Windows Analysis Report
SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
Analysis ID:	1427767
MD5:	8745c960022bcefff65c91a47374a169
SHA1:	e503dd1b85b17ba61e468890d11f3259e9437b72
SHA256:	8fd4a4dcbe8b649c8c8cec213352c6da213caaefffc76450efee498e51f63cda
Tags:	exe
Infos:

Detection

Score:	32
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Compliance

Score:	35
Range:	0 - 100

Signatures

Multi AV Scanner detection for submitted file

Deletes itself after installation

Enables network access during safeboot for specific services

Found string related to ransomware

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Abnormal high CPU Usage

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to delete services

Contains functionality to launch a program with higher privileges

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

EXE planting / hijacking vulnerabilities found

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

PE file contains an invalid checksum

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Virustotal: Detection: 8%

Perma Link

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMDownloader.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMInstaller.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Sss.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\PCStarter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TMInstaller.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMLauncher.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\PCStarterXP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TMRemover.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\InstallService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\PCStarter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMRemover.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TMLauncher.exe	Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMDownloader.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMInstaller.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Sss.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\PCStarter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TMInstaller.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMLauncher.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\PCStarterXP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TMRemover.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\InstallService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\PCStarter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMRemover.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TMLauncher.exe	Jump to behavior

Uses 32bit PE files

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TurboMeeting

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user~1\AppData\Local\Temp\TMSetup.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user~1\AppData\Local\Temp\TMInstaller.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\setup_status.txt	Jump to behavior

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Static PE information: certificate valid

Source: unknown

HTTPS traffic detected: 8.18.62.6:443 -> 192.168.2.7:49706 version: TLS 1.2

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\RHUB2\PCSetup\Release.V2017\PCSetup.pdb source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000000.1308753930.0000000000E79000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\TMResource\Release.V2017\TMResource.pdb source: TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\PCInstaller\Release.V2017\PCInstaller.pdb source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000000.1422829262.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\PCUninstaller\Release.V2017\PCUninstaller.pdb@ source: TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\MyHookDll\Release.V2017\MyHookDll.pdb source: TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\dev\work\rhub\Code\SendSAS\release\SendSAS.pdb source: TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\vistafunc\Release.V2017\vistafunc.pdb source: TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000002.3778188999.000000006EC3D000.00000002.00000001.01000000.0000000A.sdmp, TurboMeeting.exe, 00000008.00000002.1527616968.000000006EC3D000.00000002.00000001.01000000.0000000A.sdmp, TurboMeeting.exe, 0000000B.00000002.1574382545.000000006EC3D000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\RHUB2\Code\PCUninstaller\Release.V2017\PCUninstaller.pdb source: TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\TMService\Release.V2017\TMService.pdb source: TMLauncher.exe, 00000004.00000003.1471373053.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\TMService\Release.V2017\TMService.pdbM source: TMLauncher.exe, 00000004.00000003.1471373053.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\PCGUI5\Release.V2017\TurboMeeting.pdb source: TurboMeeting.exe, 00000006.00000002.3776134929.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001889000.00000002.00000001.01000000.00000009.sdmp

Spreading

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E14130 FindFirstFileW,RemoveDirectoryW,SetFileAttributesW,_strstr,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,FormatMessageW,WSAGetLastError,	0_2_00E14130
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E63648 FindFirstFileExW,	0_2_00E63648
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E338A9 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,	0_2_00E338A9
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB4100 FindFirstFileW,RemoveDirectoryW,SetFileAttributesW,_strstr,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,FormatMessageW,WSAGetLastError,	4_2_00CB4100
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB1F00 GetFileAttributesW,CreateDirectoryW,WSAGetLastError,FindFirstFileW,GetLastError,FormatMessageW,FindNextFileW,SetFileAttributesW,CopyFileW,GetLastError,FormatMessageW,FindNextFileW,FindClose,	4_2_00CB1F00
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CC9155 SetLastError,FindFirstFileW,GetLastError,	4_2_00CC9155
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CC929D GetModuleHandleW,GetProcAddress,FindFirstFileW,	4_2_00CC929D
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CD9D08 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,	4_2_00CD9D08
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CFDEE5 FindFirstFileExW,	4_2_00CFDEE5
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Code function: 6_2_6EC354E6 FindFirstFileExW,	6_2_6EC354E6

Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData\Roaming\TurboMeeting	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml	Jump to behavior

Networking

Enables network access during safeboot for specific services

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe

Registry value created: NULL Service

Jump to behavior

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E72440 InternetSetOptionA,InternetSetOptionA,InternetOpenA,InternetSetOptionA,WSAGetLastError,InternetSetOptionA,WSAGetLastError,InternetSetOptionA,WSAGetLastError,InternetConnectA,WSAGetLastError,HttpOpenRequestA,WSAGetLastError,InternetReadFile,InternetQueryOptionA,InternetSetOptionA,HttpSendRequestA,InternetReadFile,HttpSendRequestA,WSAGetLastError,HttpQueryInfoA,WSAGetLastError,InternetReadFile,GetDesktopWindow,InternetErrorDlg,WSAGetLastError,InternetReadFile,WSAGetLastError,InternetReadFileExA,WSAGetLastError,_strstr,WSAGetLastError,

0_2_00E72440

Source: global traffic	HTTP traffic detected: GET /as/wapi/get_client_size?client_type=0&xml_format=Y&client=pc&myrand11262017=fsOpyNl7RRDmyVQ8cYMYTocPl4347283&rdm=1713420883 HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: support.lockwoodbroadcast.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /as/wapi/get_client?client_type=0&client=pc&myrand11262017=1s4z4AVItfvg3fyyYjjDdD6L2c347284&rdm=1713420884 HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: support.lockwoodbroadcast.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: support.lockwoodbroadcast.com

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000000.1308753930.0000000000E79000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmp, TMLauncher.exe, 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000000.1422829262.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://%s%shttp://%shttps://%s%shttps://%shttp://%s:%d%shttp://%s:%drhubcom.comgomeetnow.com.turbome
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://%s%shttps://%s%shttp://%s:%d%shttp://%s:%drhubcom.comgomeetnow.com.turbomeet.comgosupportnow.
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://%s/forumpost.php?euid=%s&cuid=%s&first_name=%s&last_name=%s&from_server_ip=%s&timer_id=%s
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://%s/forumpost.php?euid=%s&cuid=%s&first_name=%s&last_name=%s&from_server_ip=%s&timer_id=%sPMai
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://%s:%d/MeetingRegistration/user/update-meeting-info.php?sp=%s
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://%s:%d/MeetingRegistration/user/update-meeting-info.php?sp=%ssURL
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://https://https://%shttp://%sPCGUI.CInviteAttendee_::OnInitDialog.JoinMessage2PCGUI.CInviteAtte
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://th.symcb.com/th.crl0
Source: TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://th.symcb.com/th.crt0
Source: TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://th.symcd.com0&
Source: TurboMeeting.exe, 00000006.00000000.1494408085.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001802000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://tools.ietf.org/html/draft-ietf-avtext-framemarking-07
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: TurboMeeting.exe, 00000006.00000000.1494408085.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001802000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
Source: TurboMeeting.exe, 0000000B.00000002.1573799950.000000001089C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rhubcom.
Source: TurboMeeting.exe, 0000000B.00000002.1573799950.0000000010859000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rhubcom.com
Source: TurboMeeting.exe, 00000006.00000000.1496181175.0000000001A8A000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1525335027.0000000001A8A000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1555133297.0000000001A8A000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.rhubcom.com.T
Source: TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rhubcom.com0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000000.1422829262.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.rhubcom.comRHUB
Source: TurboMeeting.exe, 00000006.00000000.1494408085.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001802000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-send-time
Source: TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001802000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/color-space
Source: TurboMeeting.exe, 00000006.00000000.1494408085.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001802000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/generic-frame-descriptor-00
Source: TurboMeeting.exe, 00000006.00000000.1494408085.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001802000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/generic-frame-descriptor-00http://www.webrtc.org/experi
Source: TurboMeeting.exe, 00000006.00000000.1494408085.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001802000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/playout-delay
Source: TurboMeeting.exe, 00000006.00000000.1494408085.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001802000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-content-type
Source: TurboMeeting.exe, 00000006.00000000.1494408085.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001802000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-timing
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://compose.mail.yahoo.com/?To=&Subj=
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://mail.google.com/mail/u/0/?view=cm&fs=1&tf=1&to&su=
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://mail.google.com/mail/u/0/?view=cm&fs=1&tf=1&to&su=https://compose.mail.yahoo.com/?To=&Subj=(
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0C
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://streams.videolan.org/upload/
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1476645003.00000000004E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.lockwoodbroadcast.com/
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1477353524.00000000044D0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476116809.0000000000522000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476116809.000000000052B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1476684834.0000000000522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.lockwoodbroadcast.com/as/wapi/get_client?client_type=0&client=pc&myrand11262017=1s4z
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1476645003.0000000000513000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.lockwoodbroadcast.com/as/wapi/get_client_size?client_type=0&xml_format=Y&client=pc&m
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.google.com/calendar/render?action=TEMPLATE&text=

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown

HTTPS traffic detected: 8.18.62.6:443 -> 192.168.2.7:49706 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Potential key logger detected (key state polling based)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E218C5 GetKeyState,GetKeyState,GetKeyState,SendMessageW,		0_2_00E218C5
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CD03AF GetKeyState,GetKeyState,GetKeyState,SendMessageW,		4_2_00CD03AF

Spam, unwanted Advertisements and Ransom Demands

Found string related to ransomware

Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: /as/wapi/login?XMLHTTPRequest=Y&Email=%s&Password=%s&RememberMe=%s&Version=%s&pass_through=%s&employee_uid=%s&run_service=%s&os_version=%d&os_description=%s&encrypted=Y
Source: TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: /as/wapi/login?XMLHTTPRequest=Y&Email=%s&Password=%s&RememberMe=%s&Version=%s&pass_through=%s&employee_uid=%s&run_service=%s&os_version=%d&os_description=%s&encrypted=Y
Source: TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: /as/wapi/login?XMLHTTPRequest=Y&Email=%s&Password=%s&RememberMe=%s&Version=%s&pass_through=%s&employee_uid=%s&run_service=%s&os_version=%d&os_description=%s&encrypted=Y
Source: TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: /as/wapi/login?XMLHTTPRequest=Y&Email=%s&Password=%s&RememberMe=%s&Version=%s&pass_through=%s&employee_uid=%s&run_service=%s&os_version=%d&os_description=%s&encrypted=Y
Source: TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: /as/wapi/login?XMLHTTPRequest=Y&Email=%s&Password=%s&RememberMe=%s&Version=%s&pass_through=%s&employee_uid=%s&run_service=%s&os_version=%d&os_description=%s&encrypted=Y
Source: TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: /as/wapi/login?XMLHTTPRequest=Y&Email=%s&Password=%s&RememberMe=%s&Version=%s&pass_through=%s&employee_uid=%s&run_service=%s&os_version=%d&os_description=%s&encrypted=Y

System Summary

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe

Process Stats: CPU usage > 49%

Contains functionality to delete services

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe

Code function: 4_2_00CA5C10 GetActiveWindow,MessageBoxW,Sleep,OpenSCManagerW,OpenServiceW,ControlService,Sleep,DeleteService,Sleep,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,WSAGetLastError,CloseServiceHandle,CloseServiceHandle,WSAGetLastError,

4_2_00CA5C10

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E4CDF6	0_2_00E4CDF6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E70F20	0_2_00E70F20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E48099	0_2_00E48099
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E48343	0_2_00E48343
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E70330	0_2_00E70330
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E105F0	0_2_00E105F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E70620	0_2_00E70620
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E4860A	0_2_00E4860A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E488C5	0_2_00E488C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E3C8D5	0_2_00E3C8D5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E6A8B6	0_2_00E6A8B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E6A9DF	0_2_00E6A9DF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E70AE0	0_2_00E70AE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E06C90	0_2_00E06C90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E68E8F	0_2_00E68E8F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E10FD0	0_2_00E10FD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E4D026	0_2_00E4D026
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E6D010	0_2_00E6D010
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E4D256	0_2_00E4D256
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E4D4C0	0_2_00E4D4C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E37463	0_2_00E37463
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E71660	0_2_00E71660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E6D7B0	0_2_00E6D7B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E478D0	0_2_00E478D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E5182F	0_2_00E5182F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E679B9	0_2_00E679B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E5BA03	0_2_00E5BA03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E51B86	0_2_00E51B86
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E53B80	0_2_00E53B80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E6FC10	0_2_00E6FC10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E47D27	0_2_00E47D27
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E1BF40	0_2_00E1BF40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E45F4A	0_2_00E45F4A
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE71E4	4_2_00CE71E4
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CF60D8	4_2_00CF60D8
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE2130	4_2_00CE2130
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D02269	4_2_00D02269
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CA8350	4_2_00CA8350
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE2377	4_2_00CE2377
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE0330	4_2_00CE0330
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CC6440	4_2_00CC6440
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D08580	4_2_00D08580
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE26E9	4_2_00CE26E9
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CA6660	4_2_00CA6660
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB08E5	4_2_00CB08E5
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D0A9E0	4_2_00D0A9E0
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE2993	4_2_00CE2993
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB2CC0	4_2_00CB2CC0
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE2C5A	4_2_00CE2C5A
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE2F15	4_2_00CE2F15
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CAD070	4_2_00CAD070
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D0B100	4_2_00D0B100
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB1257	4_2_00CB1257
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB122C	4_2_00CB122C
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CED3C0	4_2_00CED3C0
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D0B3F0	4_2_00D0B3F0
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB14D0	4_2_00CB14D0
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D054F4	4_2_00D054F4
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CEB45F	4_2_00CEB45F
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE7416	4_2_00CE7416
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE7648	4_2_00CE7648
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D05614	4_2_00D05614
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D0B8B0	4_2_00D0B8B0
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE78A5	4_2_00CE78A5
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D03BBF	4_2_00D03BBF
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D07DE0	4_2_00D07DE0
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CFFFCC	4_2_00CFFFCC
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Code function: 6_2_6EC3B4B1	6_2_6EC3B4B1

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: String function: 00CDEBDC appears 84 times
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: String function: 00CA6620 appears 74 times
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: String function: 00CA6260 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: String function: 00CAF930 appears 325 times
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: String function: 00CDECC0 appears 68 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: String function: 00E07CD0 appears 68 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: String function: 00E01D51 appears 33 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: String function: 00E441EB appears 34 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: String function: 00E44180 appears 115 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: String function: 00E44880 appears 67 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: String function: 00E0EEE0 appears 246 times

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000000.1308827291.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMeetingStarter.exe@ vs SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMeetingStarter.exe@ vs SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Uses 32bit PE files

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: sus32.rans.winEXE@9/98@2/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E14130 FindFirstFileW,RemoveDirectoryW,SetFileAttributesW,_strstr,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,FormatMessageW,WSAGetLastError,

0_2_00E14130

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E14F80 GetLastError,CreateToolhelp32Snapshot,GetLastError,Process32FirstW,CloseHandle,GetLastError,GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,ImpersonateSelf,GetLastError,GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,OpenProcess,_strstr,TerminateProcess,CloseHandle,GetLastError,GetLastError,Process32NextW,CloseHandle,		0_2_00E14F80
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB5020 GetLastError,CreateToolhelp32Snapshot,GetLastError,Process32FirstW,CloseHandle,GetLastError,GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,ImpersonateSelf,GetLastError,GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,OpenProcess,_strstr,TerminateProcess,FindCloseChangeNotification,GetLastError,GetLastError,Process32NextW,FindCloseChangeNotification,		4_2_00CB5020

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E14F80 GetLastError,CreateToolhelp32Snapshot,GetLastError,Process32FirstW,CloseHandle,GetLastError,GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,ImpersonateSelf,GetLastError,GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,OpenProcess,_strstr,TerminateProcess,CloseHandle,GetLastError,GetLastError,Process32NextW,CloseHandle,

0_2_00E14F80

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E2E860 CoInitialize,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,

0_2_00E2E860

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E2B751 __ehhandler$?enable_segment@_Helper@_Concurrent_vector_base_v4@details@Concurrency@@SAIAAV234@II@Z,__EH_prolog3_catch,FindResourceW,LoadResource,LockResource,GetDesktopWindow,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource,

0_2_00E2B751

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe

File created: C:\Users\user\AppData\Roaming\TurboMeeting

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe

Mutant created: \Sessions\1\BaseNamedObjects\TMCacheFileMutex

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

File created: C:\Users\user~1\AppData\Local\Temp\TMSetup.txt

Jump to behavior

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: TurboMeeting.exe, 00000006.00000002.3776134929.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001889000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: TurboMeeting.exe, 00000006.00000002.3776134929.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001889000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: TurboMeeting.exe, 00000006.00000002.3776134929.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001889000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: TurboMeeting.exe, 00000006.00000002.3776134929.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001889000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: TurboMeeting.exe, 00000006.00000002.3776134929.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001889000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: TurboMeeting.exe, 00000006.00000002.3776134929.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001889000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: TurboMeeting.exe, 00000006.00000002.3776134929.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001889000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Virustotal: Detection: 8%

Source: TMLauncher.exe

String found in binary or memory: --installprinter

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe "C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe"
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe "C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe" --program C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\rsp1024hcmd.txt
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe TurboMeeting.exe --MagDetect
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe TurboMeeting.exe --VSEDetect
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe "C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe "C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe" --program C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\rsp1024hcmd.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe TurboMeeting.exe --MagDetect	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe TurboMeeting.exe --VSEDetect	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: vdmdbg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: vistafunc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: asycfilt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: vdmdbg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: vistafunc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: vdmdbg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: vistafunc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: winsta.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: TurboMeeting.lnk.6.dr	LNK file: ..\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe
Source: TurboMeeting Start Meeting.lnk.6.dr	LNK file: ..\..\..\..\..\TurboMeeting\TurboMeeting\TurboMeeting.exe
Source: TurboMeeting Uninstall.lnk.6.dr	LNK file: ..\..\..\..\..\TurboMeeting\TMRemover.exe

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe

File opened: C:\Users\user\Desktop\starter.cfg

Jump to behavior

Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue

Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TurboMeeting

Jump to behavior

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Static PE information: certificate valid

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\RHUB2\PCSetup\Release.V2017\PCSetup.pdb source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000000.1308753930.0000000000E79000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\TMResource\Release.V2017\TMResource.pdb source: TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\PCInstaller\Release.V2017\PCInstaller.pdb source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000000.1422829262.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\PCUninstaller\Release.V2017\PCUninstaller.pdb@ source: TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\MyHookDll\Release.V2017\MyHookDll.pdb source: TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\dev\work\rhub\Code\SendSAS\release\SendSAS.pdb source: TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\vistafunc\Release.V2017\vistafunc.pdb source: TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000002.3778188999.000000006EC3D000.00000002.00000001.01000000.0000000A.sdmp, TurboMeeting.exe, 00000008.00000002.1527616968.000000006EC3D000.00000002.00000001.01000000.0000000A.sdmp, TurboMeeting.exe, 0000000B.00000002.1574382545.000000006EC3D000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\RHUB2\Code\PCUninstaller\Release.V2017\PCUninstaller.pdb source: TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\TMService\Release.V2017\TMService.pdb source: TMLauncher.exe, 00000004.00000003.1471373053.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\TMService\Release.V2017\TMService.pdbM source: TMLauncher.exe, 00000004.00000003.1471373053.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\PCGUI5\Release.V2017\TurboMeeting.pdb source: TurboMeeting.exe, 00000006.00000002.3776134929.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001889000.00000002.00000001.01000000.00000009.sdmp

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

PE file contains an invalid checksum

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Static PE information: real checksum: 0xca6f3 should be: 0xcb5fb

PE file contains sections with non-standard names

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: section name: _RDATA
Source: dbghelp.dll.0.dr	Static PE information: section name: .didat
Source: InstallService.exe.0.dr	Static PE information: section name: _RDATA
Source: PCStarter.exe.0.dr	Static PE information: section name: _RDATA
Source: PCStarterXP.exe.0.dr	Static PE information: section name: _RDATA
Source: TMDownloader.exe.0.dr	Static PE information: section name: _RDATA
Source: TMInstaller.exe.0.dr	Static PE information: section name: _RDATA
Source: TMRemover.exe.0.dr	Static PE information: section name: _RDATA
Source: TMService.exe.0.dr	Static PE information: section name: _RDATA
Source: TurboMeeting.dll.0.dr	Static PE information: section name: .HookSha
Source: TurboMeeting.exe.0.dr	Static PE information: section name: .rodata
Source: TurboMeeting.exe.0.dr	Static PE information: section name: _RDATA
Source: TMLauncher.exe.0.dr	Static PE information: section name: _RDATA
Source: TMRemover.exe.4.dr	Static PE information: section name: _RDATA
Source: TMInstaller.exe.4.dr	Static PE information: section name: _RDATA
Source: TMLauncher.exe.4.dr	Static PE information: section name: _RDATA
Source: dbghelp.dll.4.dr	Static PE information: section name: .didat
Source: InstallService.exe.4.dr	Static PE information: section name: _RDATA
Source: PCStarter.exe.4.dr	Static PE information: section name: _RDATA
Source: PCStarterXP.exe.4.dr	Static PE information: section name: _RDATA
Source: TMDownloader.exe.4.dr	Static PE information: section name: _RDATA
Source: TMInstaller.exe0.4.dr	Static PE information: section name: _RDATA
Source: TMLauncher.exe0.4.dr	Static PE information: section name: _RDATA
Source: TMRemover.exe0.4.dr	Static PE information: section name: _RDATA
Source: TMService.exe.4.dr	Static PE information: section name: _RDATA
Source: TurboMeeting.dll.4.dr	Static PE information: section name: .HookSha
Source: TurboMeeting.exe.4.dr	Static PE information: section name: .rodata
Source: TurboMeeting.exe.4.dr	Static PE information: section name: _RDATA
Source: PCStarter.exe0.4.dr	Static PE information: section name: _RDATA
Source: TM1713420902.dll.6.dr	Static PE information: section name: .HookSha
Source: TM1713420903.dll.8.dr	Static PE information: section name: .HookSha
Source: TM1713420905.dll.11.dr	Static PE information: section name: .HookSha

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E44149 push ecx; ret	0_2_00E4415C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E448C6 push ecx; ret	0_2_00E448D9
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC0FE pushad ; ret	4_2_00CBC0FF
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE0AB pushad ; ret	4_2_00CBE0AC
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC0A6 pushad ; ret	4_2_00CBC0A7
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC04E pushad ; ret	4_2_00CBC04F
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE041 push dword ptr [ebx+60858D01h]; ret	4_2_00CBE054
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE15B pushad ; ret	4_2_00CBE15C
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC156 pushad ; ret	4_2_00CBC157
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE103 pushad ; ret	4_2_00CBE104
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC2D6 pushad ; ret	4_2_00CBC2D7
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE2BB pushad ; ret	4_2_00CBE2BC
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE263 pushad ; ret	4_2_00CBE264
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE20B pushad ; ret	4_2_00CBE20C
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC216 pushad ; ret	4_2_00CBC217
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC3EB pushad ; ret	4_2_00CBC3EC
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE3B3 push dword ptr [ebx+60858D01h]; ret	4_2_00CBE3C4
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE310 pushad ; ret	4_2_00CBE31A
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC32E pushad ; ret	4_2_00CBC32F
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC4F3 pushad ; ret	4_2_00CBC4F4
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC49B pushad ; ret	4_2_00CBC49C
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC443 pushad ; ret	4_2_00CBC444
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE463 push dword ptr [ebx+60858D01h]; ret	4_2_00CBE474
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE414 push dword ptr [ebx+60858D01h]; ret	4_2_00CBE41C
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC5FB pushad ; ret	4_2_00CBC5FC
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC5A3 pushad ; ret	4_2_00CBC5A4
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC54B pushad ; ret	4_2_00CBC54C
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC6AB pushad ; ret	4_2_00CBC6AC
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC653 pushad ; ret	4_2_00CBC654
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC7FB push dword ptr [ebx+60858D01h]; ret	4_2_00CBC80C
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC7B3 pushad ; ret	4_2_00CBC7B4

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMDownloader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMResource.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMRemover.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Sss.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TurboMeeting.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMLauncher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\jsproxy.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\jsproxy.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\HookDLL\TM1713420902.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\vistafunc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\InstallService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\PCStarter.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\HookDLL\TM1713420903.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMRemover.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\dbghelp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMInstaller.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMDownloader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dbghelp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TMInstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\PCStarter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\Sss.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMInstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\vistafunc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\PCStarterXP.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\PCStarter.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMResource.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TMRemover.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\InstallService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\PCStarterXP.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TurboMeeting.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TMLauncher.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\HookDLL\TM1713420905.dll	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user~1\AppData\Local\Temp\TMSetup.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user~1\AppData\Local\Temp\TMInstaller.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\setup_status.txt	Jump to behavior

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Window found: window name: Progman			Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Window found: window name: Progman			Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TurboMeeting	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TurboMeeting\TurboMeeting Start Meeting.lnk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TurboMeeting\TurboMeeting Uninstall.lnk	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe

File deleted: c:\users\user\desktop\securiteinfo.com.trojan.siggen21.62491.4036.26173.exe

Jump to behavior

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E22DF3 IsIconic,		0_2_00E22DF3
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CD1882 IsIconic,		4_2_00CD1882

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E45F4A GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00E45F4A

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMDownloader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMResource.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMRemover.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Sss.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\jsproxy.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\jsproxy.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\HookDLL\TM1713420902.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\InstallService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\PCStarter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\HookDLL\TM1713420903.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMRemover.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\dbghelp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMDownloader.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dbghelp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\PCStarter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\Sss.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\PCStarterXP.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\PCStarter.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMResource.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TMRemover.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\InstallService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\PCStarterXP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TurboMeeting.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\HookDLL\TM1713420905.dll	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E14130 FindFirstFileW,RemoveDirectoryW,SetFileAttributesW,_strstr,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,FormatMessageW,WSAGetLastError,	0_2_00E14130
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E63648 FindFirstFileExW,	0_2_00E63648
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E338A9 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,	0_2_00E338A9
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB4100 FindFirstFileW,RemoveDirectoryW,SetFileAttributesW,_strstr,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,FormatMessageW,WSAGetLastError,	4_2_00CB4100
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB1F00 GetFileAttributesW,CreateDirectoryW,WSAGetLastError,FindFirstFileW,GetLastError,FormatMessageW,FindNextFileW,SetFileAttributesW,CopyFileW,GetLastError,FormatMessageW,FindNextFileW,FindClose,	4_2_00CB1F00
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CC9155 SetLastError,FindFirstFileW,GetLastError,	4_2_00CC9155
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CC929D GetModuleHandleW,GetProcAddress,FindFirstFileW,	4_2_00CC929D
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CD9D08 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,	4_2_00CD9D08
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CFDEE5 FindFirstFileExW,	4_2_00CFDEE5
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Code function: 6_2_6EC354E6 FindFirstFileExW,	6_2_6EC354E6

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E59389 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,

0_2_00E59389

Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData\Roaming\TurboMeeting	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml	Jump to behavior

Source: TurboMeeting.exe, 00000006.00000002.3776866345.0000000002263000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA*k(
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476116809.000000000052B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476403815.00000000004BA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1476524588.00000000004BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`mS%SystemRoot%\system32\mswsock.dllC
Source: TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: VMware Screen Codec / VMware Video
Source: TurboMeeting.exe, 00000008.00000003.1522178362.0000000000688000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1521892122.000000000067D000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 0000000B.00000002.1555648025.0000000002267000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E18060 GetModuleFileNameW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,CreateFileW,OutputDebugStringW,SetFilePointer,CloseHandle,lstrcpyW,CreateFileW,CloseHandle,IsDebuggerPresent,

0_2_00E18060

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E1D692 OutputDebugStringA,GetLastError,

0_2_00E1D692

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E59389 VirtualProtect ?,-00000001,00000104,?,?,?,0000001C

0_2_00E59389

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E5FD22 mov eax, dword ptr fs:[00000030h]	0_2_00E5FD22
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E4FDB8 mov eax, dword ptr fs:[00000030h]	0_2_00E4FDB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E5FD67 mov eax, dword ptr fs:[00000030h]	0_2_00E5FD67
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CEE5E5 mov eax, dword ptr fs:[00000030h]	4_2_00CEE5E5
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CFAF97 mov eax, dword ptr fs:[00000030h]	4_2_00CFAF97
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Code function: 6_2_6EC33C4D mov eax, dword ptr fs:[00000030h]	6_2_6EC33C4D
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Code function: 6_2_6EC34DFD mov eax, dword ptr fs:[00000030h]	6_2_6EC34DFD

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E633F8 GetProcessHeap,

0_2_00E633F8

Enables debug privileges

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E0E5A0 SetUnhandledExceptionFilter,SetThreadPriority,WSAGetLastError,SetEvent,SetEvent,SetEvent,	0_2_00E0E5A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E01596 SetUnhandledExceptionFilter,#17,_wprintf,GetClassInfoW,WSAStartup,GetModuleFileNameW,_strlen,_strlen,GetModuleFileNameW,PathStripPathW,_strstr,_strstr,_strlen,LoadImageW,SendMessageW,PostMessageW,	0_2_00E01596
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E4A64E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E4A64E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E44B9F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E44B9F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E44D32 SetUnhandledExceptionFilter,	0_2_00E44D32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E43F3A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00E43F3A
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CA1C30 SetUnhandledExceptionFilter,#17,_strstr,_strstr,	4_2_00CA1C30
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CDE3BD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00CDE3BD
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE4A2E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00CE4A2E
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CDEFB3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00CDEFB3
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CDF146 SetUnhandledExceptionFilter,	4_2_00CDF146
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Code function: 6_2_6EC34E2E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_6EC34E2E
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Code function: 6_2_6EC32093 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_6EC32093
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Code function: 6_2_6EC31D02 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_6EC31D02

HIPS / PFW / Operating System Protection Evasion

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E082A0 GetTempPathW,Sleep,CopyFileW,ShellExecuteExW,GetLastError,GetFileAttributesW,

0_2_00E082A0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E13D20 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetLastError,GlobalAlloc,GetTokenInformation,GetLastError,AllocateAndInitializeSid,GetLastError,EqualSid,FreeSid,GlobalFree,

0_2_00E13D20

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: GShell_TrayWndkernel32.dllDbIU@0{@P
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndkernel32.dllsClientName = %s, sDesktopDirectory = %s, sStartMenuDirectory = %s, sCurrentDirectory = %sc:\rhub2\code\pcutility\pcutility.cppPCUtility:RemoveLink()%s\%s.lnkRemove sLink: %sStart Session%s.lnkStart MeetingRemove start menu directory: %sSoftware\Microsoft\Windows\CurrentVersion\Uninstallfailed to remove registry, sKey = %s, error %d, %sPCUtility::RemoveLink()DeleteRegistryKey(%s)c:\ProgramData\Microsoft\Windows\Start Menu\Programs\%swSoftware\ClassesURL:%s StarterURL ProtocolsKey = %s, sURL = %s, sStarterFile = %s, sClientName = %sPCUtility:RegisterStarter()%s\shell\open\command"%s" %%1sCommandKey = %sSoftware\Microsoft\Internet Explorer\ProtocolExecute0WarnOnOpenRHUBMXmeetingvector<T> too longlist<T> too longMore than log instance, reported from MyLog::Initialize()Server.\RunServerLog%s%s.txt%s%s.bak%s%s.bak.bak%sServerMemoryLog.txt%sServerMemoryLog.bakrsp1024h%s.bak%s.bak.bak%sClientMemoryLog.txt%sClientMemoryLog.bakwfailed to create log file %s in MyLog::GetWorkingDirectory(), %dException happens in MyLog::Initialize()%d-%02d-%02d %02d:%02d:%02dafailed to create log file %s in MyLog::GetWorkingDirectory()%d
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000000.1308753930.0000000000E79000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: Shell_TrayWndkernel32.dllDb
Source: TMLauncher.exe	Binary or memory string: Progman
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: ?sBuffer is NULL = %s, iWidth = %d, iHeight = %dc:\rhub2\gui5\virtualgui\pcimage.cppPCImage::ImageBufferToPNGimage.GetLastError() = %sProgmanMS-SDIaMS-SDIbWindows.UI.Core.CoreWindow>>>>> New call c:\rhub2\gui5\virtualgui\pcapplicationsharingmonitor.cppPCApplicationSharingMonitor::GetApplicationList!!! ERROR: GetMonitorByHandle() failed for m_vWindowHandle = %dPCApplicationSharingMonitor::ChangeSharingApplicationc:\rhub2\gui5\virtualgui\guivideo.cppenter: m_iCurrentWebCamStatus = %d, iControlCode = %dGUIVideo::StopWebCamStopWebCam, iControlCode == PRESENTER_ALL_STOP \|\| iControlCode == VIEWER_ALL_STOPGetWebCamNamesStopWebCamGUIVideo::WebCamStatusCallbackGUIVideo::WebCamStatusCallback.WebcamFailedToStartGUIVideo::WebCamStatusCallback.WebcamRefusedToStart1GUIVideo::WebCamStatusCallback.WebcamRefusedToStart2GUIVideo::WebCamStatusCallback.WebcamRefusedToStart3GUIVideo::WebCamStatusCallback.WebcamRefusedToStart4m_bWebcamStartedByUser = %sGUIVideo::SetWebcamStartedByUserm_bWebcamPreviewStartedByUser = %s
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: invalid headerno new downloadhProcessSnap == INVALID_HANDLE_VALUE: %d, %s!Process32First(): %d, %ssProcessName = %sUtility::TerminateProcessByNameImpersonateSelf(SecurityImpersonation) failed: %d, %sOpenThreadToken() failed: %d, %sSeDebugPrivilegeCRITICAL ISSUE: there is a dead loop. One TurboMeeting.exe cannot be removed!.exesCommandLine = %s, sWorkingDirectory = %sUtility::StartProcessUTF8ToUTF16 is OKsucceeded.iErrorCode = %d, Error = %ssCommandLine = %sopenShellExecute(): iHinstance = %d, iErrorCode = %d, Error = %s, sExecutable = %s, sParameter = %s%s\*...Utility::RemoveAllFileEnd of RemoveAllFile: path = %s, %s, error code: %d, error: %s-sCurrentFilePath = %sSYSTEMbSystemUser = true, sUserApplicationDirectory = %s\..\..\..user application directory does not existbSystemUser = false, sUserApplicationDirectory = %sfrom CSIDL_COMMON_DOCUMENTS, sUserApplicationDirectory = %ssStartMenuDirectory = %ssCurrentDirectory = %ssCurrentFile = %ssUserApplicationDirectory = %ssTempDirectory = %ssDesktopDirectory = %sbUserAppDirAccessable = truebUserAppDirAccessable = falsebSystemUser = truebSystemUser = falseProgmanSHELLDLL_DefViewSysListView32sClientName: %s,
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: </__OUTLOOK_INTEGRATION__><__OUTLOOK_INTEGRATION__>outlook plugin was installed.c:\rhub2\pcgui5\pcgui\mainfrm.cppMainFrame::OnUpdateSoftwarePREVIOUS_ENTRY_POINT_JOINimage\ApplicationIcon.icoTurboMeetingMainWindowClassenter.MainFrame::OnClose()Error = %dToolbarWindow32TrayNotifyWndPCGUI.CSelectMeetingType::HostMeeting.SystemTrayIconTurboMeetingShell_TrayWnd</__ExitDueToNoConnection__><__ExitDueToNoConnection__></__Message__><__Message__></__PollingResponse__><__PollingResponse__>Received Polling response Error while parsing the string UserId = %d, %sMainWindow::OnRespondPolling()</__PollingId__><__PollingId__>Received Polling response Error while parsing the string No Poll Id UserId = %d, %sReceived Polling response from user But We do not have polling Id %dReceived Polling response UserId = %d, %s</__Choice0__><__Choice0__></__Choice1__><__Choice1__></__Choice2__><__Choice2__></__Choice3__><__Choice3__></__Choice4__><__Choice4__></__PollingQuestion__><__PollingQuestion__>Error while parsing the Polling Question %sMainWindow::OnShowRequestPolling()Error while parsing the Polling id %s</__IsSingleResponse__><__IsSingleResponse__></__Question__><__Question__></__PollingResult__><__PollingResult__>Error while parsing the Polling results From User %d : %sMainWindow::OnShowPublishPolling()Error while parsing the Polling Id. No PollingId is present: From User %d : %s</__TotalResponse__><__TotalResponse__></__ResponseChoice0__><__ResponseChoice0__></__ResponseChoice1__><__ResponseChoice1__></__ResponseChoice2__><__ResponseChoice2__></__ResponseChoice3__><__ResponseChoice3__></__ResponseChoice4__><__ResponseChoice4__>PCGUI.MainWindow::MainWindow.ExitPCGUI.IDR_TRAY_MENU.ID_OPENPCGUI.IDD_ACTIVEGIALOG.IDC_STATIC_ACTIVE_LIST_HEADINGPCGUI.CScreenShare::UpdateAttendeeList.HostPCGUI.PLoginDialog::OnInitDialog.JoinPCGUI.MainWindow::MainWindow.AboutPCGUI.BUTTON.REMOVEOpenATTENDEE_CONTROL_DIALOG User Type: %d, iChangedUserType = %dMainFrame::UpdateGUIOnUserTypeHOST_CONTROL_DIALOG User Type: %dMainFrame::UpdateGUIOnUserType.HOST_BECOME_VIEWERMainFrame::UpdateGUIOnUserType.HOST_BECOME_PRESENTERATTENDEE_CONTROL_DIALOG User Type: %dMainFrame::UpdateGUIOnUserType.ATTENDEE_BECOME_VIEWERMainFrame::UpdateGUIOnUserType.ATTENDEE_BECOME_PRESENTERMainFrame::UpdateGUIOnUserType.ATTENDEE_BECOME_HOSTMainFrame::UpdateGUIOnUserType.HOST_BECOME_ATTENDEEPCGUI.PhysicalGUI::ProcessMessage.WantControllerPermissionPCGUI.PhysicalGUI::ProcessMessage.RequestControllerPCGUI.PhysicalGUI::ProcessMessage.WantPresenterPermissionPCGUI.PhysicalGUI::ProcessMessage.RequestPresenteriCameraDisplayFormat = %d, iUserType = %d m_bVideoDetached = %d, m_bNoWebcamAvailable = %dMainFrame::OnUpdateWindowPositionTurboMeeting.exeCMD_BYPASS_PRESENCE: sCommand = %sMainFrame::ExecuteCommand()Failed CMD_BYPASS_PRESENCE. sCommand = %sPCGUI.IDD_ASSIGN_PRESENTER_DIALOG.WindowTextPCApplicationSharingMonitor::GetApplicationList.StayWithHDPCGUI.PControlPanelWnd::CreateButtonControls.BecomePresenterPCGUI.PSliderDialo

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E44DDF cpuid

0_2_00E44DDF

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: GetModuleHandleW,GetProcAddress,EncodePointer,DecodePointer,GetLocaleInfoEx,GetLocaleInfoW,	0_2_00E2F81B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00E66014
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: GetLocaleInfoW,	0_2_00E66264
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00E6638D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: GetLocaleInfoW,	0_2_00E66494
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00E66567
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: EnumSystemLocalesW,	0_2_00E5D13C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: GetLocaleInfoW,	0_2_00E5D78F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_00E65C29
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: EnumSystemLocalesW,	0_2_00E65EEC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: EnumSystemLocalesW,	0_2_00E65EA1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: EnumSystemLocalesW,	0_2_00E65F87
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: GetModuleHandleW,GetProcAddress,EncodePointer,DecodePointer,GetLocaleInfoEx,GetLocaleInfoW,	4_2_00CD5FAF
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	4_2_00D0051B
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: EnumSystemLocalesW,	4_2_00D007BD
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: EnumSystemLocalesW,	4_2_00D008A3
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: EnumSystemLocalesW,	4_2_00D00808
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	4_2_00D0092E
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: GetLocaleInfoW,	4_2_00D00B81
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_00D00CA7
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: GetLocaleInfoW,	4_2_00D00DAD
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_00D00E7C
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: EnumSystemLocalesW,	4_2_00CF7731
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: GetLocaleInfoW,	4_2_00CF7C53

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tm_starter_dir\rsp1024hcmd.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\rsp1024hcmd.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E12320 GetSystemTime,

0_2_00E12320

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E13110 GetModuleFileNameW,GetLongPathNameW,GetUserNameW,SHGetFolderPathW,_strstr,_strstr,SHGetFolderPathW,SHGetFolderPathW,GetTempPathW,GetLongPathNameW,SHGetSpecialFolderPathW,SHGetFolderPathW,GetLongPathNameW,GetLongPathNameW,SHGetFolderPathW,GetLongPathNameW,

0_2_00E13110

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E62425 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00E62425

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E172E0 GetVersionExW,GetVersionExW,GetVersionExW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,

0_2_00E172E0

Remote Access Functionality

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe

Code function: 4_2_00CA1840 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,

4_2_00CA1840

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
8.18.62.6	support.lockwoodbroadcast.com	United States		32662	GMCRUS	false

Contacted Domains

Name	IP	Active
support.lockwoodbroadcast.com	8.18.62.6	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://support.lockwoodbroadcast.com/as/wapi/get_client_size?client_type=0&xml_format=Y&client=pc&myrand11262017=fsOpyNl7RRDmyVQ8cYMYTocPl4347283&rdm=1713420883	false		high
https://support.lockwoodbroadcast.com/as/wapi/get_client?client_type=0&client=pc&myrand11262017=1s4z4AVItfvg3fyyYjjDdD6L2c347284&rdm=1713420884	false		high

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Virustotal: Detection: 8%

Perma Link

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMDownloader.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMInstaller.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Sss.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\PCStarter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TMInstaller.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMLauncher.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\PCStarterXP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TMRemover.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\InstallService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\PCStarter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMRemover.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TMLauncher.exe	Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMDownloader.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMInstaller.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Sss.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\PCStarter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TMInstaller.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMLauncher.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\PCStarterXP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TMRemover.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\InstallService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\PCStarter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMRemover.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TMLauncher.exe	Jump to behavior

Uses 32bit PE files

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TurboMeeting

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user~1\AppData\Local\Temp\TMSetup.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user~1\AppData\Local\Temp\TMInstaller.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\setup_status.txt	Jump to behavior

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Static PE information: certificate valid

Source: unknown

HTTPS traffic detected: 8.18.62.6:443 -> 192.168.2.7:49706 version: TLS 1.2

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\RHUB2\PCSetup\Release.V2017\PCSetup.pdb source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000000.1308753930.0000000000E79000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\TMResource\Release.V2017\TMResource.pdb source: TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\PCInstaller\Release.V2017\PCInstaller.pdb source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000000.1422829262.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\PCUninstaller\Release.V2017\PCUninstaller.pdb@ source: TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\MyHookDll\Release.V2017\MyHookDll.pdb source: TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\dev\work\rhub\Code\SendSAS\release\SendSAS.pdb source: TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\vistafunc\Release.V2017\vistafunc.pdb source: TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000002.3778188999.000000006EC3D000.00000002.00000001.01000000.0000000A.sdmp, TurboMeeting.exe, 00000008.00000002.1527616968.000000006EC3D000.00000002.00000001.01000000.0000000A.sdmp, TurboMeeting.exe, 0000000B.00000002.1574382545.000000006EC3D000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\RHUB2\Code\PCUninstaller\Release.V2017\PCUninstaller.pdb source: TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\TMService\Release.V2017\TMService.pdb source: TMLauncher.exe, 00000004.00000003.1471373053.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\TMService\Release.V2017\TMService.pdbM source: TMLauncher.exe, 00000004.00000003.1471373053.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\PCGUI5\Release.V2017\TurboMeeting.pdb source: TurboMeeting.exe, 00000006.00000002.3776134929.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001889000.00000002.00000001.01000000.00000009.sdmp

Spreading

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E14130 FindFirstFileW,RemoveDirectoryW,SetFileAttributesW,_strstr,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,FormatMessageW,WSAGetLastError,	0_2_00E14130
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E63648 FindFirstFileExW,	0_2_00E63648
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E338A9 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,	0_2_00E338A9
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB4100 FindFirstFileW,RemoveDirectoryW,SetFileAttributesW,_strstr,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,FormatMessageW,WSAGetLastError,	4_2_00CB4100
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB1F00 GetFileAttributesW,CreateDirectoryW,WSAGetLastError,FindFirstFileW,GetLastError,FormatMessageW,FindNextFileW,SetFileAttributesW,CopyFileW,GetLastError,FormatMessageW,FindNextFileW,FindClose,	4_2_00CB1F00
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CC9155 SetLastError,FindFirstFileW,GetLastError,	4_2_00CC9155
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CC929D GetModuleHandleW,GetProcAddress,FindFirstFileW,	4_2_00CC929D
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CD9D08 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,	4_2_00CD9D08
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CFDEE5 FindFirstFileExW,	4_2_00CFDEE5
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Code function: 6_2_6EC354E6 FindFirstFileExW,	6_2_6EC354E6

Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData\Roaming\TurboMeeting	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml	Jump to behavior

Networking

Enables network access during safeboot for specific services

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe

Registry value created: NULL Service

Jump to behavior

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

0_2_00E72440

Source: global traffic	HTTP traffic detected: GET /as/wapi/get_client_size?client_type=0&xml_format=Y&client=pc&myrand11262017=fsOpyNl7RRDmyVQ8cYMYTocPl4347283&rdm=1713420883 HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: support.lockwoodbroadcast.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /as/wapi/get_client?client_type=0&client=pc&myrand11262017=1s4z4AVItfvg3fyyYjjDdD6L2c347284&rdm=1713420884 HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: support.lockwoodbroadcast.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: support.lockwoodbroadcast.com

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000000.1308753930.0000000000E79000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmp, TMLauncher.exe, 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000000.1422829262.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://%s%shttp://%shttps://%s%shttps://%shttp://%s:%d%shttp://%s:%drhubcom.comgomeetnow.com.turbome
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://%s%shttps://%s%shttp://%s:%d%shttp://%s:%drhubcom.comgomeetnow.com.turbomeet.comgosupportnow.
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://%s/forumpost.php?euid=%s&cuid=%s&first_name=%s&last_name=%s&from_server_ip=%s&timer_id=%s
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://%s/forumpost.php?euid=%s&cuid=%s&first_name=%s&last_name=%s&from_server_ip=%s&timer_id=%sPMai
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://%s:%d/MeetingRegistration/user/update-meeting-info.php?sp=%s
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://%s:%d/MeetingRegistration/user/update-meeting-info.php?sp=%ssURL
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://https://https://%shttp://%sPCGUI.CInviteAttendee_::OnInitDialog.JoinMessage2PCGUI.CInviteAtte
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://th.symcb.com/th.crl0
Source: TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://th.symcb.com/th.crt0
Source: TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://th.symcd.com0&
Source: TurboMeeting.exe, 00000006.00000000.1494408085.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001802000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://tools.ietf.org/html/draft-ietf-avtext-framemarking-07
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: TurboMeeting.exe, 00000006.00000000.1494408085.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001802000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
Source: TurboMeeting.exe, 0000000B.00000002.1573799950.000000001089C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rhubcom.
Source: TurboMeeting.exe, 0000000B.00000002.1573799950.0000000010859000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rhubcom.com
Source: TurboMeeting.exe, 00000006.00000000.1496181175.0000000001A8A000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1525335027.0000000001A8A000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1555133297.0000000001A8A000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.rhubcom.com.T
Source: TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rhubcom.com0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000000.1422829262.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.rhubcom.comRHUB
Source: TurboMeeting.exe, 00000006.00000000.1494408085.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001802000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-send-time
Source: TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001802000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/color-space
Source: TurboMeeting.exe, 00000006.00000000.1494408085.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001802000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/generic-frame-descriptor-00
Source: TurboMeeting.exe, 00000006.00000000.1494408085.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001802000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/generic-frame-descriptor-00http://www.webrtc.org/experi
Source: TurboMeeting.exe, 00000006.00000000.1494408085.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001802000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/playout-delay
Source: TurboMeeting.exe, 00000006.00000000.1494408085.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001802000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-content-type
Source: TurboMeeting.exe, 00000006.00000000.1494408085.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001802000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-timing
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://compose.mail.yahoo.com/?To=&Subj=
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://mail.google.com/mail/u/0/?view=cm&fs=1&tf=1&to&su=
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://mail.google.com/mail/u/0/?view=cm&fs=1&tf=1&to&su=https://compose.mail.yahoo.com/?To=&Subj=(
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0C
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://streams.videolan.org/upload/
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1476645003.00000000004E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.lockwoodbroadcast.com/
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1477353524.00000000044D0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476116809.0000000000522000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476116809.000000000052B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1476684834.0000000000522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.lockwoodbroadcast.com/as/wapi/get_client?client_type=0&client=pc&myrand11262017=1s4z
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1476645003.0000000000513000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.lockwoodbroadcast.com/as/wapi/get_client_size?client_type=0&xml_format=Y&client=pc&m
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.google.com/calendar/render?action=TEMPLATE&text=

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown

HTTPS traffic detected: 8.18.62.6:443 -> 192.168.2.7:49706 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Potential key logger detected (key state polling based)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E218C5 GetKeyState,GetKeyState,GetKeyState,SendMessageW,		0_2_00E218C5
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CD03AF GetKeyState,GetKeyState,GetKeyState,SendMessageW,		4_2_00CD03AF

Spam, unwanted Advertisements and Ransom Demands

Found string related to ransomware

Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: /as/wapi/login?XMLHTTPRequest=Y&Email=%s&Password=%s&RememberMe=%s&Version=%s&pass_through=%s&employee_uid=%s&run_service=%s&os_version=%d&os_description=%s&encrypted=Y
Source: TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: /as/wapi/login?XMLHTTPRequest=Y&Email=%s&Password=%s&RememberMe=%s&Version=%s&pass_through=%s&employee_uid=%s&run_service=%s&os_version=%d&os_description=%s&encrypted=Y
Source: TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: /as/wapi/login?XMLHTTPRequest=Y&Email=%s&Password=%s&RememberMe=%s&Version=%s&pass_through=%s&employee_uid=%s&run_service=%s&os_version=%d&os_description=%s&encrypted=Y
Source: TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: /as/wapi/login?XMLHTTPRequest=Y&Email=%s&Password=%s&RememberMe=%s&Version=%s&pass_through=%s&employee_uid=%s&run_service=%s&os_version=%d&os_description=%s&encrypted=Y
Source: TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: /as/wapi/login?XMLHTTPRequest=Y&Email=%s&Password=%s&RememberMe=%s&Version=%s&pass_through=%s&employee_uid=%s&run_service=%s&os_version=%d&os_description=%s&encrypted=Y
Source: TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: /as/wapi/login?XMLHTTPRequest=Y&Email=%s&Password=%s&RememberMe=%s&Version=%s&pass_through=%s&employee_uid=%s&run_service=%s&os_version=%d&os_description=%s&encrypted=Y

System Summary

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe

Process Stats: CPU usage > 49%

Contains functionality to delete services

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe

4_2_00CA5C10

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E4CDF6	0_2_00E4CDF6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E70F20	0_2_00E70F20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E48099	0_2_00E48099
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E48343	0_2_00E48343
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E70330	0_2_00E70330
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E105F0	0_2_00E105F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E70620	0_2_00E70620
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E4860A	0_2_00E4860A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E488C5	0_2_00E488C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E3C8D5	0_2_00E3C8D5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E6A8B6	0_2_00E6A8B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E6A9DF	0_2_00E6A9DF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E70AE0	0_2_00E70AE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E06C90	0_2_00E06C90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E68E8F	0_2_00E68E8F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E10FD0	0_2_00E10FD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E4D026	0_2_00E4D026
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E6D010	0_2_00E6D010
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E4D256	0_2_00E4D256
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E4D4C0	0_2_00E4D4C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E37463	0_2_00E37463
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E71660	0_2_00E71660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E6D7B0	0_2_00E6D7B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E478D0	0_2_00E478D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E5182F	0_2_00E5182F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E679B9	0_2_00E679B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E5BA03	0_2_00E5BA03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E51B86	0_2_00E51B86
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E53B80	0_2_00E53B80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E6FC10	0_2_00E6FC10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E47D27	0_2_00E47D27
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E1BF40	0_2_00E1BF40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E45F4A	0_2_00E45F4A
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE71E4	4_2_00CE71E4
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CF60D8	4_2_00CF60D8
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE2130	4_2_00CE2130
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D02269	4_2_00D02269
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CA8350	4_2_00CA8350
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE2377	4_2_00CE2377
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE0330	4_2_00CE0330
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CC6440	4_2_00CC6440
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D08580	4_2_00D08580
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE26E9	4_2_00CE26E9
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CA6660	4_2_00CA6660
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB08E5	4_2_00CB08E5
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D0A9E0	4_2_00D0A9E0
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE2993	4_2_00CE2993
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB2CC0	4_2_00CB2CC0
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE2C5A	4_2_00CE2C5A
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE2F15	4_2_00CE2F15
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CAD070	4_2_00CAD070
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D0B100	4_2_00D0B100
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB1257	4_2_00CB1257
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB122C	4_2_00CB122C
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CED3C0	4_2_00CED3C0
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D0B3F0	4_2_00D0B3F0
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB14D0	4_2_00CB14D0
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D054F4	4_2_00D054F4
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CEB45F	4_2_00CEB45F
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE7416	4_2_00CE7416
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE7648	4_2_00CE7648
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D05614	4_2_00D05614
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D0B8B0	4_2_00D0B8B0
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE78A5	4_2_00CE78A5
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D03BBF	4_2_00D03BBF
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D07DE0	4_2_00D07DE0
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CFFFCC	4_2_00CFFFCC
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Code function: 6_2_6EC3B4B1	6_2_6EC3B4B1

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: String function: 00CDEBDC appears 84 times
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: String function: 00CA6620 appears 74 times
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: String function: 00CA6260 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: String function: 00CAF930 appears 325 times
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: String function: 00CDECC0 appears 68 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: String function: 00E07CD0 appears 68 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: String function: 00E01D51 appears 33 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: String function: 00E441EB appears 34 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: String function: 00E44180 appears 115 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: String function: 00E44880 appears 67 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: String function: 00E0EEE0 appears 246 times

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000000.1308827291.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMeetingStarter.exe@ vs SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMeetingStarter.exe@ vs SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Uses 32bit PE files

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: sus32.rans.winEXE@9/98@2/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E14130 FindFirstFileW,RemoveDirectoryW,SetFileAttributesW,_strstr,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,FormatMessageW,WSAGetLastError,

0_2_00E14130

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E14F80 GetLastError,CreateToolhelp32Snapshot,GetLastError,Process32FirstW,CloseHandle,GetLastError,GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,ImpersonateSelf,GetLastError,GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,OpenProcess,_strstr,TerminateProcess,CloseHandle,GetLastError,GetLastError,Process32NextW,CloseHandle,		0_2_00E14F80
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB5020 GetLastError,CreateToolhelp32Snapshot,GetLastError,Process32FirstW,CloseHandle,GetLastError,GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,ImpersonateSelf,GetLastError,GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,OpenProcess,_strstr,TerminateProcess,FindCloseChangeNotification,GetLastError,GetLastError,Process32NextW,FindCloseChangeNotification,		4_2_00CB5020

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

0_2_00E14F80

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E2E860 CoInitialize,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,

0_2_00E2E860

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

0_2_00E2B751

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe

File created: C:\Users\user\AppData\Roaming\TurboMeeting

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe

Mutant created: \Sessions\1\BaseNamedObjects\TMCacheFileMutex

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

File created: C:\Users\user~1\AppData\Local\Temp\TMSetup.txt

Jump to behavior

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: TurboMeeting.exe, 00000006.00000002.3776134929.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001889000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: TurboMeeting.exe, 00000006.00000002.3776134929.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001889000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: TurboMeeting.exe, 00000006.00000002.3776134929.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001889000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: TurboMeeting.exe, 00000006.00000002.3776134929.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001889000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: TurboMeeting.exe, 00000006.00000002.3776134929.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001889000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: TurboMeeting.exe, 00000006.00000002.3776134929.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001889000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: TurboMeeting.exe, 00000006.00000002.3776134929.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001889000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Virustotal: Detection: 8%

Source: TMLauncher.exe

String found in binary or memory: --installprinter

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe "C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe"
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe "C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe" --program C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\rsp1024hcmd.txt
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe TurboMeeting.exe --MagDetect
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe TurboMeeting.exe --VSEDetect
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe "C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe "C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe" --program C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\rsp1024hcmd.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe TurboMeeting.exe --MagDetect	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe TurboMeeting.exe --VSEDetect	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: vdmdbg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: vistafunc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: asycfilt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: vdmdbg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: vistafunc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: vdmdbg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: vistafunc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: winsta.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: TurboMeeting.lnk.6.dr	LNK file: ..\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe
Source: TurboMeeting Start Meeting.lnk.6.dr	LNK file: ..\..\..\..\..\TurboMeeting\TurboMeeting\TurboMeeting.exe
Source: TurboMeeting Uninstall.lnk.6.dr	LNK file: ..\..\..\..\..\TurboMeeting\TMRemover.exe

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe

File opened: C:\Users\user\Desktop\starter.cfg

Jump to behavior

Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue

Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TurboMeeting

Jump to behavior

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Static PE information: certificate valid

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\RHUB2\PCSetup\Release.V2017\PCSetup.pdb source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000000.1308753930.0000000000E79000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\TMResource\Release.V2017\TMResource.pdb source: TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\PCInstaller\Release.V2017\PCInstaller.pdb source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000000.1422829262.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\PCUninstaller\Release.V2017\PCUninstaller.pdb@ source: TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\MyHookDll\Release.V2017\MyHookDll.pdb source: TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\dev\work\rhub\Code\SendSAS\release\SendSAS.pdb source: TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\vistafunc\Release.V2017\vistafunc.pdb source: TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000002.3778188999.000000006EC3D000.00000002.00000001.01000000.0000000A.sdmp, TurboMeeting.exe, 00000008.00000002.1527616968.000000006EC3D000.00000002.00000001.01000000.0000000A.sdmp, TurboMeeting.exe, 0000000B.00000002.1574382545.000000006EC3D000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\RHUB2\Code\PCUninstaller\Release.V2017\PCUninstaller.pdb source: TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\TMService\Release.V2017\TMService.pdb source: TMLauncher.exe, 00000004.00000003.1471373053.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\TMService\Release.V2017\TMService.pdbM source: TMLauncher.exe, 00000004.00000003.1471373053.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\PCGUI5\Release.V2017\TurboMeeting.pdb source: TurboMeeting.exe, 00000006.00000002.3776134929.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001889000.00000002.00000001.01000000.00000009.sdmp

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

PE file contains an invalid checksum

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Static PE information: real checksum: 0xca6f3 should be: 0xcb5fb

PE file contains sections with non-standard names

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: section name: _RDATA
Source: dbghelp.dll.0.dr	Static PE information: section name: .didat
Source: InstallService.exe.0.dr	Static PE information: section name: _RDATA
Source: PCStarter.exe.0.dr	Static PE information: section name: _RDATA
Source: PCStarterXP.exe.0.dr	Static PE information: section name: _RDATA
Source: TMDownloader.exe.0.dr	Static PE information: section name: _RDATA
Source: TMInstaller.exe.0.dr	Static PE information: section name: _RDATA
Source: TMRemover.exe.0.dr	Static PE information: section name: _RDATA
Source: TMService.exe.0.dr	Static PE information: section name: _RDATA
Source: TurboMeeting.dll.0.dr	Static PE information: section name: .HookSha
Source: TurboMeeting.exe.0.dr	Static PE information: section name: .rodata
Source: TurboMeeting.exe.0.dr	Static PE information: section name: _RDATA
Source: TMLauncher.exe.0.dr	Static PE information: section name: _RDATA
Source: TMRemover.exe.4.dr	Static PE information: section name: _RDATA
Source: TMInstaller.exe.4.dr	Static PE information: section name: _RDATA
Source: TMLauncher.exe.4.dr	Static PE information: section name: _RDATA
Source: dbghelp.dll.4.dr	Static PE information: section name: .didat
Source: InstallService.exe.4.dr	Static PE information: section name: _RDATA
Source: PCStarter.exe.4.dr	Static PE information: section name: _RDATA
Source: PCStarterXP.exe.4.dr	Static PE information: section name: _RDATA
Source: TMDownloader.exe.4.dr	Static PE information: section name: _RDATA
Source: TMInstaller.exe0.4.dr	Static PE information: section name: _RDATA
Source: TMLauncher.exe0.4.dr	Static PE information: section name: _RDATA
Source: TMRemover.exe0.4.dr	Static PE information: section name: _RDATA
Source: TMService.exe.4.dr	Static PE information: section name: _RDATA
Source: TurboMeeting.dll.4.dr	Static PE information: section name: .HookSha
Source: TurboMeeting.exe.4.dr	Static PE information: section name: .rodata
Source: TurboMeeting.exe.4.dr	Static PE information: section name: _RDATA
Source: PCStarter.exe0.4.dr	Static PE information: section name: _RDATA
Source: TM1713420902.dll.6.dr	Static PE information: section name: .HookSha
Source: TM1713420903.dll.8.dr	Static PE information: section name: .HookSha
Source: TM1713420905.dll.11.dr	Static PE information: section name: .HookSha

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E44149 push ecx; ret	0_2_00E4415C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E448C6 push ecx; ret	0_2_00E448D9
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC0FE pushad ; ret	4_2_00CBC0FF
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE0AB pushad ; ret	4_2_00CBE0AC
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC0A6 pushad ; ret	4_2_00CBC0A7
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC04E pushad ; ret	4_2_00CBC04F
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE041 push dword ptr [ebx+60858D01h]; ret	4_2_00CBE054
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE15B pushad ; ret	4_2_00CBE15C
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC156 pushad ; ret	4_2_00CBC157
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE103 pushad ; ret	4_2_00CBE104
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC2D6 pushad ; ret	4_2_00CBC2D7
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE2BB pushad ; ret	4_2_00CBE2BC
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE263 pushad ; ret	4_2_00CBE264
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE20B pushad ; ret	4_2_00CBE20C
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC216 pushad ; ret	4_2_00CBC217
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC3EB pushad ; ret	4_2_00CBC3EC
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE3B3 push dword ptr [ebx+60858D01h]; ret	4_2_00CBE3C4
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE310 pushad ; ret	4_2_00CBE31A
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC32E pushad ; ret	4_2_00CBC32F
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC4F3 pushad ; ret	4_2_00CBC4F4
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC49B pushad ; ret	4_2_00CBC49C
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC443 pushad ; ret	4_2_00CBC444
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE463 push dword ptr [ebx+60858D01h]; ret	4_2_00CBE474
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE414 push dword ptr [ebx+60858D01h]; ret	4_2_00CBE41C
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC5FB pushad ; ret	4_2_00CBC5FC
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC5A3 pushad ; ret	4_2_00CBC5A4
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC54B pushad ; ret	4_2_00CBC54C
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC6AB pushad ; ret	4_2_00CBC6AC
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC653 pushad ; ret	4_2_00CBC654
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC7FB push dword ptr [ebx+60858D01h]; ret	4_2_00CBC80C
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC7B3 pushad ; ret	4_2_00CBC7B4

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMDownloader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMResource.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMRemover.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Sss.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TurboMeeting.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMLauncher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\jsproxy.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\jsproxy.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\HookDLL\TM1713420902.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\vistafunc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\InstallService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\PCStarter.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\HookDLL\TM1713420903.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMRemover.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\dbghelp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMInstaller.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMDownloader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dbghelp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TMInstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\PCStarter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\Sss.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMInstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\vistafunc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\PCStarterXP.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\PCStarter.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMResource.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TMRemover.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\InstallService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\PCStarterXP.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TurboMeeting.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TMLauncher.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\HookDLL\TM1713420905.dll	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user~1\AppData\Local\Temp\TMSetup.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user~1\AppData\Local\Temp\TMInstaller.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\setup_status.txt	Jump to behavior

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Window found: window name: Progman			Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Window found: window name: Progman			Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TurboMeeting	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TurboMeeting\TurboMeeting Start Meeting.lnk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TurboMeeting\TurboMeeting Uninstall.lnk	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe

File deleted: c:\users\user\desktop\securiteinfo.com.trojan.siggen21.62491.4036.26173.exe

Jump to behavior

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E22DF3 IsIconic,		0_2_00E22DF3
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CD1882 IsIconic,		4_2_00CD1882

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

0_2_00E45F4A

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMDownloader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMResource.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMRemover.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Sss.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\jsproxy.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\jsproxy.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\HookDLL\TM1713420902.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\InstallService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\PCStarter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\HookDLL\TM1713420903.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMRemover.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\dbghelp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMDownloader.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dbghelp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\PCStarter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\Sss.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\PCStarterXP.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\PCStarter.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMResource.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TMRemover.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\InstallService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\PCStarterXP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TurboMeeting.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\HookDLL\TM1713420905.dll	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E14130 FindFirstFileW,RemoveDirectoryW,SetFileAttributesW,_strstr,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,FormatMessageW,WSAGetLastError,	0_2_00E14130
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E63648 FindFirstFileExW,	0_2_00E63648
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E338A9 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,	0_2_00E338A9
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB4100 FindFirstFileW,RemoveDirectoryW,SetFileAttributesW,_strstr,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,FormatMessageW,WSAGetLastError,	4_2_00CB4100
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB1F00 GetFileAttributesW,CreateDirectoryW,WSAGetLastError,FindFirstFileW,GetLastError,FormatMessageW,FindNextFileW,SetFileAttributesW,CopyFileW,GetLastError,FormatMessageW,FindNextFileW,FindClose,	4_2_00CB1F00
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CC9155 SetLastError,FindFirstFileW,GetLastError,	4_2_00CC9155
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CC929D GetModuleHandleW,GetProcAddress,FindFirstFileW,	4_2_00CC929D
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CD9D08 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,	4_2_00CD9D08
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CFDEE5 FindFirstFileExW,	4_2_00CFDEE5
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Code function: 6_2_6EC354E6 FindFirstFileExW,	6_2_6EC354E6

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E59389 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,

0_2_00E59389

Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData\Roaming\TurboMeeting	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml	Jump to behavior

Source: TurboMeeting.exe, 00000006.00000002.3776866345.0000000002263000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA*k(
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476116809.000000000052B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476403815.00000000004BA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1476524588.00000000004BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`mS%SystemRoot%\system32\mswsock.dllC
Source: TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: VMware Screen Codec / VMware Video
Source: TurboMeeting.exe, 00000008.00000003.1522178362.0000000000688000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1521892122.000000000067D000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 0000000B.00000002.1555648025.0000000002267000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E18060 GetModuleFileNameW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,CreateFileW,OutputDebugStringW,SetFilePointer,CloseHandle,lstrcpyW,CreateFileW,CloseHandle,IsDebuggerPresent,

0_2_00E18060

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E1D692 OutputDebugStringA,GetLastError,

0_2_00E1D692

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E59389 VirtualProtect ?,-00000001,00000104,?,?,?,0000001C

0_2_00E59389

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E5FD22 mov eax, dword ptr fs:[00000030h]	0_2_00E5FD22
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E4FDB8 mov eax, dword ptr fs:[00000030h]	0_2_00E4FDB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E5FD67 mov eax, dword ptr fs:[00000030h]	0_2_00E5FD67
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CEE5E5 mov eax, dword ptr fs:[00000030h]	4_2_00CEE5E5
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CFAF97 mov eax, dword ptr fs:[00000030h]	4_2_00CFAF97
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Code function: 6_2_6EC33C4D mov eax, dword ptr fs:[00000030h]	6_2_6EC33C4D
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Code function: 6_2_6EC34DFD mov eax, dword ptr fs:[00000030h]	6_2_6EC34DFD

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E633F8 GetProcessHeap,

0_2_00E633F8

Enables debug privileges

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E0E5A0 SetUnhandledExceptionFilter,SetThreadPriority,WSAGetLastError,SetEvent,SetEvent,SetEvent,	0_2_00E0E5A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E01596 SetUnhandledExceptionFilter,#17,_wprintf,GetClassInfoW,WSAStartup,GetModuleFileNameW,_strlen,_strlen,GetModuleFileNameW,PathStripPathW,_strstr,_strstr,_strlen,LoadImageW,SendMessageW,PostMessageW,	0_2_00E01596
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E4A64E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E4A64E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E44B9F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E44B9F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E44D32 SetUnhandledExceptionFilter,	0_2_00E44D32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E43F3A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00E43F3A
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CA1C30 SetUnhandledExceptionFilter,#17,_strstr,_strstr,	4_2_00CA1C30
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CDE3BD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00CDE3BD
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE4A2E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00CE4A2E
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CDEFB3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00CDEFB3
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CDF146 SetUnhandledExceptionFilter,	4_2_00CDF146
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Code function: 6_2_6EC34E2E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_6EC34E2E
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Code function: 6_2_6EC32093 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_6EC32093
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Code function: 6_2_6EC31D02 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_6EC31D02

HIPS / PFW / Operating System Protection Evasion

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E082A0 GetTempPathW,Sleep,CopyFileW,ShellExecuteExW,GetLastError,GetFileAttributesW,

0_2_00E082A0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

0_2_00E13D20

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: GShell_TrayWndkernel32.dllDbIU@0{@P
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndkernel32.dllsClientName = %s, sDesktopDirectory = %s, sStartMenuDirectory = %s, sCurrentDirectory = %sc:\rhub2\code\pcutility\pcutility.cppPCUtility:RemoveLink()%s\%s.lnkRemove sLink: %sStart Session%s.lnkStart MeetingRemove start menu directory: %sSoftware\Microsoft\Windows\CurrentVersion\Uninstallfailed to remove registry, sKey = %s, error %d, %sPCUtility::RemoveLink()DeleteRegistryKey(%s)c:\ProgramData\Microsoft\Windows\Start Menu\Programs\%swSoftware\ClassesURL:%s StarterURL ProtocolsKey = %s, sURL = %s, sStarterFile = %s, sClientName = %sPCUtility:RegisterStarter()%s\shell\open\command"%s" %%1sCommandKey = %sSoftware\Microsoft\Internet Explorer\ProtocolExecute0WarnOnOpenRHUBMXmeetingvector<T> too longlist<T> too longMore than log instance, reported from MyLog::Initialize()Server.\RunServerLog%s%s.txt%s%s.bak%s%s.bak.bak%sServerMemoryLog.txt%sServerMemoryLog.bakrsp1024h%s.bak%s.bak.bak%sClientMemoryLog.txt%sClientMemoryLog.bakwfailed to create log file %s in MyLog::GetWorkingDirectory(), %dException happens in MyLog::Initialize()%d-%02d-%02d %02d:%02d:%02dafailed to create log file %s in MyLog::GetWorkingDirectory()%d
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000000.1308753930.0000000000E79000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: Shell_TrayWndkernel32.dllDb
Source: TMLauncher.exe	Binary or memory string: Progman
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: ?sBuffer is NULL = %s, iWidth = %d, iHeight = %dc:\rhub2\gui5\virtualgui\pcimage.cppPCImage::ImageBufferToPNGimage.GetLastError() = %sProgmanMS-SDIaMS-SDIbWindows.UI.Core.CoreWindow>>>>> New call c:\rhub2\gui5\virtualgui\pcapplicationsharingmonitor.cppPCApplicationSharingMonitor::GetApplicationList!!! ERROR: GetMonitorByHandle() failed for m_vWindowHandle = %dPCApplicationSharingMonitor::ChangeSharingApplicationc:\rhub2\gui5\virtualgui\guivideo.cppenter: m_iCurrentWebCamStatus = %d, iControlCode = %dGUIVideo::StopWebCamStopWebCam, iControlCode == PRESENTER_ALL_STOP \|\| iControlCode == VIEWER_ALL_STOPGetWebCamNamesStopWebCamGUIVideo::WebCamStatusCallbackGUIVideo::WebCamStatusCallback.WebcamFailedToStartGUIVideo::WebCamStatusCallback.WebcamRefusedToStart1GUIVideo::WebCamStatusCallback.WebcamRefusedToStart2GUIVideo::WebCamStatusCallback.WebcamRefusedToStart3GUIVideo::WebCamStatusCallback.WebcamRefusedToStart4m_bWebcamStartedByUser = %sGUIVideo::SetWebcamStartedByUserm_bWebcamPreviewStartedByUser = %s
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: invalid headerno new downloadhProcessSnap == INVALID_HANDLE_VALUE: %d, %s!Process32First(): %d, %ssProcessName = %sUtility::TerminateProcessByNameImpersonateSelf(SecurityImpersonation) failed: %d, %sOpenThreadToken() failed: %d, %sSeDebugPrivilegeCRITICAL ISSUE: there is a dead loop. One TurboMeeting.exe cannot be removed!.exesCommandLine = %s, sWorkingDirectory = %sUtility::StartProcessUTF8ToUTF16 is OKsucceeded.iErrorCode = %d, Error = %ssCommandLine = %sopenShellExecute(): iHinstance = %d, iErrorCode = %d, Error = %s, sExecutable = %s, sParameter = %s%s\*...Utility::RemoveAllFileEnd of RemoveAllFile: path = %s, %s, error code: %d, error: %s-sCurrentFilePath = %sSYSTEMbSystemUser = true, sUserApplicationDirectory = %s\..\..\..user application directory does not existbSystemUser = false, sUserApplicationDirectory = %sfrom CSIDL_COMMON_DOCUMENTS, sUserApplicationDirectory = %ssStartMenuDirectory = %ssCurrentDirectory = %ssCurrentFile = %ssUserApplicationDirectory = %ssTempDirectory = %ssDesktopDirectory = %sbUserAppDirAccessable = truebUserAppDirAccessable = falsebSystemUser = truebSystemUser = falseProgmanSHELLDLL_DefViewSysListView32sClientName: %s,
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: </__OUTLOOK_INTEGRATION__><__OUTLOOK_INTEGRATION__>outlook plugin was installed.c:\rhub2\pcgui5\pcgui\mainfrm.cppMainFrame::OnUpdateSoftwarePREVIOUS_ENTRY_POINT_JOINimage\ApplicationIcon.icoTurboMeetingMainWindowClassenter.MainFrame::OnClose()Error = %dToolbarWindow32TrayNotifyWndPCGUI.CSelectMeetingType::HostMeeting.SystemTrayIconTurboMeetingShell_TrayWnd</__ExitDueToNoConnection__><__ExitDueToNoConnection__></__Message__><__Message__></__PollingResponse__><__PollingResponse__>Received Polling response Error while parsing the string UserId = %d, %sMainWindow::OnRespondPolling()</__PollingId__><__PollingId__>Received Polling response Error while parsing the string No Poll Id UserId = %d, %sReceived Polling response from user But We do not have polling Id %dReceived Polling response UserId = %d, %s</__Choice0__><__Choice0__></__Choice1__><__Choice1__></__Choice2__><__Choice2__></__Choice3__><__Choice3__></__Choice4__><__Choice4__></__PollingQuestion__><__PollingQuestion__>Error while parsing the Polling Question %sMainWindow::OnShowRequestPolling()Error while parsing the Polling id %s</__IsSingleResponse__><__IsSingleResponse__></__Question__><__Question__></__PollingResult__><__PollingResult__>Error while parsing the Polling results From User %d : %sMainWindow::OnShowPublishPolling()Error while parsing the Polling Id. No PollingId is present: From User %d : %s</__TotalResponse__><__TotalResponse__></__ResponseChoice0__><__ResponseChoice0__></__ResponseChoice1__><__ResponseChoice1__></__ResponseChoice2__><__ResponseChoice2__></__ResponseChoice3__><__ResponseChoice3__></__ResponseChoice4__><__ResponseChoice4__>PCGUI.MainWindow::MainWindow.ExitPCGUI.IDR_TRAY_MENU.ID_OPENPCGUI.IDD_ACTIVEGIALOG.IDC_STATIC_ACTIVE_LIST_HEADINGPCGUI.CScreenShare::UpdateAttendeeList.HostPCGUI.PLoginDialog::OnInitDialog.JoinPCGUI.MainWindow::MainWindow.AboutPCGUI.BUTTON.REMOVEOpenATTENDEE_CONTROL_DIALOG User Type: %d, iChangedUserType = %dMainFrame::UpdateGUIOnUserTypeHOST_CONTROL_DIALOG User Type: %dMainFrame::UpdateGUIOnUserType.HOST_BECOME_VIEWERMainFrame::UpdateGUIOnUserType.HOST_BECOME_PRESENTERATTENDEE_CONTROL_DIALOG User Type: %dMainFrame::UpdateGUIOnUserType.ATTENDEE_BECOME_VIEWERMainFrame::UpdateGUIOnUserType.ATTENDEE_BECOME_PRESENTERMainFrame::UpdateGUIOnUserType.ATTENDEE_BECOME_HOSTMainFrame::UpdateGUIOnUserType.HOST_BECOME_ATTENDEEPCGUI.PhysicalGUI::ProcessMessage.WantControllerPermissionPCGUI.PhysicalGUI::ProcessMessage.RequestControllerPCGUI.PhysicalGUI::ProcessMessage.WantPresenterPermissionPCGUI.PhysicalGUI::ProcessMessage.RequestPresenteriCameraDisplayFormat = %d, iUserType = %d m_bVideoDetached = %d, m_bNoWebcamAvailable = %dMainFrame::OnUpdateWindowPositionTurboMeeting.exeCMD_BYPASS_PRESENCE: sCommand = %sMainFrame::ExecuteCommand()Failed CMD_BYPASS_PRESENCE. sCommand = %sPCGUI.IDD_ASSIGN_PRESENTER_DIALOG.WindowTextPCApplicationSharingMonitor::GetApplicationList.StayWithHDPCGUI.PControlPanelWnd::CreateButtonControls.BecomePresenterPCGUI.PSliderDialo

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E44DDF cpuid

0_2_00E44DDF

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: GetModuleHandleW,GetProcAddress,EncodePointer,DecodePointer,GetLocaleInfoEx,GetLocaleInfoW,	0_2_00E2F81B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00E66014
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: GetLocaleInfoW,	0_2_00E66264
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00E6638D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: GetLocaleInfoW,	0_2_00E66494
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00E66567
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: EnumSystemLocalesW,	0_2_00E5D13C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: GetLocaleInfoW,	0_2_00E5D78F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_00E65C29
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: EnumSystemLocalesW,	0_2_00E65EEC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: EnumSystemLocalesW,	0_2_00E65EA1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: EnumSystemLocalesW,	0_2_00E65F87
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: GetModuleHandleW,GetProcAddress,EncodePointer,DecodePointer,GetLocaleInfoEx,GetLocaleInfoW,	4_2_00CD5FAF
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	4_2_00D0051B
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: EnumSystemLocalesW,	4_2_00D007BD
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: EnumSystemLocalesW,	4_2_00D008A3
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: EnumSystemLocalesW,	4_2_00D00808
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	4_2_00D0092E
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: GetLocaleInfoW,	4_2_00D00B81
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_00D00CA7
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: GetLocaleInfoW,	4_2_00D00DAD
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_00D00E7C
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: EnumSystemLocalesW,	4_2_00CF7731
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: GetLocaleInfoW,	4_2_00CF7C53

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tm_starter_dir\rsp1024hcmd.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\rsp1024hcmd.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E12320 GetSystemTime,

0_2_00E12320

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

0_2_00E13110

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E62425 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00E62425

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E172E0 GetVersionExW,GetVersionExW,GetVersionExW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,

0_2_00E172E0

Remote Access Functionality

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe

Code function: 4_2_00CA1840 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,

4_2_00CA1840

ID:	1427767
Product:	CloudBasic
Start time:	06:24:11
Start date:	18.04.2024
Sample:	SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	8745c960022bcefff65c91a47374a169
SHA1:	e503dd1b85b17ba61e468890d11f3259e9437b72
SHA256:	8fd4a4dcbe8b649c8c8cec213352c6da213caaefffc76450efee498e51f63cda
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\MagDetector.txt	ASCII text, with very long lines (320), with CRLF, CR line terminators	DE0E9877AD98BB909A1BEA6B793E8085	65CB35A68E64B365D93849F1A4EA49DC74B1DBC4	4DD69D08E3E95E9A2B492CA57695537BA31B563E61E2F2718967A6F9D15E88EE
C:\Users\user\AppData\Local\Temp\PCClient.zip	data	9BA492917815BBBFED9D8E6A0F77481B	FD7827C336E58352F93B541F747F1681E5A761DF	3245EEC094B82600E78767AA0AE848596F77CFDF1B544590396B3CDDD370AD22
C:\Users\user\AppData\Local\Temp\SVEDetector.txt	ASCII text, with very long lines (320), with CRLF, CR line terminators	16523C11ED63772458D93F26A7B5E431	76C6966E61F749144F5EAA35EE0C31708EDFD4ED	2FC44F3A9248FAEE527D3C5440CFAE5FB053D2A79A25664F5CC6E14CDD59034C
C:\Users\user\AppData\Local\Temp\TMInstaller.txt	ASCII text, with CRLF, CR line terminators	5C6296E5BE4F76BCFE6EA1996AA9E7A0	4D6ADBE26783828A97616B3B0C78B5A0647228A1	29C251040483EB6AC6EA593B416A24A1FF0C53788ABE3DCD8F6CCE948CABCCB1
C:\Users\user\AppData\Local\Temp\TMSetup.txt	ASCII text, with CRLF line terminators	14F345AD20B4141780311E2C6A2B463A	825F9A9ED40A0F3AB3881CE1341828D8F5D7CB5C	191D90DBAD3E31A8527CD59801DA0CAC5BF2EE59548FD1AAFD3BBB337925AFA8
C:\Users\user\AppData\Local\Temp\rsp1024h.txt	ASCII text, with very long lines (459), with CRLF line terminators	DB805C29A0454736F6717658BBC8F2EE	1A193DEBDD5C88E873D9C6BF4F0A19F413FBF42B	8A8B02474BD0A33922C424A3DE7A05F3F3339C78155056D17D1A6233828E2FBB
C:\Users\user\AppData\Local\Temp\tm_starter_dir\ClientDatabase	data	180D45BE65098DA1E2D0F72795581C5D	B4B90F594BF1B1A0603D28A6342CC2052BB010C8	C8A22EE90C0E0DB5877FD047EA957452D827A077C5A823C2FF6A0A3E6D421A52
C:\Users\user\AppData\Local\Temp\tm_starter_dir\InstallService.exe	PE32 executable (console) Intel 80386, for MS Windows	CA2C90A15E0B8701A71B28E875865F35	319C1961F05D1D6C31984D141B91B870DC0B1EFA	7AEECEDC2D37BD3AD549851121CCFED9B9D62285DB474735998C8EA741DCA867
C:\Users\user\AppData\Local\Temp\tm_starter_dir\PCStarter.exe	PE32 executable (GUI) Intel 80386, for MS Windows	C28568A1EB37159185590BCCF20F9866	DFE01651DA872470E686C2BE78400C80C98FA450	ED500E8A0B1260F47EF142B06CF08AF8719D003F227C5EF48DD0166C6456D941
C:\Users\user\AppData\Local\Temp\tm_starter_dir\PCStarterXP.exe	PE32 executable (GUI) Intel 80386, for MS Windows	8CE1DC1E87F955F2529CA7A796AD8820	9A51C28787D5AD0363DC33FCBCEDD3995F855482	27773D79B0AE6A473909434BF72642C2098B649F4033139BC06C274ADA88E3BE
C:\Users\user\AppData\Local\Temp\tm_starter_dir\Sss.exe	PE32 executable (console) Intel 80386, for MS Windows	E0861D6F2836555E2C1E5F223234A9F1	C2F9C1B8EB85722B5EF83E080C78D5E378CB5210	84F0B260E146D07F0BE5A0C61CABCAEFE5288850A707F073B5EBC8FAAEC408C5
C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMDownloader.exe	PE32 executable (console) Intel 80386, for MS Windows	BA7323CFA2E6B7A11E61E5C8621141CF	BB49041C3257CE0A159C3AA49D0FCFF093A24921	0C4F996D1AA194951D756DE74514F7A1D03F68270E33F3C7E7B5DCF262885166
C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMInstaller.exe	PE32 executable (GUI) Intel 80386, for MS Windows	8FCA72C59D3A9AA6EDA33C64DAA0296D	5229D88A9E650430719DC5317F8F7601117EF637	11B64793473C88AA0EF2F9BDE703E9494495029D416E76D954FD3F044EF8FC10
C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	PE32 executable (GUI) Intel 80386, for MS Windows	8FCA72C59D3A9AA6EDA33C64DAA0296D	5229D88A9E650430719DC5317F8F7601117EF637	11B64793473C88AA0EF2F9BDE703E9494495029D416E76D954FD3F044EF8FC10
C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMRemover.exe	PE32 executable (console) Intel 80386, for MS Windows	F7A57D58DE9E992509F28477D85EA442	48747FE9CA9D804110462FBEBCC13F4519230443	B660B3F98E2C45770AF8421E75D7CF7AF71BD7AF8A30EFD4091E75F4D664B2B3
C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMResource.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	DD12C30E38FD57D25CD75B07E679330B	00C725161356A75121A393F8615641DA10EDA4C6	0C168E4E9AEA222BBCB4EEC3E61FA72B528F7276492FA4BACAE029241B3808EB
C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMService.exe	PE32 executable (console) Intel 80386, for MS Windows	26AC20E2F474AC15E0785770931001C3	2BB6CC026B7766D2BACF71E257836771DD8EA462	2A8A64EBBFBFFDA40DB3EB7F6DD9EFAB0143818637914B6246FBA81D938FA897
C:\Users\user\AppData\Local\Temp\tm_starter_dir\TurboMeeting.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	DFC9A458625B2095D18A17FF37EEDE74	7B397E54EB28167DBA481B0AE6A64D8B72A24DCA	AE13B7B55095775805A2A2D0AB8DD224678B1F08556252431107A9F3AA3A0FF3
C:\Users\user\AppData\Local\Temp\tm_starter_dir\TurboMeeting.exe	PE32 executable (GUI) Intel 80386, for MS Windows	D973EE70262ADF0A3D8AC412964517F9	5EFF4B9800B66D63213162E7BB009928F86DDBFD	BD69CC4974617A01D2759AAB58CDDE4AF9199B8102E325178C2AE043E6783E28
C:\Users\user\AppData\Local\Temp\tm_starter_dir\dbghelp.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	CC17AE159E28D331B7EC39A4F34527F2	68BACD3808895DB9987F11B63C857E288E022C17	4BBAE6B52A99355E7C695D901151513235E5B0BF01FF8D5345580D6529763B78
C:\Users\user\AppData\Local\Temp\tm_starter_dir\dictionary_client_CHI.tmd	Unicode text, UTF-8 text, with CRLF line terminators	E19C646DDC1E5B7AF92280538A863E04	4C87C7FB61DBC211C80A44928E6D121E55BDC929	4E51C94EED094DC6A0D895366750C80B71F5270A3FC96DD9B8047A85C87D40A7
C:\Users\user\AppData\Local\Temp\tm_starter_dir\dictionary_client_CHIT.tmd	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	B34E838E74870B3094DA1DB18FEC92EA	4414DC5F71FACCED09700C12769E61674574ACC7	3C34B2B116B9017826EB48CF6A6F44EC134FC36F07AD9171B233AC2DC0BFDF34
C:\Users\user\AppData\Local\Temp\tm_starter_dir\dictionary_client_DTH.tmd	Unicode text, UTF-8 text, with very long lines (548), with CRLF line terminators	FFC94815BCC52593E591F1DB945DA142	09FD651AD0316F616374809EE23548ACAAB8E0E6	85A9060D5370A433A147483EA8CD5129D6B77D3FC6C85861BE43E51C83FBB082
C:\Users\user\AppData\Local\Temp\tm_starter_dir\dictionary_client_ENG.tmd	Unicode text, UTF-8 text, with very long lines (549), with CRLF line terminators	822E31DFDFCB95A50B6D28DF87608CD6	9C811ADE35B8F0B7C4B6F69861755539499F10F4	4A1F173B90493324698E29F089D829D0F6FAAAA728405EBFF602D86D72B77BA6
C:\Users\user\AppData\Local\Temp\tm_starter_dir\dictionary_client_FRE.tmd	Unicode text, UTF-8 text, with very long lines (640), with CRLF line terminators	9F9EFFC7E14CFEF695D97BA63D261341	15B649B698ACD53963E3442348EBC729A04B857C	6F773A3B38D8CE1F077A53655F221559BF36F0A2E5611723167028DE759FB45A
C:\Users\user\AppData\Local\Temp\tm_starter_dir\dictionary_client_GER.tmd	Unicode text, UTF-8 text, with very long lines (554), with CRLF line terminators	9AD8EDBE48A03EA9F026A63D1950F59C	D4CFB9555DDA08DC2582B18C54CED31282F7602E	326816125FA54D4A09723807EF47884241B3513E8A52F42CAD66AC177E040A6D
C:\Users\user\AppData\Local\Temp\tm_starter_dir\dictionary_client_ITA.tmd	Unicode text, UTF-8 text, with very long lines (545), with CRLF line terminators	555BA58246B88D60247B6C9D6FA9106F	B040E9A84618FBD0340755C500F92CE9E692A0A8	FC60DF878A62C597BF669F24178E1AEB73D619F15385CAC798A654120141012C
C:\Users\user\AppData\Local\Temp\tm_starter_dir\dictionary_client_JPN.tmd	Unicode text, UTF-8 text, with very long lines (317), with CRLF line terminators	F8FA38EBCA233B3B805311979EC31646	850778B2F3949D28C858534720E4CD1E154786F9	E45D81061CF6ED74405D4EBF3BC530489F6A780B84DF510894F8B0A8D4D8A89E
C:\Users\user\AppData\Local\Temp\tm_starter_dir\dictionary_client_PRT.tmd	Unicode text, UTF-8 text, with very long lines (371), with CRLF line terminators	6A3E7509311BE81CC2FFCAD1B697F3BD	E24348698A2F8E316D017A47903683B08B7EC9CB	5A92A07D17108EA6D852108731A2F7CB92F610AD485505D7F8F02BAFF5F5184F
C:\Users\user\AppData\Local\Temp\tm_starter_dir\dictionary_client_SPA.tmd	Unicode text, UTF-8 text, with very long lines (616), with CRLF, CR line terminators	59F4A43B89E599128DA95F68C6C93C5E	5DE54065488D0417EC2C655F156FC6EDC173ECB4	B27C22AC64E6D231AE4C17CB93E0A889D376F24EA44864AC15349C7F70C94910
C:\Users\user\AppData\Local\Temp\tm_starter_dir\dictionary_client_TUR.tmd	Unicode text, UTF-8 text, with very long lines (555), with CRLF line terminators	01E157ED08E05ED80052AD8DF404B530	FD6229C6410350C30D5B7907DB42C521FC3EDB62	295A963CCE972904ACF33153C7CAF731027A36B5B8F5249EAAFC5B5D03012D67
C:\Users\user\AppData\Local\Temp\tm_starter_dir\image\ApplicationIcon.ico	MS Windows icon resource - 6 icons, 48x48, 8 bits/pixel, 32x32, 8 bits/pixel	883746CDA8ECF40EF07D2F26A687E550	88D8D8D7676AE4890C06ACED19212122BE59F44E	4435E5C62BE3B529D5E2100B5F1F57EDCC2BE82281601313BC8594E52C445D66
C:\Users\user\AppData\Local\Temp\tm_starter_dir\image\CTMeeting.ico	MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel	F366C80B222E8E83D5EC6D90959C2C45	CBEFD8DC9C8E342C6165D0F9C1FCFB177D2E01BE	8CD38C8E1A62198BEA0BCC85C0B339A835E460ED08A8D8C98BE524B528F07531
C:\Users\user\AppData\Local\Temp\tm_starter_dir\image\DummyWebcam.png	PNG image data, 64 x 64, 8-bit/color RGB, non-interlaced	2CFEED234A8558FAFA50655ACB115FD8	2FFB1A9FE6536723E96AE500554D3ABEED2147FC	615861E3BE02B7EBCF9378BBFEEFE969B503A11C738DFBD9A6514029205646F9
C:\Users\user\AppData\Local\Temp\tm_starter_dir\image\IMDefault.png	PNG image data, 56 x 56, 8-bit/color RGBA, non-interlaced	6E8F635F6528CC0433861A8DFB0C2D30	E85EC2E9154D1B12835E0590ED00C22A49E3A6DB	A8CC2B4C182384537CAD5E091DFF777F6806E77EED0E5800B96C573E4FBC1A00
C:\Users\user\AppData\Local\Temp\tm_starter_dir\image\MXmeeting.ico	MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel	E7D9E81AFA9CB104E0FE70EE9DABCB6B	FA2D7DF277CD730BAD0786F5BA92D3E5D777403B	A04E701256B583F226CE290D979B19D51A6EA4C5A94341E4E35DB1CA94DDC6E8
C:\Users\user\AppData\Local\Temp\tm_starter_dir\image\ProfileInfoDialogBackground.bmp	PC bitmap, Windows 3.x format, 1 x 98 x 24, image size 394, resolution 2834 x 2834 px/m, cbSize 448, bits offset 54	A8A6EF427C5C0EDE5C70AF58AA5680DE	127365EAF32CEE2BA7A958E766FDCCAD0E3C50C6	1D3F66E964CD9BFF854A550D5ACBB55B2C2027C05CEB7A9396A691B1C9D8C6C2
C:\Users\user\AppData\Local\Temp\tm_starter_dir\image\Separator1.png	PNG image data, 266 x 9, 8-bit/color RGBA, non-interlaced	B7CCD0351EB77445E7323F2BB74788FD	E0525DA70A851E6DC72D57DD9064F16B949C2A26	8BAA0FEAF55D59C0929419101BDAB9EA326348F13DE8B68EDFB710076F0C3F78
C:\Users\user\AppData\Local\Temp\tm_starter_dir\image\SeperatorLine.png	PNG image data, 260 x 1, 8-bit/color RGB, non-interlaced	4CE28B32C7836663CE74B29F11D176A7	608EBF86C32394E609ACB091E5FEFCB0AF4B9D39	4199A78439525D778CF91FA5DEFE0C68320B3E51B3EB9C7672939DD4B2F33E50
C:\Users\user\AppData\Local\Temp\tm_starter_dir\image\TurboMeetingWatermark.png	PNG image data, 274 x 312, 8-bit/color RGBA, interlaced	C939AF5F23D396F55808E95668C73C18	3E8767C4FCB16767E6E04A34A9B81B74C061E411	B128C15EA8BB492570E441F2BD3F81D1A481C75997AE107A1D9E830C98067FD9
C:\Users\user\AppData\Local\Temp\tm_starter_dir\image\Ymeetee.ico	MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel	E20ADBD0C131A94E99FDE12E0C60D247	EE5EB66E8945EC49A178D739834D448350C1080D	9473FE1FE2D941DB548F70E716DD8ED841DBAC60C02C71A5CE6BA760872DC69A
C:\Users\user\AppData\Local\Temp\tm_starter_dir\jsproxy.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	7BCD58DF45A40F865E8DBBCB5B2EF6D1	6B8C19C6521CE5E4C8C81F5A59552F3714B15E17	F8CDAC83B1512B6BCFABC616F3865BF11C049E59E4A2C8B5D5D4F031332D83D8
C:\Users\user\AppData\Local\Temp\tm_starter_dir\rsp1024hcmd.txt	ASCII text, with CRLF line terminators	64EE134763F8A59FA41575B54B4C9799	3047D89F40E4B5BD14A300BA0C8E11A9DF403EA3	6CA7946C4805C3705E6D588455D21131376E94960EDED7FDBBD5DACEB48A916B
C:\Users\user\AppData\Local\Temp\tm_starter_dir\version.txt	ASCII text, with CRLF line terminators	8797773BBB9B3585F186FC2684A48F6C	460A68B60688E4AC8A169B5A972E5A0120A977BC	18805AD87BD499C00BC4B72EC6B52E9EC1B9087760E1741EA73CD53A92CC839C
C:\Users\user\AppData\Local\Temp\tm_starter_dir\vistafunc.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	D9F52809F0A87FA85638E08187040545	7A4BAF2DCBA8193AE9209BFF85AF56B18DF9344A	867B919D932C496BE91FDB3FC0AC489FDFFAE9371463BFC24C844FC7CF63A9E4
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TurboMeeting\TurboMeeting Start Meeting.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Thu Apr 18 03:25:36 2024, mtime=Thu Apr 18 05:15:10 2024, atime=Thu Apr 18 03:25:31 2024, length=18097912, window=hide	93C828CFE3022147DF78D7DCBB08F3FC	0C6371F339BA3C080D235B98D753B2A22D51B1D8	75DBB468124AB1612FA26966B40B6E03DD250719BED8F2F5DC54AE575408FAA0
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TurboMeeting\TurboMeeting Uninstall.lnk	MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide	A61F0A659081E43BFB0550779F1E7535	C2ACB1AE16315B5C82510CD6647D9BEB57B896A0	418976BAFE56B0069FE6F77D2B110DACE7F5090DCF2152A441E74C909CFF9C53
C:\Users\user\AppData\Roaming\TurboMeeting\PCStarter.exe	PE32 executable (GUI) Intel 80386, for MS Windows	C28568A1EB37159185590BCCF20F9866	DFE01651DA872470E686C2BE78400C80C98FA450	ED500E8A0B1260F47EF142B06CF08AF8719D003F227C5EF48DD0166C6456D941
C:\Users\user\AppData\Roaming\TurboMeeting\TMInstaller.exe	PE32 executable (GUI) Intel 80386, for MS Windows	8FCA72C59D3A9AA6EDA33C64DAA0296D	5229D88A9E650430719DC5317F8F7601117EF637	11B64793473C88AA0EF2F9BDE703E9494495029D416E76D954FD3F044EF8FC10
C:\Users\user\AppData\Roaming\TurboMeeting\TMLauncher.exe	PE32 executable (GUI) Intel 80386, for MS Windows	8FCA72C59D3A9AA6EDA33C64DAA0296D	5229D88A9E650430719DC5317F8F7601117EF637	11B64793473C88AA0EF2F9BDE703E9494495029D416E76D954FD3F044EF8FC10
C:\Users\user\AppData\Roaming\TurboMeeting\TMRemover.exe	PE32 executable (console) Intel 80386, for MS Windows	F7A57D58DE9E992509F28477D85EA442	48747FE9CA9D804110462FBEBCC13F4519230443	B660B3F98E2C45770AF8421E75D7CF7AF71BD7AF8A30EFD4091E75F4D664B2B3
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml	ASCII text, with CRLF line terminators	4EA8515F972553020A96A0221CFEBFA9	316B5BA513891CEA7D0A8848DCF30DDB852013C1	8CB592235E3BC0DF74F58F8E95177763BA866A8E1192F2E50D040E8D2E24D314
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\ClientDatabase	data	180D45BE65098DA1E2D0F72795581C5D	B4B90F594BF1B1A0603D28A6342CC2052BB010C8	C8A22EE90C0E0DB5877FD047EA957452D827A077C5A823C2FF6A0A3E6D421A52
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml	ASCII text, with CRLF line terminators	123758BC7261FD214AD5E454A829656D	9C661C902118488DFF2B5E29A5182CE63C8A3A77	3957EDDA90CDFE0FF751F563CBD3C864F3541A9D67E505108478904216577ABE
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\HookDLL\TM1713420902.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	DFC9A458625B2095D18A17FF37EEDE74	7B397E54EB28167DBA481B0AE6A64D8B72A24DCA	AE13B7B55095775805A2A2D0AB8DD224678B1F08556252431107A9F3AA3A0FF3
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\HookDLL\TM1713420903.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	DFC9A458625B2095D18A17FF37EEDE74	7B397E54EB28167DBA481B0AE6A64D8B72A24DCA	AE13B7B55095775805A2A2D0AB8DD224678B1F08556252431107A9F3AA3A0FF3
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\HookDLL\TM1713420905.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	DFC9A458625B2095D18A17FF37EEDE74	7B397E54EB28167DBA481B0AE6A64D8B72A24DCA	AE13B7B55095775805A2A2D0AB8DD224678B1F08556252431107A9F3AA3A0FF3
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\InstallService.exe	PE32 executable (console) Intel 80386, for MS Windows	CA2C90A15E0B8701A71B28E875865F35	319C1961F05D1D6C31984D141B91B870DC0B1EFA	7AEECEDC2D37BD3AD549851121CCFED9B9D62285DB474735998C8EA741DCA867
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\PCStarter.exe	PE32 executable (GUI) Intel 80386, for MS Windows	C28568A1EB37159185590BCCF20F9866	DFE01651DA872470E686C2BE78400C80C98FA450	ED500E8A0B1260F47EF142B06CF08AF8719D003F227C5EF48DD0166C6456D941
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\PCStarterXP.exe	PE32 executable (GUI) Intel 80386, for MS Windows	8CE1DC1E87F955F2529CA7A796AD8820	9A51C28787D5AD0363DC33FCBCEDD3995F855482	27773D79B0AE6A473909434BF72642C2098B649F4033139BC06C274ADA88E3BE
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Sss.exe	PE32 executable (console) Intel 80386, for MS Windows	E0861D6F2836555E2C1E5F223234A9F1	C2F9C1B8EB85722B5EF83E080C78D5E378CB5210	84F0B260E146D07F0BE5A0C61CABCAEFE5288850A707F073B5EBC8FAAEC408C5
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMDownloader.exe	PE32 executable (console) Intel 80386, for MS Windows	BA7323CFA2E6B7A11E61E5C8621141CF	BB49041C3257CE0A159C3AA49D0FCFF093A24921	0C4F996D1AA194951D756DE74514F7A1D03F68270E33F3C7E7B5DCF262885166
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMInstaller.exe	PE32 executable (GUI) Intel 80386, for MS Windows	8FCA72C59D3A9AA6EDA33C64DAA0296D	5229D88A9E650430719DC5317F8F7601117EF637	11B64793473C88AA0EF2F9BDE703E9494495029D416E76D954FD3F044EF8FC10
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMLauncher.exe	PE32 executable (GUI) Intel 80386, for MS Windows	8FCA72C59D3A9AA6EDA33C64DAA0296D	5229D88A9E650430719DC5317F8F7601117EF637	11B64793473C88AA0EF2F9BDE703E9494495029D416E76D954FD3F044EF8FC10
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMRemover.exe	PE32 executable (console) Intel 80386, for MS Windows	F7A57D58DE9E992509F28477D85EA442	48747FE9CA9D804110462FBEBCC13F4519230443	B660B3F98E2C45770AF8421E75D7CF7AF71BD7AF8A30EFD4091E75F4D664B2B3
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMResource.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	DD12C30E38FD57D25CD75B07E679330B	00C725161356A75121A393F8615641DA10EDA4C6	0C168E4E9AEA222BBCB4EEC3E61FA72B528F7276492FA4BACAE029241B3808EB
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMService.exe	PE32 executable (console) Intel 80386, for MS Windows	26AC20E2F474AC15E0785770931001C3	2BB6CC026B7766D2BACF71E257836771DD8EA462	2A8A64EBBFBFFDA40DB3EB7F6DD9EFAB0143818637914B6246FBA81D938FA897
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	DFC9A458625B2095D18A17FF37EEDE74	7B397E54EB28167DBA481B0AE6A64D8B72A24DCA	AE13B7B55095775805A2A2D0AB8DD224678B1F08556252431107A9F3AA3A0FF3
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	PE32 executable (GUI) Intel 80386, for MS Windows	D973EE70262ADF0A3D8AC412964517F9	5EFF4B9800B66D63213162E7BB009928F86DDBFD	BD69CC4974617A01D2759AAB58CDDE4AF9199B8102E325178C2AE043E6783E28
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\accessory_status.txt	ASCII text, with CRLF line terminators	6A8CE1982E0DD43B41C7F1D67382AE9D	9347BF3EB2A583C1FCAB57E2D4094F36E9BBB225	2CB2CE581DC4EC484E2F4A16C91B68E7C3D403999A33FC4B67B03D9D903CB0DD
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dbghelp.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	CC17AE159E28D331B7EC39A4F34527F2	68BACD3808895DB9987F11B63C857E288E022C17	4BBAE6B52A99355E7C695D901151513235E5B0BF01FF8D5345580D6529763B78
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dictionary_client_CHI.tmd	Unicode text, UTF-8 text, with CRLF line terminators	E19C646DDC1E5B7AF92280538A863E04	4C87C7FB61DBC211C80A44928E6D121E55BDC929	4E51C94EED094DC6A0D895366750C80B71F5270A3FC96DD9B8047A85C87D40A7
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dictionary_client_CHIT.tmd	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	B34E838E74870B3094DA1DB18FEC92EA	4414DC5F71FACCED09700C12769E61674574ACC7	3C34B2B116B9017826EB48CF6A6F44EC134FC36F07AD9171B233AC2DC0BFDF34
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dictionary_client_DTH.tmd	Unicode text, UTF-8 text, with very long lines (548), with CRLF line terminators	FFC94815BCC52593E591F1DB945DA142	09FD651AD0316F616374809EE23548ACAAB8E0E6	85A9060D5370A433A147483EA8CD5129D6B77D3FC6C85861BE43E51C83FBB082
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dictionary_client_ENG.tmd	Unicode text, UTF-8 text, with very long lines (549), with CRLF line terminators	822E31DFDFCB95A50B6D28DF87608CD6	9C811ADE35B8F0B7C4B6F69861755539499F10F4	4A1F173B90493324698E29F089D829D0F6FAAAA728405EBFF602D86D72B77BA6
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dictionary_client_FRE.tmd	Unicode text, UTF-8 text, with very long lines (640), with CRLF line terminators	9F9EFFC7E14CFEF695D97BA63D261341	15B649B698ACD53963E3442348EBC729A04B857C	6F773A3B38D8CE1F077A53655F221559BF36F0A2E5611723167028DE759FB45A
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dictionary_client_GER.tmd	Unicode text, UTF-8 text, with very long lines (554), with CRLF line terminators	9AD8EDBE48A03EA9F026A63D1950F59C	D4CFB9555DDA08DC2582B18C54CED31282F7602E	326816125FA54D4A09723807EF47884241B3513E8A52F42CAD66AC177E040A6D
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dictionary_client_ITA.tmd	Unicode text, UTF-8 text, with very long lines (545), with CRLF line terminators	555BA58246B88D60247B6C9D6FA9106F	B040E9A84618FBD0340755C500F92CE9E692A0A8	FC60DF878A62C597BF669F24178E1AEB73D619F15385CAC798A654120141012C
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dictionary_client_JPN.tmd	Unicode text, UTF-8 text, with very long lines (317), with CRLF line terminators	F8FA38EBCA233B3B805311979EC31646	850778B2F3949D28C858534720E4CD1E154786F9	E45D81061CF6ED74405D4EBF3BC530489F6A780B84DF510894F8B0A8D4D8A89E
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dictionary_client_PRT.tmd	Unicode text, UTF-8 text, with very long lines (371), with CRLF line terminators	6A3E7509311BE81CC2FFCAD1B697F3BD	E24348698A2F8E316D017A47903683B08B7EC9CB	5A92A07D17108EA6D852108731A2F7CB92F610AD485505D7F8F02BAFF5F5184F
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dictionary_client_SPA.tmd	Unicode text, UTF-8 text, with very long lines (616), with CRLF, CR line terminators	59F4A43B89E599128DA95F68C6C93C5E	5DE54065488D0417EC2C655F156FC6EDC173ECB4	B27C22AC64E6D231AE4C17CB93E0A889D376F24EA44864AC15349C7F70C94910
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dictionary_client_TUR.tmd	Unicode text, UTF-8 text, with very long lines (555), with CRLF line terminators	01E157ED08E05ED80052AD8DF404B530	FD6229C6410350C30D5B7907DB42C521FC3EDB62	295A963CCE972904ACF33153C7CAF731027A36B5B8F5249EAAFC5B5D03012D67
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\image\ApplicationIcon.ico	MS Windows icon resource - 6 icons, 48x48, 8 bits/pixel, 32x32, 8 bits/pixel	883746CDA8ECF40EF07D2F26A687E550	88D8D8D7676AE4890C06ACED19212122BE59F44E	4435E5C62BE3B529D5E2100B5F1F57EDCC2BE82281601313BC8594E52C445D66
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\image\CTMeeting.ico	MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel	F366C80B222E8E83D5EC6D90959C2C45	CBEFD8DC9C8E342C6165D0F9C1FCFB177D2E01BE	8CD38C8E1A62198BEA0BCC85C0B339A835E460ED08A8D8C98BE524B528F07531
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\image\DummyWebcam.png	PNG image data, 64 x 64, 8-bit/color RGB, non-interlaced	2CFEED234A8558FAFA50655ACB115FD8	2FFB1A9FE6536723E96AE500554D3ABEED2147FC	615861E3BE02B7EBCF9378BBFEEFE969B503A11C738DFBD9A6514029205646F9
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\image\IMDefault.png	PNG image data, 56 x 56, 8-bit/color RGBA, non-interlaced	6E8F635F6528CC0433861A8DFB0C2D30	E85EC2E9154D1B12835E0590ED00C22A49E3A6DB	A8CC2B4C182384537CAD5E091DFF777F6806E77EED0E5800B96C573E4FBC1A00
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\image\MXmeeting.ico	MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel	E7D9E81AFA9CB104E0FE70EE9DABCB6B	FA2D7DF277CD730BAD0786F5BA92D3E5D777403B	A04E701256B583F226CE290D979B19D51A6EA4C5A94341E4E35DB1CA94DDC6E8
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\image\ProfileInfoDialogBackground.bmp	PC bitmap, Windows 3.x format, 1 x 98 x 24, image size 394, resolution 2834 x 2834 px/m, cbSize 448, bits offset 54	A8A6EF427C5C0EDE5C70AF58AA5680DE	127365EAF32CEE2BA7A958E766FDCCAD0E3C50C6	1D3F66E964CD9BFF854A550D5ACBB55B2C2027C05CEB7A9396A691B1C9D8C6C2
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\image\Separator1.png	PNG image data, 266 x 9, 8-bit/color RGBA, non-interlaced	B7CCD0351EB77445E7323F2BB74788FD	E0525DA70A851E6DC72D57DD9064F16B949C2A26	8BAA0FEAF55D59C0929419101BDAB9EA326348F13DE8B68EDFB710076F0C3F78
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\image\SeperatorLine.png	PNG image data, 260 x 1, 8-bit/color RGB, non-interlaced	4CE28B32C7836663CE74B29F11D176A7	608EBF86C32394E609ACB091E5FEFCB0AF4B9D39	4199A78439525D778CF91FA5DEFE0C68320B3E51B3EB9C7672939DD4B2F33E50
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\image\TurboMeetingWatermark.png	PNG image data, 274 x 312, 8-bit/color RGBA, interlaced	C939AF5F23D396F55808E95668C73C18	3E8767C4FCB16767E6E04A34A9B81B74C061E411	B128C15EA8BB492570E441F2BD3F81D1A481C75997AE107A1D9E830C98067FD9
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\image\Ymeetee.ico	MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel	E20ADBD0C131A94E99FDE12E0C60D247	EE5EB66E8945EC49A178D739834D448350C1080D	9473FE1FE2D941DB548F70E716DD8ED841DBAC60C02C71A5CE6BA760872DC69A
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\jsproxy.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	7BCD58DF45A40F865E8DBBCB5B2EF6D1	6B8C19C6521CE5E4C8C81F5A59552F3714B15E17	F8CDAC83B1512B6BCFABC616F3865BF11C049E59E4A2C8B5D5D4F031332D83D8
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\rsp1024hcmd.txt	ASCII text, with CRLF line terminators	64EE134763F8A59FA41575B54B4C9799	3047D89F40E4B5BD14A300BA0C8E11A9DF403EA3	6CA7946C4805C3705E6D588455D21131376E94960EDED7FDBBD5DACEB48A916B
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\setup_status.txt	ASCII text, with no line terminators	B906A32DDF38251C7EBEAC7D2D70884E	525C320D456A4B4F000D8BA2E20F400E708EAD7E	615720C8D5AFE51DB35F015B86E68340E73A9E93C6E74A6E5CF23E1081FDA896
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\version.txt	ASCII text, with CRLF line terminators	8797773BBB9B3585F186FC2684A48F6C	460A68B60688E4AC8A169B5A972E5A0120A977BC	18805AD87BD499C00BC4B72EC6B52E9EC1B9087760E1741EA73CD53A92CC839C
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\vistafunc.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	D9F52809F0A87FA85638E08187040545	7A4BAF2DCBA8193AE9209BFF85AF56B18DF9344A	867B919D932C496BE91FDB3FC0AC489FDFFAE9371463BFC24C844FC7CF63A9E4
C:\Users\user\Desktop\TurboMeeting.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Thu Apr 18 03:25:36 2024, mtime=Thu Apr 18 05:15:05 2024, atime=Thu Apr 18 03:25:31 2024, length=18097912, window=hide	259B1F2BAD6893F1CD725CA9D8DEB2E3	11483D70A466F08E1CE3B584B21EC9E59994F6E2	CCD2F69A37791DD4353581109F88F26A44F37E107203FA91109F1C41A005A0A1

Windows Analysis Report SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Signatures

AV Detection

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe