject: Blank Project Template, Author: Sage, Keywords: Installer,MSI,Database, Comments: Contact: Your local administrator, Create Time/Date: Tue Feb 8 17:38:06 2022, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Security: 1, Template: Intel;0,1033,1036,1034, Last Saved By: Intel;1033, Revision Number: {9F90421B-05FE-4A89-802E-B4C70995335E}2.0.100.25;{9F90421B-05FE-4A89-802E-B4C70995335E}2.0.100.25;{75C82E09-EB7C-4612-8FAD-E0B8438B7465}, Number of Pages: 405, Number of Characters: 1
                                                                                                    Category:dropped
                                                                                                    Size (bytes):28672
                                                                                                    Entropy (8bit):3.806858610117486
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:vy+ywR2G66T0scKLTTRyp1uDnWMeElfC9zljFYqy83JUfhdyEi7ZHeE2fa:vy02rkTS1cbwaq9BZHUa
                                                                                                    MD5:52CF12F6B1F34366D694B8B6A43BDA11
                                                                                                    SHA1:4FAD14CC4C1BDCD0037AAADAFD686298703B2E27
                                                                                                    SHA-256:4F67C097F6A81621B030670E37D181775273B1298FD4177AD11EEAD8CFBE19E1
                                                                                                    SHA-512:67845A684A0B8471BEB35BD6A41AC5979E69B15E5272685318A3089742885E32503F6E988BE06CD9AC67435342830DA7F72DBE09C0E83B5F12E8015FBA3A40A5
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Blank Project Template, Author: Sage, Security: 1, Number of Pages: 405, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Tue Feb 8 17:38:05 2022, Create Time/Date: Tue Feb 8 17:38:05 2022, Last Printed: Tue Feb 8 17:38:05 2022, Revision Number: {B567D723-533A-4254-ABAB-0B467014446B}, Code page: 0, Template: Intel;0,1033,1036,1034
                                                                                                    Category:dropped
                                                                                                    Size (bytes):2143232
                                                                                                    Entropy (8bit):7.489754983454214
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:49152:J36po9md6YyZJUptQ3TiHKYGR20dkvUVF+JPe6mKwndo:spo1YyZyD06QFW
                                                                                                    MD5:48434529CD823B4226D8D108EF7D9C3B
                                                                                                    SHA1:5533519B1567D06D1E894DA237F30B886FE197FB
                                                                                                    SHA-256:5D8FB50B83E1FB3BE414C177B41CFEF8870AF03958A18E4F683C75346D40E2E5
                                                                                                    SHA-512:9401CD6ADF3A2B7A4CE0A9E950503094F28054F7BC2E30D67AC720DFB15805CFB07C345EF4EFDC8BA156D05DE8E951C42F5375634FB8EE4EBE2B7E3BE4C0EC74
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):505
                                                                                                    Entropy (8bit):5.216044190319583
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:EgUBgaN8MuIu849ijXj//j/urfNEhx0X4:cBg+49ijjzp3u4
                                                                                                    MD5:EA2D01849536326F6BA5C94C762AA26F
                                                                                                    SHA1:19FECD1B13075C9CE8F2F09CD9C9313C4EF114BA
                                                                                                    SHA-256:6C684FDFF7650422651B88142A41C44848ACAC1ADABF848F498CED0E3AACEA58
                                                                                                    SHA-512:4D6F9264330AAA70E6A9A87B7B00D5425874FC8E06A81DF7F1EC060521C60ABB82225224FC64C84EB50B9950D6F54C3E54C43A261BA72FFC49C0FF4BCECB5A67
                                                                                                    Malicious:false
                                                                                                    Preview:...@IXOS.@.....@m%uY.@.....@.....@.....@.....@.....@......&.{9F90421B-05FE-4A89-802E-B4C70995335E}..Sage.Eb.eIDSign.Windows..Sage.Eb.eIDSign.Windows.msi.@.....@d....@.....@......ARPPRODUCTICON.exe..&.{B567D723-533A-4254-ABAB-0B467014446B}.....@.....@.....@.....@.......@.....@.....@.......@......Sage.Eb.eIDSign.Windows......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........InstallFinalize........C:\Windows\Installer\46f827.mst...@.....@.....@....
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                    Category:modified
                                                                                                    Size (bytes):177664
                                                                                                    Entropy (8bit):6.447510800981917
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:+nBogny/ccewDuHWdR7oLlqsX4N1jrQawDg2aHBMJKjrb/TTf4eI:+nBogny/ccewSqz/rb/Ti
                                                                                                    MD5:4967093B32BDDABA9193360A1EF3F649
                                                                                                    SHA1:45FB0397FAA6A7D26AF1F212697AB0F955F3F8FC
                                                                                                    SHA-256:27A835C4F4C7B44482F991FE82B7163D32FDB4A4B01C9FCF31724789F5017309
                                                                                                    SHA-512:6BACD7E79D15727D4DBC0CBC42879BF57803ED4C7AD691EA02755F06455FB3F4663703628DDBFD396BD17857559912D26752D0455A0A0A233841A2F2BE05682C
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):143234
                                                                                                    Entropy (8bit):4.796480902184677
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:H1U81cYVAJgFPr1U81cYVAJgF0t4cgFrAC:Vjc8ooZjc8oo64corAC
                                                                                                    MD5:CA712ACD71A0751B91136D7CCA490C7E
                                                                                                    SHA1:9BCDBDA3BAF836C8DB3CD08EB19EF4E0028A5B7E
                                                                                                    SHA-256:38841822B2F74D06144DD8F9B5CA9A41127776200529E55C13C3F766D4C42697
                                                                                                    SHA-512:0EDBF907765806CBD66B2C960617CD091A76B366A96003B85D6F63F9BB0B2C1566689B71536C14F123362638C52E8B92E3765E67481A077AACC7901B3C70ED54
                                                                                                    Malicious:false
                                                                                                    Preview:...@IXOS.@.....@l%uY.@.....@.....@.....@.....@.....@......&.{9F90421B-05FE-4A89-802E-B4C70995335E}..Sage.Eb.eIDSign.Windows..Sage.Eb.eIDSign.Windows.msi.@.....@d....@.....@......ARPPRODUCTICON.exe..&.{B567D723-533A-4254-ABAB-0B467014446B}.....@.....@.....@.....@.......@.....@.....@.......@......Sage.Eb.eIDSign.Windows......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{15E91DFE-7F0C-4482-8E5C-0A34C86440A4}Q.C:\Program Files (x86)\Sage\eIDSign\Microsoft.Diagnostics.Tracing.EventSource.dll.@.......@.....@.....@......&.{0FFA3691-D8F4-42B3-A394-695571A730CB}].C:\Program Files (x86)\Sage\eIDSign\Microsoft.Practices.EnterpriseLibrary.SemanticLogging.dll.@.......@.....@.....@......&.{3822BA65-FD66-444D-AC60-006E2115D8E6}7.C:\Program Files (x86)\Sage\eIDSign\Newtonsoft.Json.dll.@.......@.....@.....@......&.{36800176-08C9-4EC3-A7D5-DC0F3049CE59};.C:\Program Files
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                    Category:dropped
                                                                                                    Size (bytes):20480
                                                                                                    Entropy (8bit):1.1709980501316886
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:JSbX72FjkoAGiLIlHVRp2h/7777777777777777777777777vDHF9gspu9Nl0i8Q:JrQI5OAsFF
                                                                                                    MD5:9C691E59080077FB1BF437920A487918
                                                                                                    SHA1:7AE34860A49BA9651C6202D6F77C37074019D942
                                                                                                    SHA-256:24F6C9B54C8AE2C217755F2A8F1EE13606E71D1ECC87A2C37E4E3887507A7B23
                                                                                                    SHA-512:61AF7EF00E18F12ABD4E08CD4EAEA3AF47DA6AFE0081F38C4C1223AB04DAD310D555F11579F6FB0D3D507DFCDEE30C5A0F20C5D02D016110EABB42A5E17DCCED
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                    Category:dropped
                                                                                                    Size (bytes):20480
                                                                                                    Entropy (8bit):1.8246422621296476
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:f8PhVuRc06WXzQFT5kvVeL7+vlS8qOdxT0dxCXdx3I6AdxqgvMSB4vzqOdxT0dxc:ehV1lFT3KeqqZqb
                                                                                                    MD5:1602471FE976ACA0DA12928460AF2C02
                                                                                                    SHA1:976E42915ADFD58AA89DC0A1A6C7D3CDB3549CAF
                                                                                                    SHA-256:03E732A1C3B8EC54528F8F07CB6C82F44F861D847F2FEE8D0D89055086A5EF9D
                                                                                                    SHA-512:C1BB2183802175EA7D256BECF50BE2CACC89B47DA7CC63E91D1876608E7118FA602D64FFC1E7DCA33B4CF73A05B9AC4A051A62AD9E76F7102F560F107332DFBD
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Installation Database, Subject: Blank Project Template, Author: Sage, Keywords: Installer,MSI,Database, Comments: Contact: Your local administrator, Create Time/Date: Tue Feb 8 17:38:06 2022, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Security: 1, Template: Intel;0,1033,1036,1034, Last Saved By: Intel;1033, Revision Number: {9F90421B-05FE-4A89-802E-B4C70995335E}2.0.100.25;{9F90421B-05FE-4A89-802E-B4C70995335E}2.0.100.25;{75C82E09-EB7C-4612-8FAD-E0B8438B7465}, Number of Pages: 405, Number of Characters: 1
                                                                                                    Category:dropped
                                                                                                    Size (bytes):28672
                                                                                                    Entropy (8bit):3.806858610117486
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:vy+ywR2G66T0scKLTTRyp1uDnWMeElfC9zljFYqy83JUfhdyEi7ZHeE2fa:vy02rkTS1cbwaq9BZHUa
                                                                                                    MD5:52CF12F6B1F34366D694B8B6A43BDA11
                                                                                                    SHA1:4FAD14CC4C1BDCD0037AAADAFD686298703B2E27
                                                                                                    SHA-256:4F67C097F6A81621B030670E37D181775273B1298FD4177AD11EEAD8CFBE19E1
                                                                                                    SHA-512:67845A684A0B8471BEB35BD6A41AC5979E69B15E5272685318A3089742885E32503F6E988BE06CD9AC67435342830DA7F72DBE09C0E83B5F12E8015FBA3A40A5
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):53152
                                                                                                    Entropy (8bit):4.6954676388219045
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:MvFMAyDNOdTdFCxfrwntajXjDWLi9Y+C5vy/Q1nDcZ8Nzk4AJgFPJ2hS:qMAyYdTmPJbgqcnDcSNVAJgFPYh
                                                                                                    MD5:38A7FE346D8963B609D61844DA99295C
                                                                                                    SHA1:87ED520A1A496F1D42908D96E59B64E654A9F948
                                                                                                    SHA-256:21640AC5C5949ECFEA2C0AE650FE83299C152BFF13094D8D16483FFB8E464BE8
                                                                                                    SHA-512:5DDFF999A30AAA17B9DFDB57BFE29E87D1D3350AA2558BD4F27A1D404BA8C5172F2D3F9455F558E75F0C6C6D77B564C43947ECE6F950D9E0643D2699B956EB3F
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):53152
                                                                                                    Entropy (8bit):4.695138409120245
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:ovFMAyDNOdTdFCxfrwntajXjDWLi9Y+C5vy/Q1nDcZ8Nzk4AJgFVLhq:2MAyYdTmPJbgqcnDcSNVAJgFphq
                                                                                                    MD5:ABCBE41DD6F79DA8CA201662909BE447
                                                                                                    SHA1:8AC18E4B1B44F68A796D99E71BDC21024124F94F
                                                                                                    SHA-256:05CA09F9961A09FF1FDD750E2FCA3444C41DE49660F1CF14F7506071AF04186D
                                                                                                    SHA-512:BF251C1F82C458D6EE5773C77600FD0E62B408A3C55F6BF4956A5B139B55FB3C246005E46A8607F24FAD3E341875E09F13C375D08535BAB53390F5A25AC5E433
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):454234
                                                                                                    Entropy (8bit):5.356168007632559
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgau4:zTtbmkExhMJCIpEG90D5JG81IIgMt
                                                                                                    MD5:9524C40CAA285682E5697ABE366B8B56
                                                                                                    SHA1:FED0D36396C3ECC573309E69CFA55347E2FFA945
                                                                                                    SHA-256:1AD4ACFB18B2909A8B47379AE0E5994B167887DB82F250C3DA33D3E2BF83E45F
                                                                                                    SHA-512:D7287608DC68072F7DBD8EA3280C2D2EC12D689317852F12684AC9702A75C2BB94768429220301440E03A65C319FC6C868DA456EC31E48EC4CCE26487109C088
                                                                                                    Malicious:false
                                                                                                    Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                                    Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                    Category:modified
                                                                                                    Size (bytes):4926
                                                                                                    Entropy (8bit):3.2489343392020165
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:FaqdF78F7B+AAHdKoqKFxcxkFiF7KaqdF7j+AAHdKoqKFxcxkFj:cEOB+AAsoJjykePEj+AAsoJjyk5
                                                                                                    MD5:8D1EE7875E363E6E21CA47B945B8CD16
                                                                                                    SHA1:92B5291224A1261D54C70B9FD5C58DD4AFEC6A0F
                                                                                                    SHA-256:33B7392AD5DB877077514D571E76D55CD0EFC213EF5B783D37A03DD5C3A12267
                                                                                                    SHA-512:1BCA65E2F6B169860691939271E4EFEDB35E60D1249178152855997E2E48A86797F8B1D7B721719147F7F8B70FCC7B8514F480C23D18689472B22CFF145EE59F
                                                                                                    Malicious:false
                                                                                                    Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. O.c.t. .. 0.6. .. 2.0.2.3. .1.1.:.3.5.:.2.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .W.S.C. .S.t.a.t.e. .I.n.f.o. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):512
                                                                                                    Entropy (8bit):0.0
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3::
                                                                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):32768
                                                                                                    Entropy (8bit):0.07698827311769528
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOJuaxgspALLPh1qVky6l9X:2F0i8n0itFzDHF9gspu9N
                                                                                                    MD5:2D9E994553528C0B212A3319921E900F
                                                                                                    SHA1:78C677A1A0F77F902E611FDAE416A747953ACB16
                                                                                                    SHA-256:DD2C917B1708F4C706556140696E88F09FDA2CBD3BF0CB1F8D85B1A4880BA5AD
                                                                                                    SHA-512:51CA5E82D3523CF71107E500BC60161DD5580F6FD3B7E80B56B4FBDDE8E1788E2E8DB9858035416B512E72FEC3768BAEE0B8849599CEE73EF4973308BDDBB1F6
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                    Category:dropped
                                                                                                    Size (bytes):32768
                                                                                                    Entropy (8bit):1.4411139961371207
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:20tuTRs4aFXzVT5lMGvVeL7+vlS8qOdxT0dxCXdx3I6AdxqgvMSB4vzqOdxT0dxc:LtdbTLSKeqqZqb
                                                                                                    MD5:8312E97E6F984591778D6166B4D6FF03
                                                                                                    SHA1:D5E9D515B6DCACE4C3E9049BB95740458A5B9EFF
                                                                                                    SHA-256:409BEE33237D28D055603654803AD02986722ABD3536074EE6F7D65F8BC5460C
                                                                                                    SHA-512:9DEA80C3E0CC017CB77220EDEFC9B0CAEA4D81FCB8BA7C503D7E5EC5A1C1C441119B134BA4B3048B0C81D2C5BF3BAEED65E6B3FA02A278A2D43899A97556C183
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                    Category:dropped
                                                                                                    Size (bytes):32768
                                                                                                    Entropy (8bit):1.4411139961371207
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:20tuTRs4aFXzVT5lMGvVeL7+vlS8qOdxT0dxCXdx3I6AdxqgvMSB4vzqOdxT0dxc:LtdbTLSKeqqZqb
                                                                                                    MD5:8312E97E6F984591778D6166B4D6FF03
                                                                                                    SHA1:D5E9D515B6DCACE4C3E9049BB95740458A5B9EFF
                                                                                                    SHA-256:409BEE33237D28D055603654803AD02986722ABD3536074EE6F7D65F8BC5460C
                                                                                                    SHA-512:9DEA80C3E0CC017CB77220EDEFC9B0CAEA4D81FCB8BA7C503D7E5EC5A1C1C441119B134BA4B3048B0C81D2C5BF3BAEED65E6B3FA02A278A2D43899A97556C183
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                    Category:dropped
                                                                                                    Size (bytes):20480
                                                                                                    Entropy (8bit):1.8246422621296476
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:f8PhVuRc06WXzQFT5kvVeL7+vlS8qOdxT0dxCXdx3I6AdxqgvMSB4vzqOdxT0dxc:ehV1lFT3KeqqZqb
                                                                                                    MD5:1602471FE976ACA0DA12928460AF2C02
                                                                                                    SHA1:976E42915ADFD58AA89DC0A1A6C7D3CDB3549CAF
                                                                                                    SHA-256:03E732A1C3B8EC54528F8F07CB6C82F44F861D847F2FEE8D0D89055086A5EF9D
                                                                                                    SHA-512:C1BB2183802175EA7D256BECF50BE2CACC89B47DA7CC63E91D1876608E7118FA602D64FFC1E7DCA33B4CF73A05B9AC4A051A62AD9E76F7102F560F107332DFBD
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                    Category:dropped
                                                                                                    Size (bytes):32768
                                                                                                    Entropy (8bit):1.4411139961371207
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:20tuTRs4aFXzVT5lMGvVeL7+vlS8qOdxT0dxCXdx3I6AdxqgvMSB4vzqOdxT0dxc:LtdbTLSKeqqZqb
                                                                                                    MD5:8312E97E6F984591778D6166B4D6FF03
                                                                                                    SHA1:D5E9D515B6DCACE4C3E9049BB95740458A5B9EFF
                                                                                                    SHA-256:409BEE33237D28D055603654803AD02986722ABD3536074EE6F7D65F8BC5460C
                                                                                                    SHA-512:9DEA80C3E0CC017CB77220EDEFC9B0CAEA4D81FCB8BA7C503D7E5EC5A1C1C441119B134BA4B3048B0C81D2C5BF3BAEED65E6B3FA02A278A2D43899A97556C183
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):512
                                                                                                    Entropy (8bit):0.0
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3::
                                                                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):512
                                                                                                    Entropy (8bit):0.0
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3::
                                                                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                    Category:dropped
                                                                                                    Size (bytes):32768
                                                                                                    Entropy (8bit):1.4411139961371207
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:20tuTRs4aFXzVT5lMGvVeL7+vlS8qOdxT0dxCXdx3I6AdxqgvMSB4vzqOdxT0dxc:LtdbTLSKeqqZqb
                                                                                                    MD5:8312E97E6F984591778D6166B4D6FF03
                                                                                                    SHA1:D5E9D515B6DCACE4C3E9049BB95740458A5B9EFF
                                                                                                    SHA-256:409BEE33237D28D055603654803AD02986722ABD3536074EE6F7D65F8BC5460C
                                                                                                    SHA-512:9DEA80C3E0CC017CB77220EDEFC9B0CAEA4D81FCB8BA7C503D7E5EC5A1C1C441119B134BA4B3048B0C81D2C5BF3BAEED65E6B3FA02A278A2D43899A97556C183
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):512
                                                                                                    Entropy (8bit):0.0
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3::
                                                                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                    Category:dropped
                                                                                                    Size (bytes):20480
                                                                                                    Entropy (8bit):1.8246422621296476
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:f8PhVuRc06WXzQFT5kvVeL7+vlS8qOdxT0dxCXdx3I6AdxqgvMSB4vzqOdxT0dxc:ehV1lFT3KeqqZqb
                                                                                                    MD5:1602471FE976ACA0DA12928460AF2C02
                                                                                                    SHA1:976E42915ADFD58AA89DC0A1A6C7D3CDB3549CAF
                                                                                                    SHA-256:03E732A1C3B8EC54528F8F07CB6C82F44F861D847F2FEE8D0D89055086A5EF9D
                                                                                                    SHA-512:C1BB2183802175EA7D256BECF50BE2CACC89B47DA7CC63E91D1876608E7118FA602D64FFC1E7DCA33B4CF73A05B9AC4A051A62AD9E76F7102F560F107332DFBD
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):73728
                                                                                                    Entropy (8bit):0.23409041765003016
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:obJIeLJxCSB4vzqOdxT0dxCXdxHvlS8qOdxT0dxCXdx3I6AdxqgvWyvVeL:obPCqyes
                                                                                                    MD5:BFD7E90D9AD5CE0EB6F68CDE52839078
                                                                                                    SHA1:9E71A094A3B6A6F730BEC521B38A0A1A6C2641DE
                                                                                                    SHA-256:894B0554D7DD108F0D2D7D9EDB8ABA23FAD375F1AC6CF99271AAFFADE2347AE5
                                                                                                    SHA-512:B15944FDF9E173497F14C4A28C11DE2EDD517E06894B6125352E34BAD2F0F9EF2AA086EE2052FD0F2CFE23D2FCF8816D85CF9BF005A2CE700A1810B61A41831E
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):512
                                                                                                    Entropy (8bit):0.0
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3::
                                                                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):512
                                                                                                    Entropy (8bit):0.0
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3::
                                                                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                    Malicious:false
                                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Entropy (8bit):7.558121486719703
                                                                                                    TrID:
                                                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                    File name:Sage.Eb.eIDSign.Windows.Installer.exe
                                                                                                    File size:3'287'832 bytes
                                                                                                    MD5:cdaa0b967941fffe97b0d508e696b938
                                                                                                    SHA1:3338c896c9416dc683d94696f6861ab28b0bb26f
                                                                                                    SHA256:e01aec5472b010bdcf84d65bdbeff90e0c551558899f638d36dace4261ae1d36
                                                                                                    SHA512:e84be42292383f3eacceb666d63d5e4f5bef80e29cd8ceded482bd536f15186acdcbe069453fc359991584a09e753f412f51a7082e23b45bcf5dfed992abfc25
                                                                                                    SSDEEP:49152:/qUkZ9kqv1TfyK/llllNlU+ZrGUTCiTyT4sF5zkYJPVEuRVAlvIlB+EUtg:nkZCqvVfpjF+tkYJdlVkUEO
                                                                                                    TLSH:83E5C0137A41903EE66182314C6FAE6446A87D735B3241DBB298FE1D2EF05C2B637E47
                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K....h...h...h.......h.......h.......h.......h....k..h......Mh....n..h...h...i......Oh.......h...h@..h.......h..Rich.h.........
                                                                                                    Icon Hash:71ace52b2935381a
                                                                                                    Entrypoint:0x46de3c
                                                                                                    Entrypoint Section:.text
                                                                                                    Digitally signed:true
                                                                                                    Imagebase:0x400000
                                                                                                    Subsystem:windows gui
                                                                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                    DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                    Time Stamp:0x5979EF40 [Thu Jul 27 13:48:48 2017 UTC]
                                                                                                    TLS Callbacks:
                                                                                                    CLR (.Net) Version:
                                                                                                    OS Version Major:5
                                                                                                    OS Version Minor:1
                                                                                                    File Version Major:5
                                                                                                    File Version Minor:1
                                                                                                    Subsystem Version Major:5
                                                                                                    Subsystem Version Minor:1
                                                                                                    Import Hash:664e6fa758bf83e8ac3bbf7d0e102330
                                                                                                    Signature Valid:true
                                                                                                    Signature Issuer:CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
                                                                                                    Signature Validation Error:The operation completed successfully
                                                                                                    Error Number:0
                                                                                                    Not Before, Not After
                                                                                                    • 14/06/2020 20:00:00 15/06/2023 19:59:59
                                                                                                    Subject Chain
                                                                                                    • CN=SAGE SASU, OU=Sage MME-EB-BUILD, O=SAGE SASU, L=La Garenne Colombes, S=Hauts-de-Seine, C=FR
                                                                                                    Version:3
                                                                                                    Thumbprint MD5:FB207B8048D86EEAB42158BBF60FF4F3
                                                                                                    Thumbprint SHA-1:032B87C639A06F6DD672745D771B866E5CEBAE6E
                                                                                                    Thumbprint SHA-256:6CD43C7268E49160D94AEC845DE84681A588F508F2663BED1889C04FD13EEE19
                                                                                                    Serial:5629E6C0745165D283044BCC8F548E08
                                                                                                    Instruction
                                                                                                    call 00007FE4DCEFCD76h
                                                                                                    jmp 00007FE4DCEEDFBEh
                                                                                                    push ebp
                                                                                                    mov ebp, esp
                                                                                                    mov eax, dword ptr [ebp+14h]
                                                                                                    push esi
                                                                                                    test eax, eax
                                                                                                    je 00007FE4DCEEE1BEh
                                                                                                    cmp dword ptr [ebp+08h], 00000000h
                                                                                                    jne 00007FE4DCEEE195h
                                                                                                    call 00007FE4DCEEC836h
                                                                                                    push 00000016h
                                                                                                    pop esi
                                                                                                    mov dword ptr [eax], esi
                                                                                                    call 00007FE4DCEF0E1Eh
                                                                                                    mov eax, esi
                                                                                                    jmp 00007FE4DCEEE1A7h
                                                                                                    cmp dword ptr [ebp+10h], 00000000h
                                                                                                    je 00007FE4DCEEE169h
                                                                                                    cmp dword ptr [ebp+0Ch], eax
                                                                                                    jnc 00007FE4DCEEE18Bh
                                                                                                    call 00007FE4DCEEC818h
                                                                                                    push 00000022h
                                                                                                    jmp 00007FE4DCEEE162h
                                                                                                    push eax
                                                                                                    push dword ptr [ebp+10h]
                                                                                                    push dword ptr [ebp+08h]
                                                                                                    call 00007FE4DCEE9F3Bh
                                                                                                    add esp, 0Ch
                                                                                                    xor eax, eax
                                                                                                    pop esi
                                                                                                    pop ebp
                                                                                                    ret
                                                                                                    push ebp
                                                                                                    mov ebp, esp
                                                                                                    xor edx, edx
                                                                                                    mov eax, edx
                                                                                                    cmp dword ptr [ebp+0Ch], eax
                                                                                                    jbe 00007FE4DCEEE193h
                                                                                                    mov ecx, dword ptr [ebp+08h]
                                                                                                    cmp word ptr [ecx], dx
                                                                                                    je 00007FE4DCEEE18Bh
                                                                                                    inc eax
                                                                                                    add ecx, 02h
                                                                                                    cmp eax, dword ptr [ebp+0Ch]
                                                                                                    jc 00007FE4DCEEE174h
                                                                                                    pop ebp
                                                                                                    ret
                                                                                                    push ebp
                                                                                                    mov ebp, esp
                                                                                                    and dword ptr [00538130h], 00000000h
                                                                                                    sub esp, 10h
                                                                                                    push ebx
                                                                                                    xor ebx, ebx
                                                                                                    inc ebx
                                                                                                    or dword ptr [00531BB0h], ebx
                                                                                                    push 0000000Ah
                                                                                                    call 00007FE4DCF4DC24h
                                                                                                    test eax, eax
                                                                                                    je 00007FE4DCEEE294h
                                                                                                    xor ecx, ecx
                                                                                                    mov eax, ebx
                                                                                                    mov dword ptr [00538130h], ebx
                                                                                                    cpuid
                                                                                                    push esi
                                                                                                    mov esi, dword ptr [00531BB0h]
                                                                                                    push edi
                                                                                                    lea edi, dword ptr [ebp-10h]
                                                                                                    or esi, 02h
                                                                                                    mov dword ptr [edi], eax
                                                                                                    mov dword ptr [edi+04h], ebx
                                                                                                    mov dword ptr [edi+08h], ecx
                                                                                                    mov dword ptr [edi+0Ch], edx
                                                                                                    test dword ptr [ebp-08h], 00100000h
                                                                                                    Programming Language:
                                                                                                    • [ C ] VS2012 UPD1 build 51106
                                                                                                    • [C++] VS2012 UPD1 build 51106
                                                                                                    • [RES] VS2012 UPD1 build 51106
                                                                                                    • [LNK] VS2012 UPD1 build 51106
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x12e26c | 0xdc | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x13b000 | 0x513bc | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x320b40 | 0x1fd8 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0xef7a0 | 0x38 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x10b350 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0xef000 | 0x6a8 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x12d890 | 0xe0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xed846 | 0xeda00 | 8b2d862665d5c76894cc2f6712a1e1c2 | False | 0.47022126512361917 | data | 6.548674518262654 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0xef000 | 0x41652 | 0x41800 | 140a3af0d6d3b561d053802755fe51e5 | False | 0.39431879174618323 | data | 4.9472143970500255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x131000 | 0x9058 | 0x2a00 | 7ebd908990ff5d83dd3e75de1630dbe1 | False | 0.29482886904761907 | data | 4.517231485647332 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x13b000 | 0x513bc | 0x51400 | b9ec814e37fad47517db4b7122531f4d | False | 0.3927614182692308 | data | 6.616164813728863 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| GIF | 0x13beec | 0x474a | GIF image data, version 89a, 350 x 624 | | | 0.9899178082191781 |
| GIF | 0x140638 | 0x339f | GIF image data, version 89a, 350 x 624 | English | United States | 0.9129020052970109 |
| PNG | 0x1439d8 | 0x39ed | PNG image data, 360 x 150, 8-bit/color RGBA, non-interlaced | | | 0.9975723244992919 |
| PNG | 0x1473c8 | 0x2fc9 | PNG image data, 240 x 227, 8-bit/color RGBA, non-interlaced | | | 0.9968119022316685 |
| RT_BITMAP | 0x14a394 | 0x14220 | Device independent bitmap graphic, 220 x 370 x 8, image size 81400 | | | 0.34390764454792394 |
| RT_BITMAP | 0x15e5b4 | 0x1b5c | Device independent bitmap graphic, 180 x 75 x 4, image size 6900 | | | 0.18046830382638493 |
| RT_BITMAP | 0x160110 | 0x38e4 | Device independent bitmap graphic, 180 x 75 x 8, image size 13500 | | | 0.26689096402087337 |
| RT_BITMAP | 0x1639f4 | 0x1238 | Device independent bitmap graphic, 60 x 60 x 8, image size 3600 | | | 0.23499142367066894 |
| RT_BITMAP | 0x164c2c | 0x6588 | Device independent bitmap graphic, 161 x 152 x 8, image size 24928, resolution 3796 x 3796 px/m, 256 important colors | | | 0.3035934133579563 |
| RT_BITMAP | 0x16b1b4 | 0x11f88 | Device independent bitmap graphic, 161 x 152 x 24, image size 73568, resolution 3780 x 3780 px/m | | | 0.12790729268557766 |
| RT_ICON | 0x17d13c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 11811 x 11811 px/m | | | 0.2528142589118199 |
| RT_ICON | 0x17e1e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | | | 0.34139784946236557 |
| RT_ICON | 0x17e4cc | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | | | 0.5202702702702703 |
| RT_ICON | 0x17e5f4 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.47334754797441364 |
| RT_ICON | 0x17f49c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.6101083032490975 |
| RT_ICON | 0x17fd44 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.596820809248555 |
| RT_ICON | 0x1802ac | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.2932572614107884 |
| RT_ICON | 0x182854 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.4343339587242026 |
| RT_ICON | 0x1838fc | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.7198581560283688 |
| RT_ICON | 0x183d64 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | | | 0.35618279569892475 |
| RT_ICON | 0x18404c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | | | 0.42473118279569894 |
| RT_DIALOG | 0x184334 | 0x1ce | data | | | 0.48917748917748916 |
| RT_DIALOG | 0x184504 | 0x266 | data | | | 0.4527687296416938 |
| RT_DIALOG | 0x18476c | 0x2b0 | data | | | 0.438953488372093 |
| RT_DIALOG | 0x184a1c | 0x54 | data | | | 0.6904761904761905 |
| RT_DIALOG | 0x184a70 | 0x34 | data | | | 0.8846153846153846 |
| RT_DIALOG | 0x184aa4 | 0xd6 | data | | | 0.6495327102803738 |
| RT_DIALOG | 0x184b7c | 0x114 | data | | | 0.5036231884057971 |
| RT_DIALOG | 0x184c90 | 0xd6 | data | | | 0.5841121495327103 |
| RT_DIALOG | 0x184d68 | 0x246 | data | | | 0.4690721649484536 |
| RT_DIALOG | 0x184fb0 | 0x3c8 | data | | | 0.4194214876033058 |
| RT_DIALOG | 0x185378 | 0x14e | data | | | 0.5359281437125748 |
| RT_DIALOG | 0x1854c8 | 0x1e8 | data | | | 0.49385245901639346 |
| RT_DIALOG | 0x1856b0 | 0x1c6 | data | | | 0.5286343612334802 |
| RT_DIALOG | 0x185878 | 0x1ee | data | | | 0.49190283400809715 |
| RT_DIALOG | 0x185a68 | 0x7c | data | | | 0.7580645161290323 |
| RT_DIALOG | 0x185ae4 | 0x3bc | data | | | 0.4372384937238494 |
| RT_DIALOG | 0x185ea0 | 0x158 | data | | | 0.5581395348837209 |
| RT_DIALOG | 0x185ff8 | 0x1da | data | | | 0.5168776371308017 |
| RT_DIALOG | 0x1861d4 | 0x10a | data | | | 0.6015037593984962 |
| RT_DIALOG | 0x1862e0 | 0xde | data | | | 0.6441441441441441 |
| RT_DIALOG | 0x1863c0 | 0x1d4 | data | | | 0.5085470085470085 |
| RT_DIALOG | 0x186594 | 0x1dc | data | | | 0.5210084033613446 |
| RT_DIALOG | 0x186770 | 0x294 | data | | | 0.48787878787878786 |
| RT_STRING | 0x186a04 | 0x160 | data | English | United States | 0.5340909090909091 |
| RT_STRING | 0x186b64 | 0x23e | data | English | United States | 0.40418118466898956 |
| RT_STRING | 0x186da4 | 0x378 | data | English | United States | 0.4222972972972973 |
| RT_STRING | 0x18711c | 0x252 | data | English | United States | 0.4393939393939394 |
| RT_STRING | 0x187370 | 0x1f4 | data | English | United States | 0.442 |
| RT_STRING | 0x187564 | 0x66a | data | English | United States | 0.3617539585870889 |
| RT_STRING | 0x187bd0 | 0x366 | data | English | United States | 0.41379310344827586 |
| RT_STRING | 0x187f38 | 0x27e | data | English | United States | 0.4561128526645768 |
| RT_STRING | 0x1881b8 | 0x518 | data | English | United States | 0.39800613496932513 |
| RT_STRING | 0x1886d0 | 0x882 | data | English | United States | 0.3002754820936639 |
                                                                                                    RT_STRING0x188f540x23edataEnglishUnited States0.45121951219512196
                                                                                                    RT_STRING0x1891940x3badataEnglishUnited States0.3280922431865828
                                                                                                    RT_STRING0x1895500x12cdataEnglishUnited States0.5266666666666666
                                                                                                    RT_STRING0x18967c0x4adataEnglishUnited States0.6756756756756757
                                                                                                    RT_STRING0x1896c80xdadataEnglishUnited States0.6100917431192661
                                                                                                    RT_STRING0x1897a40x110dataEnglishUnited States0.5845588235294118
                                                                                                    RT_STRING0x1898b40x20adataEnglishUnited States0.4521072796934866
                                                                                                    RT_STRING0x189ac00xbaMatlab v4 mat-file (little endian) P, numeric, rows 0, columns 0EnglishUnited States0.5860215053763441
                                                                                                    RT_STRING0x189b7c0xa8dataEnglishUnited States0.6607142857142857
                                                                                                    RT_STRING0x189c240x12adataEnglishUnited States0.5201342281879194
                                                                                                    RT_STRING0x189d500x422dataEnglishUnited States0.2741020793950851
                                                                                                    RT_STRING0x18a1740x5c2dataEnglishUnited States0.37720488466757124
                                                                                                    RT_STRING0x18a7380x40dataEnglishUnited States0.671875
                                                                                                    RT_STRING0x18a7780xcaadataEnglishUnited States0.2313386798272671
                                                                                                    RT_STRING0x18b4240x284dataEnglishUnited States0.4363354037267081
                                                                                                    RT_GROUP_ICON0x18b6a80x14data1.1
                                                                                                    RT_GROUP_ICON0x18b6bc0x14data1.25
                                                                                                    RT_GROUP_ICON0x18b6d00x14data1.25
                                                                                                    RT_VERSION0x18b6e40x430data0.4375
                                                                                                    RT_MANIFEST0x18bb140x626XML 1.0 document, ASCII text, with CRLF line terminators0.44472681067344344
                                                                                                    RT_MANIFEST0x18c13c0x280XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.553125
DLL | Import
COMCTL32.dll |
KERNEL32.dll | GetSystemTimeAsFileTime, GetPrivateProfileStringW, MoveFileW, LocalFree, FormatMessageW, GetSystemInfo, MulDiv, RaiseException, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LoadLibraryExW, GetVersion, GetLocalTime, GetFileAttributesW, GetCurrentDirectoryW, FileTimeToLocalFileTime, GetFileTime, GetSystemDefaultUILanguage, FlushFileBuffers, SetEndOfFile, VirtualQuery, IsBadReadPtr, GetDiskFreeSpaceExW, GetDriveTypeW, GetCurrentThread, InterlockedExchange, LoadLibraryExA, GetPrivateProfileSectionW, GetShortPathNameW, GetModuleHandleW, GetProcAddress, GetSystemDirectoryA, LoadLibraryA, GetLastError, SetLastError, SetFileAttributesW, GetFileSize, CloseHandle, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, lstrlenA, MultiByteToWideChar, WideCharToMultiByte, ReadFile, SetFilePointer, WriteFile, HeapAlloc, FindNextFileW, FindFirstFileW, FindClose, CreateDirectoryW, CompareFileTime, VerLanguageNameW, GetUserDefaultLangID, GetSystemDefaultLangID, lstrcmpiW, lstrcmpW, IsValidLocale, GetLocaleInfoW, lstrcpyA, ExitThread, GetExitCodeProcess, GetCommandLineW, LoadLibraryW, FreeLibrary, CompareStringA, CompareStringW, FreeResource, GetPrivateProfileSectionNamesA, GetPrivateProfileStringA, GetPrivateProfileIntA, lstrcatA, lstrcmpiA, lstrcpynA, LocalAlloc, lstrcmpA, SystemTimeToFileTime, ResetEvent, SetEvent, Process32NextW, Process32FirstW, CreateToolhelp32Snapshot, FindResourceExW, GetEnvironmentVariableW, SetFileTime, OpenProcess, GetProcessTimes, ReadConsoleW, WriteConsoleW, SetStdHandle, SetFilePointerEx, GetConsoleMode, GetConsoleCP, lstrcatW, GetVersionExW, InterlockedDecrement, InterlockedIncrement, CreateEventW, QueryPerformanceFrequency, GetTempFileNameW, CopyFileW, GetTickCount, GetExitCodeThread, CreateThread, FindResourceW, GlobalFree, GlobalUnlock, GlobalLock, GlobalAlloc, SizeofResource, LockResource, LoadResource, lstrcpyW, GetWindowsDirectoryW, SetErrorMode, GetTempPathW, CreateFileW, ExpandEnvironmentStringsW, MoveFileExW, WriteProcessMemory, VirtualProtectEx, GetSystemDirectoryW, FlushInstructionCache, SetThreadContext, GetThreadContext, CreateProcessW, ResumeThread, TerminateProcess, ExitProcess, GetCurrentProcess, Sleep, WaitForSingleObject, DuplicateHandle, RemoveDirectoryW, DeleteFileW, SetCurrentDirectoryW, lstrlenW, lstrcpynW, GetModuleFileNameW, GetProcessHeap, HeapFree, FatalAppExitA, WritePrivateProfileSectionW, EnumSystemLocalesW, GetUserDefaultLCID, GetTimeFormatW, GetDateFormatW, SetConsoleCtrlHandler, OutputDebugStringW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCurrentProcessId, QueryPerformanceCounter, GetFileType, HeapReAlloc, CreateSemaphoreW, GetStartupInfoW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetStringTypeW, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, GetCurrentThreadId, HeapSize, AreFileApisANSI, GetModuleHandleExW, GetStdHandle, IsProcessorFeaturePresent, IsDebuggerPresent, RtlUnwind, LCMapStringW, DecodePointer, EncodePointer
USER32.dll | MapWindowPoints, GetMessageW, TranslateMessage, DispatchMessageW, PostMessageW, DefWindowProcW, PostQuitMessage, RegisterClassW, CreateWindowExW, SetTimer, KillTimer, LoadCursorW, LoadIconW, wsprintfW, PeekMessageW, MsgWaitForMultipleObjects, GetDesktopWindow, ShowWindow, DialogBoxIndirectParamW, EndDialog, GetDlgItem, SetWindowTextW, CharPrevW, wvsprintfW, LoadImageW, CreateDialogParamW, MoveWindow, GetParent, GetWindowTextW, SetCursor, GetWindow, GetDlgItemTextW, SetFocus, SetForegroundWindow, SetActiveWindow, SetDlgItemTextW, FindWindowW, SubtractRect, IntersectRect, SetRect, FillRect, SetWindowPos, GetSysColor, GetDC, GetSystemMetrics, GetDlgCtrlID, CreateDialogIndirectParamW, ExitWindowsEx, CharUpperW, wsprintfA, CallWindowProcW, DrawIcon, DrawTextW, UpdateWindow, InvalidateRect, SetPropW, GetPropW, RemovePropW, GetSysColorBrush, DrawFocusRect, CopyRect, InflateRect, EnumChildWindows, GetClassNameW, MapDialogRect, RegisterClassExW, MonitorFromPoint, CharNextW, IsDialogMessageW, FindWindowExW, ScreenToClient, MessageBoxW, GetWindowRect, EnableWindow, SendDlgItemMessageW, DestroyWindow, IsWindow, SendMessageW, WaitForInputIdle, SetWindowLongW, GetWindowLongW, GetClientRect, EndPaint, BeginPaint, ReleaseDC, GetWindowDC
GDI32.dll | CreateHalftonePalette, GetDIBColorTable, SelectPalette, RealizePalette, GetSystemPaletteEntries, CreatePalette, CreateFontW, SetTextColor, SetBkMode, GetDeviceCaps, CreateSolidBrush, GetObjectW, TranslateCharsetInfo, CreateFontIndirectW, SetStretchBltMode, StretchBlt, SelectObject, DeleteDC, CreateDIBitmap, CreateCompatibleDC, BitBlt, DeleteObject, GetStockObject, CreateCompatibleBitmap, CreateDCW, CreatePatternBrush, GetTextExtentPoint32W, RestoreDC, SaveDC, DeleteMetaFile, CreateBitmap, CreateRectRgn, PatBlt, PlayMetaFile, SelectClipRgn, SetBkColor, SetMapMode, SetMetaFileBitsEx, SetPixel, SetViewportExtEx, SetViewportOrgEx, SetWindowExtEx, SetWindowOrgEx, UnrealizeObject
ADVAPI32.dll | RegQueryValueExW, RegOpenKeyExW, CryptVerifySignatureW, CryptSignHashW, CryptDestroyHash, CryptHashData, CryptCreateHash, CryptImportKey, CryptExportKey, CryptGetHashParam, CryptSetHashParam, CryptDestroyKey, CryptDeriveKey, CryptReleaseContext, CryptAcquireContextW, RegOpenKeyW, RegEnumKeyW, RegCreateKeyW, RegOverridePredefKey, LookupPrivilegeValueW, AdjustTokenPrivileges, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid, OpenThreadToken, OpenProcessToken, SetEntriesInAclW, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, CreateWellKnownSid, RegQueryInfoKeyW, RegEnumKeyExW, RegDeleteKeyW, RegEnumValueW, RegDeleteValueW, RegSetValueExW, RegCreateKeyExW, RegCloseKey
SHELL32.dll | CommandLineToArgvW, ShellExecuteW, SHBrowseForFolderW, SHGetFolderPathW, SHGetPathFromIDListW, ShellExecuteExW, SHGetMalloc, SHGetSpecialFolderLocation
ole32.dll | CoUninitialize, CoInitializeSecurity, CoInitialize, CoTaskMemRealloc, ProgIDFromCLSID, CreateStreamOnHGlobal, CoTaskMemAlloc, CLSIDFromProgID, GetRunningObjectTable, CreateItemMoniker, CoCreateGuid, StringFromGUID2, CoCreateInstance, CoTaskMemFree
OLEAUT32.dll | SysReAllocStringLen, VarUI4FromStr, SystemTimeToVariantTime, VarBstrCmp, CreateErrorInfo, SetErrorInfo, UnRegisterTypeLib, RegisterTypeLib, LoadTypeLib, SysStringLen, SysAllocString, SysStringByteLen, SysAllocStringByteLen, VarBstrCat, VarBstrFromDate, VariantClear, VariantChangeType, SysAllocStringLen, SysFreeString, GetErrorInfo
RPCRT4.dll | UuidToStringW, UuidFromStringW, RpcStringFreeW, UuidCreate
gdiplus.dll | GdipCreateBitmapFromStream, GdipCreateBitmapFromFile, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromFileICM, GdipCreateBitmapFromResource, GdipCreateFromHDC, GdipDeleteGraphics, GdipSetInterpolationMode, GdipDrawImageRectI, GdipGetImageWidth, GdipGetImageHeight, GdipAlloc, GdipFree, GdiplusStartup, GdipCloneImage, GdipDisposeImage
Language of compilation system | Country where language is spoken | Map
English | United States |
                                                                                                    No network behavior found

                                                                                                    Target ID:0
                                                                                                    Start time:04:43:12
                                                                                                    Start date:21/11/2024
                                                                                                    Path:C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe"
                                                                                                    Imagebase:0x400000
                                                                                                    File size:3'287'832 bytes
                                                                                                    MD5 hash:CDAA0B967941FFFE97B0D508E696B938
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:low
                                                                                                    Has exited:true

                                                                                                    Target ID:1
                                                                                                    Start time:04:43:12
                                                                                                    Start date:21/11/2024
                                                                                                    Path:C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}\Sage.Eb.eIDSign.Windows.Installer.exe /q"C:\Users\user\Desktop\Sage.Eb.eIDSign.Windows.Installer.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{C7A8A1A5-6E4B-4B26-BD0A-B5C9FBE8A2D4}" /IS_temp
                                                                                                    Imagebase:0x400000
                                                                                                    File size:3'287'832 bytes
                                                                                                    MD5 hash:CDAA0B967941FFFE97B0D508E696B938
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Antivirus matches:
                                                                                                    • Detection: 0%, ReversingLabs
                                                                                                    Reputation:low
                                                                                                    Has exited:true

                                                                                                    Target ID:3
                                                                                                    Start time:04:43:13
                                                                                                    Start date:21/11/2024
                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                                    Imagebase:0x7ff62c440000
                                                                                                    File size:55'320 bytes
                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:4
                                                                                                    Start time:04:43:13
                                                                                                    Start date:21/11/2024
                                                                                                    Path:C:\Windows\System32\SgrmBroker.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                                    Imagebase:0x7ff7648e0000
                                                                                                    File size:329'504 bytes
                                                                                                    MD5 hash:3BA1A18A0DC30A0545E7765CB97D8E63
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:false

                                                                                                    Target ID:5
                                                                                                    Start time:04:43:13
                                                                                                    Start date:21/11/2024
                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                    Imagebase:0x7ff62c440000
                                                                                                    File size:55'320 bytes
                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:false

                                                                                                    Target ID:6
                                                                                                    Start time:04:43:13
                                                                                                    Start date:21/11/2024
                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                                                                                                    Imagebase:0x7ff62c440000
                                                                                                    File size:55'320 bytes
                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:false

                                                                                                    Target ID:7
                                                                                                    Start time:04:43:14
                                                                                                    Start date:21/11/2024
                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                                                                                                    Imagebase:0x7ff62c440000
                                                                                                    File size:55'320 bytes
                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:false

                                                                                                    Target ID:8
                                                                                                    Start time:04:43:18
                                                                                                    Start date:21/11/2024
                                                                                                    Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\user\AppData\Local\Downloaded Installations\{B567D723-533A-4254-ABAB-0B467014446B}\Sage.Eb.eIDSign.Windows.msi" TRANSFORMS="C:\Users\user\AppData\Local\Downloaded Installations\{B567D723-533A-4254-ABAB-0B467014446B}\1033.MST" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="Sage.Eb.eIDSign.Windows.Installer.exe"
                                                                                                    Imagebase:0x6f0000
                                                                                                    File size:59'904 bytes
                                                                                                    MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:9
                                                                                                    Start time:04:43:18
                                                                                                    Start date:21/11/2024
                                                                                                    Path:C:\Windows\System32\msiexec.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                    Imagebase:0x7ff73adb0000
                                                                                                    File size:69'632 bytes
                                                                                                    MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:false

Target ID:10
Start time:04:43:18
Start date:21/11/2024
Path:C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):true
Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 634E06A54BB5FC4E5F05F278FBCAD869 C
Imagebase:0x6f0000
File size:59'904 bytes
MD5 hash:9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:12
Start time:04:43:23
Start date:21/11/2024
Path:C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe"
Imagebase:0x510000
File size:178'624 bytes
MD5 hash:8A78B781926C098346364AF319B07300
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:13
Start time:04:43:25
Start date:21/11/2024
Path:C:\Windows\Installer\MSI1AE.tmp
Wow64 process (32bit):true
Commandline:"C:\Windows\Installer\MSI1AE.tmp" im "C:\Program Files (x86)\Sage\eIDSign\\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.man" /rf:"C:\Program Files (x86)\Sage\eIDSign\\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll" /mf:"C:\Program Files (x86)\Sage\eIDSign\\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll"
Imagebase:0x1f0000
File size:177'664 bytes
MD5 hash:4967093B32BDDABA9193360A1EF3F649
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation:low
Has exited:true

Target ID:14
Start time:04:43:25
Start date:21/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6684c0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:15
Start time:04:43:25
Start date:21/11/2024
Path:C:\Windows\System32\wevtutil.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\Installer\MSI1AE.tmp" im "C:\Program Files (x86)\Sage\eIDSign\\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.man" /rf:"C:\Program Files (x86)\Sage\eIDSign\\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll" /mf:"C:\Program Files (x86)\Sage\eIDSign\\Sage.Eb.UniSign.Windows.Sage-Eb-UniSignWindows.etwManifest.dll" /fromwow64
Imagebase:0x7ff68df60000
File size:278'016 bytes
MD5 hash:1AAE26BD68B911D0420626A27070EB8D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:04:43:26
Start date:21/11/2024
Path:C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Sage\eIDSign\Sage.Eb.UniSign.Windows.exe" firefox-addin
Imagebase:0x730000
File size:178'624 bytes
MD5 hash:8A78B781926C098346364AF319B07300
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:04:43:26
Start date:21/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6684c0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:04:43:32
Start date:21/11/2024
Path:C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):false
Commandline:explorer.exe
Imagebase:0xbb0000
File size:4'514'184 bytes
MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:04:44:14
Start date:21/11/2024
Path:C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:0x7ff6f1650000
File size:468'120 bytes
MD5 hash:B3676839B2EE96983F9ED735CD044159
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:04:44:14
Start date:21/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6684c0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

No disassembly