Windows Analysis Report
SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe
Analysis ID: 1429025
MD5: 85dba8fcede6c7f667101c4e4b392584
SHA1: 8d13880f72226f88a3e1a6c332ac56f17af26bb9
SHA256: e25ef3370ff45d829134df08ca5db504716361caeda31a1ae55efe3a1be5f9b6
Tags: exe
Infos:

Detection

Score: 69
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 48
Range: 0 - 100

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Deletes keys which are related to windows safe boot (disables safe mode boot)
Enables network access during safeboot for specific services
Installs a global keyboard hook
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Writes a notice file (html or txt) to demand a ransom
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a global mouse hook
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Uses a known web browser user agent for HTTP communication
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection
barindex
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\Remote SupportWinLauncher.exe Virustotal: Detection: 11% Perma Link
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe ReversingLabs: Detection: 15%
EXE planting / hijacking vulnerabilities found
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\elev_win.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe EXE: icacls.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\java.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\winpty-agent.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\Remote SupportWinLauncher.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\session_win.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\pack200.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\javaw.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\winpty-agent64.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\simplehelper64.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\SimpleService.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\cadasuser.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\simplehelper.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\java-rmi.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\jjs.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\shcad.exe Jump to behavior

Compliance
barindex
EXE planting / hijacking vulnerabilities found
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\elev_win.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe EXE: icacls.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\java.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\winpty-agent.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\Remote SupportWinLauncher.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\session_win.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\pack200.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\javaw.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\winpty-agent64.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\simplehelper64.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\SimpleService.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\cadasuser.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\simplehelper.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\java-rmi.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\jjs.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\shcad.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\readme.txt Jump to behavior
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Static PE information: certificate valid
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\MSVCR100.dll Jump to behavior
Source: Binary string: msvcr100.amd64.pdb source: unpack200.exe, 00000001.00000002.1746629781.00000000666D1000.00000002.00000001.01000000.00000009.sdmp, unpack200.exe, 00000002.00000002.1762948414.00000000666D1000.00000002.00000001.01000000.00000009.sdmp, unpack200.exe, 00000003.00000002.1768255152.00000000666D1000.00000002.00000001.01000000.00000009.sdmp, unpack200.exe, 00000004.00000002.1782178479.00000000666D1000.00000002.00000001.01000000.00000009.sdmp, unpack200.exe, 00000005.00000002.1871527860.00000000666D1000.00000002.00000001.01000000.00000009.sdmp, unpack200.exe, 00000007.00000002.1930861381.00000000666D1000.00000002.00000001.01000000.00000009.sdmp, unpack200.exe, 0000000A.00000002.1990708269.00000000666D1000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: c:\jenkins\workspace\zulu8-build-win64\release\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe, 00000001.00000002.1746959488.00007FF6D8342000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000002.00000002.1763245698.00007FF6D8342000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000003.00000000.1763852294.00007FF6D8342000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000004.00000000.1768887134.00007FF6D8342000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000005.00000002.1871949632.00007FF6D8342000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000007.00000002.1931438331.00007FF6D8342000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 0000000A.00000002.1991124687.00007FF6D8342000.00000002.00000001.01000000.00000008.sdmp
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666644A8 _errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,SetErrorMode, 1_2_666644A8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666663E4 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 1_2_666663E4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666683E8 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 1_2_666683E8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666623A0 FindClose,FindFirstFileExA,FindNextFileA,FindClose, 1_2_666623A0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66665EE8 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 1_2_66665EE8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66663F10 _errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno, 1_2_66663F10
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66667F84 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 1_2_66667F84
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66662C0C FindClose,FindFirstFileExW,FindNextFileW,FindClose, 1_2_66662C0C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66666DDC __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 1_2_66666DDC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66667B1C __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 1_2_66667B1C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6666885C __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 1_2_6666885C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666668D8 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 1_2_666668D8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666649E4 _errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno, 1_2_666649E4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_00402DE0 FindFirstFileA,GetLastError,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime, 15_2_00402DE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\ Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\lib\ Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\ Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File opened: C:\Users\user\AppData\Roaming\ Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File opened: C:\Users\user\ Jump to behavior
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 4x nop then movzx r9d, byte ptr [rdi] 15_2_00404D10
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 4x nop then mov r8, rdi 15_2_004095E0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 4x nop then mov r8d, ebx 15_2_00412980
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 4x nop then movzx eax, byte ptr [rcx+rdx] 15_2_0040A7C0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 4x nop then lea rbx, qword ptr [rsp+70h] 15_2_00409780

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2049863 ET TROJAN SimpleHelp Remote Access Software Activity 192.168.2.4:49734 -> 139.64.137.101:80
Source: Traffic Snort IDS: 2049863 ET TROJAN SimpleHelp Remote Access Software Activity 192.168.2.4:49735 -> 139.64.137.101:80
Enables network access during safeboot for specific services
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Registry value created: NULL Service
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: EXPOHLUS EXPOHLUS
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /customer/JWrapper-Remote%20Support-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.alphetacs.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /customer/JWrapper-JWrapper-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.alphetacs.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /customer/JWrapper-Remote%20Support-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.alphetacs.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /server_side_parameters HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.alphetacs.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /translations_user/en.txt HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.alphetacs.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /branding/brandingfiles?a=3 HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.alphetacs.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /branding/applet_splash.png?a=3 HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.alphetacs.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /branding/branding.properties?a=3 HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.alphetacs.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /simplehelpdisclaimer.txt?language=en HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.alphetacs.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /simplehelpdetails.txt HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.alphetacs.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /customer/JWrapper-Windows64JRE-version.txt?time=4186938694 HTTP/1.1User-Agent: JWrapperDownloaderHost: help.alphetacs.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /customer/JWrapper-Windows64JRE-version.txt?time=4186938694 HTTP/1.1User-Agent: JWrapperDownloaderHost: help.alphetacs.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /customer/JWrapper-Windows64JRE-version.txt?time=4186938694 HTTP/1.1User-Agent: JWrapperDownloaderHost: help.alphetacs.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /customer/JWrapper-Remote%20Support-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.alphetacs.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /customer/JWrapper-JWrapper-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.alphetacs.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /customer/JWrapper-Remote%20Support-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.alphetacs.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /server_side_parameters HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.alphetacs.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /translations_user/en.txt HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.alphetacs.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /branding/brandingfiles?a=3 HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.alphetacs.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /branding/applet_splash.png?a=3 HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.alphetacs.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /branding/branding.properties?a=3 HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.alphetacs.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /simplehelpdisclaimer.txt?language=en HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.alphetacs.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /simplehelpdetails.txt HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.alphetacs.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: unknown DNS traffic detected: queries for: help.alphetacs.com
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000000.1675586934.0000000000444000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://0.0.254.254
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000000.1675586934.0000000000444000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://0.0.254.254%lu
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.000000000378B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.000000000379A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.00000000037AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.apple.com/root.crl0
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.000000000378B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.000000000379A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.00000000037AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.apple.com/timestamp.crl0
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.00000000037B3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.0000000003072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.0000000003072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.00000000037B3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.0000000003072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.00000000037B3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.0000000003072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSAExtendedValidationCodeSigningCA.crl0
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.00000000037B3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.0000000003072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.0000000003072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.00000000037B3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.0000000003072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.0000000003072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.0000000003072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.0000000003072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.0000000003072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.azul.com/zulu/zuludocs/
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.azul.com/zulu/zulurelnotes/
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/tip/src/share/native/sun/security/ec/impl
Source: unpack200.exe, 00000001.00000003.1722430246.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000001.00000003.1722019491.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000001.00000003.1722558940.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000001.00000003.1722133126.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000001.00000003.1722206981.0000000000F38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://maven.apa
Source: unpack200.exe, 00000001.00000003.1722430246.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000001.00000003.1722019491.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000001.00000003.1722558940.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000001.00000003.1722133126.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000001.00000003.1722206981.0000000000F38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://maven.apa.org/POM/4.0.0
Source: unpack200.exe, 0000000A.00000003.1935319033.0000000000D17000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://maven.apache.org/POM/4.0
Source: unpack200.exe, 0000000A.00000003.1986752481.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://maven.apache.org/POM/4.0.0
Source: unpack200.exe, 00000007.00000003.1923095182.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000007.00000003.1922766281.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 0000000A.00000003.1986752481.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://maven.apache.org/xsd/maven-4.0.0.xsd
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.000000000378B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.000000000379A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.00000000037AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.apple.com/ocsp-devid010
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.00000000037B3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.0000000003072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.00000000037B3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.0000000003072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0?
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.00000000037B3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.0000000003072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.0000000003072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.0000000003072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.00000000037B3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.0000000003072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://openjdk.java.net/legal/exception-modules-2007-05-08.html
Source: unpack200.exe, 0000000A.00000003.1935839174.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 0000000A.00000003.1986752481.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://openjsse.github.io/legacy8ujsse/
Source: unpack200.exe, 00000007.00000003.1923095182.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000007.00000003.1922766281.00000000008D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://openjsse.github.io/openjsse/
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://relaxngcc.sf.net/).
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.00000000037B3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.0000000003072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://tartarus.org/~martin/PorterStemmer
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.0000000003072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.0000000003072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.0000000003072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://tl.symcd.com0&
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://upx.sourceforge.net/upx-license.html.
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://upx.tsx.org
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wildsau.idv.uni-linz.ac.at/mfx/upx.html
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/).
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.000000000378B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.000000000379A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.00000000037AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.000000000378B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.000000000379A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.00000000037AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apple.com/appleca0
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.azul.com
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.azul.com/license/zulu_third_party_licenses.html
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ecma-international.org
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ecma-international.org/memento/codeofconduct.htm
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.freebxml.org/
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.freebxml.org/).
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.freetype.org/license.html
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.gnu.org/copyleft/gpl.html
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.gnu.org/licenses/gpl-2.0.txt
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.nexus.hu/upx
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oasis-open.org/policies-guidelines/ipr
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/goto/opensourcecode/request
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.unicode.org/Public/
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.unicode.org/Public/.
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.unicode.org/cldr/data/.
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.unicode.org/copyright.html.
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.unicode.org/reports/
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.xfree86.org/)
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://zulu.org/forum
Source: unpack200.exe, 00000007.00000003.1923095182.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000007.00000003.1922766281.00000000008D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.oracle.com/en/java/javase/11/docs/api/
Source: unpack200.exe, 00000007.00000003.1923095182.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000007.00000003.1875254613.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000007.00000003.1922766281.00000000008D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.oracle.com/en/java/javase/13/docs/api/
Source: unpack200.exe, 00000007.00000003.1923095182.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000007.00000003.1922766281.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 0000000A.00000003.1935839174.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 0000000A.00000003.1986752481.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.oracle.com/javase/8/docs/api/
Source: unpack200.exe, 00000007.00000003.1923095182.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000007.00000003.1922766281.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 0000000A.00000003.1935839174.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 0000000A.00000003.1986752481.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/alexeybakhtin
Source: unpack200.exe, 00000007.00000003.1923095182.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000007.00000003.1922766281.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 0000000A.00000003.1935839174.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 0000000A.00000003.1986752481.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/dkozorez
Source: unpack200.exe, 00000007.00000003.1923095182.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000007.00000003.1922766281.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 0000000A.00000003.1935839174.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 0000000A.00000003.1986752481.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/giltene
Source: unpack200.exe, 0000000A.00000003.1935839174.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 0000000A.00000003.1986752481.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/legacy8ujsse/legacy8ujsse/issues
Source: unpack200.exe, 00000007.00000003.1923095182.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000007.00000003.1922766281.00000000008D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/openjsse/openjsse/issues
Source: unpack200.exe, 00000007.00000003.1923095182.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000007.00000003.1922766281.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 0000000A.00000003.1935839174.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 0000000A.00000003.1986752481.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/papalukas
Source: unpack200.exe, 00000001.00000003.1744176501.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000001.00000003.1744014977.0000000000E51000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://maven.apache.org/xsd/maven-4.0.0.xsd
Source: unpack200.exe, 00000007.00000003.1923095182.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000007.00000003.1922766281.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 0000000A.00000003.1935839174.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 0000000A.00000003.1986752481.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://openjdk.java.net/legal/gplv2
Source: unpack200.exe, 00000007.00000003.1923095182.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000007.00000003.1922766281.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 0000000A.00000003.1935839174.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 0000000A.00000003.1986752481.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://opensource.org/licenses/BSD-2-Clause
Source: unpack200.exe, 00000007.00000003.1923095182.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000007.00000003.1924258092.00000000001E9000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000007.00000003.1875254613.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000007.00000003.1923250678.00000000001E5000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000007.00000003.1922766281.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 0000000A.00000003.1987093455.0000000000B11000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 0000000A.00000003.1935839174.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 0000000A.00000003.1986999297.0000000000C45000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 0000000A.00000003.1987498983.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 0000000A.00000003.1986752481.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oss.sonatype.org/
Source: unpack200.exe, 00000007.00000003.1923095182.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000007.00000003.1875254613.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 00000007.00000003.1922766281.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 0000000A.00000003.1935839174.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 0000000A.00000003.1986752481.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oss.sonatype.org/content/repositories/snapshots
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.00000000037B3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.0000000003072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.0000000003072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0D
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.00000000037B3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.0000000003072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0L
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.000000000378B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.000000000379A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.00000000037AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.apple.com/appleca/0
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.0000000003072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.0000000003072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.thawte.com/cps0/
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.0000000003072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.thawte.com/repository0W

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Installs a global keyboard hook
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Windows user hook set: 0 mouse low level C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Jump to behavior
Installs a global mouse hook
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Windows user hook set: 0 mouse low level C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Jump to behavior

Spam, unwanted Advertisements and Ransom Demands
barindex
Writes a notice file (html or txt) to demand a ransom
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File dropped: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\translations\en.txt -> encryption = setting up session securityverifying_encryption_details = the remote machine is verifying this connection and setting up encryption to protect any transferred data.verifying_password = verifying passwordverifying_password_details = the remote machine is verifying your passwordconnection_closed = connection closedconnection_closed_details = the connection to the remote machine has been terminated# initial update screentapplet_updating = updating, please wait...tapplet_installing = updating, please wait...tapplet_launching = launching...# web page infodont_see_below = don't see anything below?click_here = (click here)no_javascript_support = your browser does not support javascript.<p></p>javascript is required to view this page, please enable it in your browser or add this site to the trusted sites in your browser settings.no_java_message_part_one = if you don't see anything in the space below then your browser probably doesn't have the latest java runtime.<p></p>you can fix this by d Jump to dropped file
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666AA2BC 1_2_666AA2BC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666ACBA0 1_2_666ACBA0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6669E668 1_2_6669E668
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666CA668 1_2_666CA668
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6665B624 1_2_6665B624
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_667036B0 1_2_667036B0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6667C6A0 1_2_6667C6A0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666506B0 1_2_666506B0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666756B8 1_2_666756B8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6666A760 1_2_6666A760
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666CB760 1_2_666CB760
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6667A77C 1_2_6667A77C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6665D73C 1_2_6665D73C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6668C7E8 1_2_6668C7E8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666AB7E4 1_2_666AB7E4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6666B7C4 1_2_6666B7C4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666B77D0 1_2_666B77D0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666727AC 1_2_666727AC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666A7448 1_2_666A7448
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666B3444 1_2_666B3444
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6666F454 1_2_6666F454
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6667A410 1_2_6667A410
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666C74DC 1_2_666C74DC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666724D0 1_2_666724D0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666644A8 1_2_666644A8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666784BC 1_2_666784BC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666BF558 1_2_666BF558
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66690244 1_2_66690244
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666C323C 1_2_666C323C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666C1200 1_2_666C1200
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666CD2F8 1_2_666CD2F8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6669D2C4 1_2_6669D2C4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666BE2B8 1_2_666BE2B8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666C62B0 1_2_666C62B0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666BD2B4 1_2_666BD2B4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66670288 1_2_66670288
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66679294 1_2_66679294
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6664B298 1_2_6664B298
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6666C350 1_2_6666C350
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6668E3FC 1_2_6668E3FC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66693050 1_2_66693050
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666CD028 1_2_666CD028
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666C0008 1_2_666C0008
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666B800C 1_2_666B800C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666B3010 1_2_666B3010
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6667A0EC 1_2_6667A0EC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6664D0E8 1_2_6664D0E8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6667B1E0 1_2_6667B1E0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6666A1F0 1_2_6666A1F0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66678194 1_2_66678194
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666B5E5C 1_2_666B5E5C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66678E10 1_2_66678E10
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6666BE1C 1_2_6666BE1C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66691EE8 1_2_66691EE8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66699EEC 1_2_66699EEC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66694EC4 1_2_66694EC4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6667AE9C 1_2_6667AE9C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66697F74 1_2_66697F74
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66679F44 1_2_66679F44
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666A6F58 1_2_666A6F58
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666BDF5C 1_2_666BDF5C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66663F10 1_2_66663F10
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6668EFE8 1_2_6668EFE8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666C8FF0 1_2_666C8FF0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66679C74 1_2_66679C74
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666B6C0C 1_2_666B6C0C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66668CF8 1_2_66668CF8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666B7CC4 1_2_666B7CC4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66698CD4 1_2_66698CD4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6668BC80 1_2_6668BC80
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66693C9C 1_2_66693C9C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66674D40 1_2_66674D40
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666CAD2C 1_2_666CAD2C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6669CDE8 1_2_6669CDE8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66660DCC 1_2_66660DCC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66690DDC 1_2_66690DDC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666B4DAC 1_2_666B4DAC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66677DB0 1_2_66677DB0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666C3A18 1_2_666C3A18
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6668AA10 1_2_6668AA10
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66677AF4 1_2_66677AF4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66669AAC 1_2_66669AAC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66675A94 1_2_66675A94
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6669CB3C 1_2_6669CB3C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666B4B04 1_2_666B4B04
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66696BF8 1_2_66696BF8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66672BF4 1_2_66672BF4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666BEBD8 1_2_666BEBD8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666A5BB0 1_2_666A5BB0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66675B88 1_2_66675B88
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66688830 1_2_66688830
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666728D4 1_2_666728D4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6664D8B4 1_2_6664D8B4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66689888 1_2_66689888
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6665C894 1_2_6665C894
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66675958 1_2_66675958
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6666A92C 1_2_6666A92C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666B6924 1_2_666B6924
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66687938 1_2_66687938
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6668D900 1_2_6668D900
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6669D904 1_2_6669D904
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666649E4 1_2_666649E4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666959E0 1_2_666959E0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_00007FF6D833BC38 1_2_00007FF6D833BC38
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_00007FF6D8333004 1_2_00007FF6D8333004
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_00007FF6D832164A 1_2_00007FF6D832164A
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_00007FF6D832CA54 1_2_00007FF6D832CA54
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_00007FF6D8321299 1_2_00007FF6D8321299
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_00007FF6D8321122 1_2_00007FF6D8321122
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_00007FF6D8321032 1_2_00007FF6D8321032
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_00007FF6D83214D3 1_2_00007FF6D83214D3
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_00007FF6D8321456 1_2_00007FF6D8321456
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_00007FF6D832164A 1_2_00007FF6D832164A
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_00007FF6D8321DDC 1_2_00007FF6D8321DDC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_00007FF6D8324FE8 1_2_00007FF6D8324FE8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_00007FF6D8338178 1_2_00007FF6D8338178
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_00007FF6D83221B8 1_2_00007FF6D83221B8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_00007FF6D8321311 1_2_00007FF6D8321311
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_00007FF6D8321032 1_2_00007FF6D8321032
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_00007FF6D8321294 1_2_00007FF6D8321294
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_00007FF6D832E4E0 1_2_00007FF6D832E4E0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_00007FF6D833462C 1_2_00007FF6D833462C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_00007FF6D8333004 1_2_00007FF6D8333004
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_00410400 15_2_00410400
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_00410CD0 15_2_00410CD0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_004081B0 15_2_004081B0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_0040E6D0 15_2_0040E6D0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_0040DED0 15_2_0040DED0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_004036B0 15_2_004036B0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_00405060 15_2_00405060
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_004058D0 15_2_004058D0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_0040A0B0 15_2_0040A0B0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_004030B0 15_2_004030B0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_00406D40 15_2_00406D40
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_004011D0 15_2_004011D0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_00402DE0 15_2_00402DE0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_00404E50 15_2_00404E50
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_0040CAC0 15_2_0040CAC0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_0040D2A0 15_2_0040D2A0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_004052A0 15_2_004052A0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_00409F40 15_2_00409F40
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_0040CF60 15_2_0040CF60
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_0040DBE0 15_2_0040DBE0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_004063F0 15_2_004063F0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_00409780 15_2_00409780
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_0040FBA0 15_2_0040FBA0
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe 313000B647E07FE9C08D538D160B5ADB4849A7E2E19C16E5E0F188B176470229
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: String function: 004025D8 appears 42 times
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: String function: 00007FF6D83216B3 appears 75 times
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename t) vs SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.1695540330.00000000037B3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename t) vs SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000000.1675634360.000000000046B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename t) vs SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe
Source: classification engine Classification label: mal69.rans.spyw.evad.winEXE@53/257@2/2
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_00401EEC GetLastError,FormatMessageA,lstrlenA,lstrlenA,LocalAlloc,LocalFree,LocalFree, 15_2_00401EEC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66663DA4 _errno,_invalid_parameter_noinfo,GetDiskFreeSpaceA,GetLastError,_errno, 1_2_66663DA4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7364:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2312:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7468:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user Jump to behavior
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * from Win32_Processor
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe ReversingLabs: Detection: 15%
Source: unpack200.exe String found in binary or memory: (For more information, run %s --help .)
Source: unpack200.exe String found in binary or memory: (For more information, run %s --help .)
Source: unpack200.exe String found in binary or memory: (For more information, run %s --help .)
Source: unpack200.exe String found in binary or memory: (For more information, run %s --help .)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\crs-agent.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\crs-agent.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\charsets.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\charsets.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\jsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\jsse.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\jaccess.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\jaccess.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\sunpkcs11.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\sunpkcs11.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\openjsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\openjsse.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\legacy8ujsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\legacy8ujsse.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\cldrdata.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\cldrdata.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\access-bridge-64.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\access-bridge-64.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\sunmscapi.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\sunmscapi.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\rt.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\rt.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe" "-Xshare:dump"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\customer-jar-with-dependencies.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\customer-jar-with-dependencies.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\customer-jar-with-dependencies.jar" -Xmx512m -Xms5m -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=30 -Djava.util.Arrays.useLegacyMergeSort=true -Djava.net.preferIPv4Stack=true -Dsun.java2d.dpiaware=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Dsun.awt.fontconfig=fontconfig.properties jwrapper.JWrapper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\unrestricted\JWLaunchProperties-1713584048640-1"
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp" /t /c /grant *S-1-1-0:(OI)(CI)F
Source: C:\Windows\System32\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp\ElevateSH" /t /c /grant *S-1-5-32-545:(OI)(CI)F
Source: C:\Windows\System32\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp\ElevateSH\*.*" /t /c /grant *S-1-1-0:(OI)(CI)F
Source: C:\Windows\System32\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Process created: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe -install C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher5018212369185496700.service
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Process created: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe "C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe" "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" "-install" "C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher5018212369185496700.service"
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Process created: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" "-install" "C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher5018212369185496700.service"
Source: unknown Process created: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe"
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\windowslauncher.exe" "-cp" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\customer-jar-with-dependencies.jar" "-Xmx128m" "-Xms5m" "-Dsun.java2d.dpiaware=true" "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete" "com.aem.sdesktop.util.MouseMover" "127.0.0.1" "49745" "127.0.0.1" "49746" "elevated"
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Process created: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" -uninstallbyname ShTemporaryService53942608
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\windowslauncher.exe" "-cp" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\customer-jar-with-dependencies.jar" "-Xmx128m" "-Xms5m" "-Dsun.java2d.dpiaware=true" "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete" "com.aem.sdesktop.util.MouseMover" "127.0.0.1" "49745" "127.0.0.1" "49746" "elevated"
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\customer-jar-with-dependencies.jar" -Xmx128m -Xms5m -Dsun.java2d.dpiaware=true "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete" com.aem.sdesktop.util.MouseMover 127.0.0.1 49749 127.0.0.1 49750 elevated_backup
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\crs-agent.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\crs-agent.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\charsets.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\charsets.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\jsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\jsse.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\jaccess.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\jaccess.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\sunpkcs11.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\sunpkcs11.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\openjsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\openjsse.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\legacy8ujsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\legacy8ujsse.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\cldrdata.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\cldrdata.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\access-bridge-64.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\access-bridge-64.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\sunmscapi.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\sunmscapi.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\rt.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\rt.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe" "-Xshare:dump" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\customer-jar-with-dependencies.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\customer-jar-with-dependencies.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\customer-jar-with-dependencies.jar" -Xmx512m -Xms5m -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=30 -Djava.util.Arrays.useLegacyMergeSort=true -Djava.net.preferIPv4Stack=true -Dsun.java2d.dpiaware=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Dsun.awt.fontconfig=fontconfig.properties jwrapper.JWrapper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\unrestricted\JWLaunchProperties-1713584048640-1" Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp" /t /c /grant *S-1-1-0:(OI)(CI)F Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp\ElevateSH" /t /c /grant *S-1-5-32-545:(OI)(CI)F Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp\ElevateSH\*.*" /t /c /grant *S-1-1-0:(OI)(CI)F Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Process created: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe -install C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher5018212369185496700.service Jump to behavior
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Process created: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe "C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe" "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" "-install" "C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher5018212369185496700.service"
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Process created: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" "-install" "C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher5018212369185496700.service"
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\windowslauncher.exe" "-cp" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\customer-jar-with-dependencies.jar" "-Xmx128m" "-Xms5m" "-Dsun.java2d.dpiaware=true" "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete" "com.aem.sdesktop.util.MouseMover" "127.0.0.1" "49745" "127.0.0.1" "49746" "elevated"
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Process created: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" -uninstallbyname ShTemporaryService53942608
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\windowslauncher.exe" "-cp" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\customer-jar-with-dependencies.jar" "-Xmx128m" "-Xms5m" "-Dsun.java2d.dpiaware=true" "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete" "com.aem.sdesktop.util.MouseMover" "127.0.0.1" "49745" "127.0.0.1" "49746" "elevated"
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\customer-jar-with-dependencies.jar" -Xmx128m -Xms5m -Dsun.java2d.dpiaware=true "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete" com.aem.sdesktop.util.MouseMover 127.0.0.1 49749 127.0.0.1 49750 elevated_backup
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: opengl32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: glu32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: networkexplorer.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: thumbcache.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: opengl32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: glu32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: apphelp.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: wldp.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: propsys.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: profapi.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: edputil.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: urlmon.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: iertutil.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: srvcli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: netutils.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: sspicli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: wintypes.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: appresolver.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: bcp47langs.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: slc.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: userenv.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: sppc.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: pcacli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: mpr.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: sfc_os.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: wldp.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: propsys.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: profapi.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: edputil.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: urlmon.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: iertutil.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: srvcli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: netutils.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: sspicli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: wintypes.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: appresolver.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: bcp47langs.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: slc.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: userenv.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: sppc.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: apphelp.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: pcacli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: mpr.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Section loaded: sfc_os.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: apphelp.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: acgenral.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: winmm.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: samcli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: msacm32.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: version.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: userenv.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: dwmapi.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: urlmon.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: mpr.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: sspicli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: winmmbase.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: winmmbase.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: iertutil.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: srvcli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: netutils.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: aclayers.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: sfc.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: sfc_os.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: apphelp.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: acgenral.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: winmm.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: samcli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: msacm32.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: version.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: userenv.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: dwmapi.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: urlmon.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: mpr.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: sspicli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: winmmbase.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: winmmbase.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: iertutil.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: srvcli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: netutils.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: aclayers.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: sfc.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Section loaded: profapi.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: apphelp.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: acgenral.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: winmm.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: samcli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: msacm32.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: version.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: userenv.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: dwmapi.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: urlmon.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: mpr.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: sspicli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: winmmbase.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: winmmbase.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: iertutil.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: srvcli.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: netutils.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: aclayers.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: sfc.dll
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Section loaded: opengl32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Section loaded: glu32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: opengl32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: glu32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Static PE information: certificate valid
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Static file information: File size 29866288 > 1048576
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\MSVCR100.dll Jump to behavior
Source: Binary string: msvcr100.amd64.pdb source: unpack200.exe, 00000001.00000002.1746629781.00000000666D1000.00000002.00000001.01000000.00000009.sdmp, unpack200.exe, 00000002.00000002.1762948414.00000000666D1000.00000002.00000001.01000000.00000009.sdmp, unpack200.exe, 00000003.00000002.1768255152.00000000666D1000.00000002.00000001.01000000.00000009.sdmp, unpack200.exe, 00000004.00000002.1782178479.00000000666D1000.00000002.00000001.01000000.00000009.sdmp, unpack200.exe, 00000005.00000002.1871527860.00000000666D1000.00000002.00000001.01000000.00000009.sdmp, unpack200.exe, 00000007.00000002.1930861381.00000000666D1000.00000002.00000001.01000000.00000009.sdmp, unpack200.exe, 0000000A.00000002.1990708269.00000000666D1000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: c:\jenkins\workspace\zulu8-build-win64\release\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe, 00000001.00000002.1746959488.00007FF6D8342000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000002.00000002.1763245698.00007FF6D8342000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000003.00000000.1763852294.00007FF6D8342000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000004.00000000.1768887134.00007FF6D8342000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000005.00000002.1871949632.00007FF6D8342000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000007.00000002.1931438331.00007FF6D8342000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 0000000A.00000002.1991124687.00007FF6D8342000.00000002.00000001.01000000.00000008.sdmp
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666596BC LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_666596BC
PE file contains an invalid checksum
Source: utils_wnative_winpty_intel-64.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x38241
Source: jjs.exe.0.dr Static PE information: real checksum: 0xd1e5 should be: 0xc81f
Source: shcad.exe.0.dr Static PE information: real checksum: 0x13bcf should be: 0x2dd75
Source: jvm.dll.0.dr Static PE information: real checksum: 0x8a0779 should be: 0x8a10db
Source: javaw.exe.0.dr Static PE information: real checksum: 0x3ff01 should be: 0x41637
Source: winpty-agent.exe.0.dr Static PE information: real checksum: 0x3dddd should be: 0x4267d
Source: utils_wnative_dxgi_intel-64.dll.0.dr Static PE information: real checksum: 0x26d83 should be: 0x27976
Source: cadasuser.exe.0.dr Static PE information: real checksum: 0x15750 should be: 0x2c5c2
Source: Remote SupportWinLauncher.exe.0.dr Static PE information: real checksum: 0x6b466 should be: 0xa1f9c
Source: utils_wnative_intel-32.dll.0.dr Static PE information: real checksum: 0x38c46 should be: 0x39518
Source: simplehelper64.exe.0.dr Static PE information: real checksum: 0x14642 should be: 0x15834
Source: SimpleService.exe.0.dr Static PE information: real checksum: 0x1cc64 should be: 0x1e28d
Source: windowslauncher.exe.0.dr Static PE information: real checksum: 0x27e73 should be: 0x36d42
Source: jwutils_win32.dll.0.dr Static PE information: real checksum: 0x26fe6 should be: 0x3664f
Source: utils_wnative_shpty_intel-64.dll.0.dr Static PE information: real checksum: 0x18027 should be: 0x2697f
Source: utils_wnative_winpty_intel-32.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x33d45
Source: freetype.dll.0.dr Static PE information: real checksum: 0xaf521 should be: 0xa6754
Source: utils_wnative_intel-64.dll.0.dr Static PE information: real checksum: 0x3b2f0 should be: 0x3c0ae
Source: Remote Support.exe.0.dr Static PE information: real checksum: 0x27e73 should be: 0x36d42
Source: unpack200.exe.0.dr Static PE information: real checksum: 0x3ad77 should be: 0x3b9ae
Source: utils_wnative_dxgi_intel-32.dll.0.dr Static PE information: real checksum: 0x28f63 should be: 0x2a362
Source: winpty-agent64.exe.0.dr Static PE information: real checksum: 0x4c96d should be: 0x4acd5
Source: session_win.exe.0.dr Static PE information: real checksum: 0x18543 should be: 0x35d94
Source: java.exe.0.dr Static PE information: real checksum: 0x33084 should be: 0x3cd32
Source: pack200.exe.0.dr Static PE information: real checksum: 0x5fdd should be: 0x7713
Source: java-rmi.exe.0.dr Static PE information: real checksum: 0xc872 should be: 0x6521
Source: elev_win.exe.0.dr Static PE information: real checksum: 0x19839 should be: 0x3cd17
Source: jwutils_win64.dll.0.dr Static PE information: real checksum: 0x3aa5f should be: 0x44100
Source: simplehelper.exe.0.dr Static PE information: real checksum: 0x16ea2 should be: 0x150fa
Source: utils_wnative_shpty_intel-32.dll.0.dr Static PE information: real checksum: 0x1a02b should be: 0x2375a
PE file contains sections with non-standard names
Source: msvcr100.dll.0.dr Static PE information: section name: _CONST
Source: msvcr100.dll.0.dr Static PE information: section name: text
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6670B37B push rbp; iretd 1_2_6670B38E
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66706E1B push rbp; iretd 1_2_66706E2E
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66708B1D push rcx; retf 003Fh 1_2_66708B1E
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66707885 push 0000003Eh; ret 1_2_66707887
Drops PE files
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\jli.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\dt_socket.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\java.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\utils_wnative_winpty_intel-64.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\sunmscapi.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\npt.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\w2k_lsa_auth.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\winpty-agent64.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\simplehelper64.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\jwutils_win32.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\net.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\JAWTAccessBridge-64.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\utils_wnative_dxgi_intel-64.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\JavaAccessBridge-64.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\java-rmi.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\jdwp.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\j2pcsc.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe File created: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\WindowsAccessBridge-64.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\instrument.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\fontmanager.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\utils_wnative_shpty_intel-32.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\verify.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\jsound.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\jwutils_win64.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\javaw.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\splashscreen.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\hprof.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\simplehelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\jjs.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\server\jvm.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\utils_wnative_intel-32.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\jawt.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\jsdt.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\Remote SupportWinLauncher.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\session_win.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\pack200.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\jpeg.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\utils_wnative_shpty_intel-64.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\SimpleService.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\msvcr100.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe File created: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\utils_wnative_winpty_intel-32.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\shcad.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\elev_win.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\nio.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\utils_wnative_intel-64.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\j2pkcs11.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\lcms.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\freetype.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\winpty-agent.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\jaas_nt.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\sunec.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\awt.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\java.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\mlib_image.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\cadasuser.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\dt_shmem.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\jsoundds.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\utils_wnative_dxgi_intel-32.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\management.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\zip.dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe File created: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe File created: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\readme.txt Jump to behavior
Creates or modifies windows services
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ShTemporaryService53942608\Parameters
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6665D73C GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError, 1_2_6665D73C
Uses cacls to modify the permissions of files
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp" /t /c /grant *S-1-1-0:(OI)(CI)F
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Queries memory information (via WMI often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * from Win32_PhysicalMemory
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT MemoryErrorCorrection from Win32_PhysicalMemoryArray
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT DeviceID, Name, Model, InterfaceType, MediaType, Size, SerialNumber from Win32_DiskDrive
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * from Win32_PhysicalMemory
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT MemoryErrorCorrection from Win32_PhysicalMemoryArray
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6665BAC4 rdtsc 1_2_6665BAC4
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\jli.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\dt_socket.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\utils_wnative_winpty_intel-64.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\java.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\sunmscapi.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\npt.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\w2k_lsa_auth.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\simplehelper64.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\winpty-agent64.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\net.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\jwutils_win32.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\JAWTAccessBridge-64.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\utils_wnative_dxgi_intel-64.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\JavaAccessBridge-64.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\java-rmi.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\jdwp.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\j2pcsc.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\WindowsAccessBridge-64.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\instrument.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\fontmanager.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\utils_wnative_shpty_intel-32.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\verify.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\jsound.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\jwutils_win64.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\javaw.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\splashscreen.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\hprof.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\simplehelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\server\jvm.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\jjs.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\utils_wnative_intel-32.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\jawt.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\Remote SupportWinLauncher.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\jsdt.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\jpeg.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\pack200.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\utils_wnative_shpty_intel-64.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\utils_wnative_winpty_intel-32.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\shcad.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\nio.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\utils_wnative_intel-64.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\j2pkcs11.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\lcms.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\freetype.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\winpty-agent.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\jaas_nt.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\sunec.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\awt.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\java.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\cadasuser.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\mlib_image.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\dt_shmem.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\jsoundds.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\utils_wnative_dxgi_intel-32.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\management.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\zip.dll Jump to dropped file
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe API coverage: 4.8 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe TID: 5340 Thread sleep time: -60000s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber,Version,Name,Manufacturer from Win32_BIOS
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT IdentifyingNumber,Version,Vendor,Name from Win32_ComputerSystemProduct
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * from Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666644A8 _errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,SetErrorMode, 1_2_666644A8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666663E4 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 1_2_666663E4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666683E8 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 1_2_666683E8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666623A0 FindClose,FindFirstFileExA,FindNextFileA,FindClose, 1_2_666623A0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66665EE8 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 1_2_66665EE8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66663F10 _errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno, 1_2_66663F10
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66667F84 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 1_2_66667F84
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66662C0C FindClose,FindFirstFileExW,FindNextFileW,FindClose, 1_2_66662C0C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66666DDC __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 1_2_66666DDC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66667B1C __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 1_2_66667B1C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6666885C __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 1_2_6666885C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666668D8 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 1_2_666668D8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666649E4 _errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno, 1_2_666649E4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_00402DE0 FindFirstFileA,GetLastError,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime, 15_2_00402DE0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666A9780 VirtualQuery,GetSystemInfo,SetThreadStackGuarantee,VirtualAlloc,VirtualProtect, 1_2_666A9780
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\ Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\lib\ Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\ Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File opened: C:\Users\user\AppData\Roaming\ Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe File opened: C:\Users\user\ Jump to behavior
Source: SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe, 00000000.00000003.2265858314.0000000004486000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Copyright (C) 2009 VMware, Inc. All Rights Reserved.
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Process information queried: ProcessInformation
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6665BAC4 rdtsc 1_2_6665BAC4
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666B06B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_666B06B0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666596BC LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_666596BC
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666AECC8 GetProcessHeap,HeapAlloc,_errno,_errno,__doserrno,_errno,GetProcessHeap,HeapFree,SetEndOfFile,_errno,__doserrno,GetLastError, 1_2_666AECC8
Enables debug privileges
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666B06B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_666B06B0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666B02A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_666B02A4
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_00007FF6D833EA60 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,__crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,__crt_debugger_hook,GetCurrentProcess,TerminateProcess, 1_2_00007FF6D833EA60
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_00007FF6D833F064 SetUnhandledExceptionFilter, 1_2_00007FF6D833F064
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_00007FF6D83503F0 SetUnhandledExceptionFilter, 1_2_00007FF6D83503F0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_00406880 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_00406880
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_0040F500 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_0040F500
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_00406230 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_00406230
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: 15_2_004062D0 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_004062D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Memory protected: page read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\crs-agent.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\crs-agent.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\charsets.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\charsets.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\jsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\jsse.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\jaccess.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\jaccess.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\sunpkcs11.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\sunpkcs11.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\openjsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\openjsse.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\legacy8ujsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\legacy8ujsse.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\cldrdata.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\cldrdata.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\access-bridge-64.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\access-bridge-64.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\sunmscapi.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\ext\sunmscapi.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\rt.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\lib\rt.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe" "-Xshare:dump" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\customer-jar-with-dependencies.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583921-5-app\customer-jar-with-dependencies.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\customer-jar-with-dependencies.jar" -Xmx512m -Xms5m -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=30 -Djava.util.Arrays.useLegacyMergeSort=true -Djava.net.preferIPv4Stack=true -Dsun.java2d.dpiaware=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Dsun.awt.fontconfig=fontconfig.properties jwrapper.JWrapper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\unrestricted\JWLaunchProperties-1713584048640-1" Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp" /t /c /grant *S-1-1-0:(OI)(CI)F Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp\ElevateSH" /t /c /grant *S-1-5-32-545:(OI)(CI)F Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\SimpleHelp\ElevateSH\*.*" /t /c /grant *S-1-1-0:(OI)(CI)F Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Process created: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe -install C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher5018212369185496700.service Jump to behavior
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Process created: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe "C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe" "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" "-install" "C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher5018212369185496700.service"
Source: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe Process created: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" "-install" "C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher5018212369185496700.service"
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\windowslauncher.exe" "-cp" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\customer-jar-with-dependencies.jar" "-Xmx128m" "-Xms5m" "-Dsun.java2d.dpiaware=true" "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete" "com.aem.sdesktop.util.MouseMover" "127.0.0.1" "49745" "127.0.0.1" "49746" "elevated"
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Process created: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" -uninstallbyname ShTemporaryService53942608
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\customer-jar-with-dependencies.jar" -Xmx128m -Xms5m -Dsun.java2d.dpiaware=true "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete" com.aem.sdesktop.util.MouseMover 127.0.0.1 49749 127.0.0.1 49750 elevated_backup
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\crs-agent.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\crs-agent.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\charsets.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\charsets.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\jsse.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\jsse.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\ext\jaccess.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\ext\jaccess.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\ext\sunpkcs11.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\ext\sunpkcs11.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\ext\openjsse.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\ext\openjsse.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\ext\legacy8ujsse.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\ext\legacy8ujsse.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\ext\cldrdata.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\ext\cldrdata.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\ext\access-bridge-64.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\ext\access-bridge-64.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\ext\sunmscapi.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\ext\sunmscapi.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\rt.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\rt.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583921-5-app\customer-jar-with-dependencies.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583921-5-app\customer-jar-with-dependencies.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\remote support.exe" -cp "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00102236241-complete\customer-jar-with-dependencies.jar" -xmx512m -xms5m -xx:minheapfreeratio=15 -xx:maxheapfreeratio=30 -djava.util.arrays.uselegacymergesort=true -djava.net.preferipv4stack=true -dsun.java2d.dpiaware=true -dhttps.protocols=tlsv1,tlsv1.1,tlsv1.2,tlsv1.3 -dsun.awt.fontconfig=fontconfig.properties jwrapper.jwrapper "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00102236241-complete\unrestricted\jwlaunchproperties-1713584048640-1"
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00102236241-complete\session_win.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\windowslauncher.exe" "-cp" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00102236241-complete\customer-jar-with-dependencies.jar" "-xmx128m" "-xms5m" "-dsun.java2d.dpiaware=true" "-djava.library.path=c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00102236241-complete" "com.aem.sdesktop.util.mousemover" "127.0.0.1" "49745" "127.0.0.1" "49746" "elevated"
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\windowslauncher.exe" "-cp" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00102236241-complete\customer-jar-with-dependencies.jar" "-xmx128m" "-xms5m" "-dsun.java2d.dpiaware=true" "-djava.library.path=c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00102236241-complete" "com.aem.sdesktop.util.mousemover" "127.0.0.1" "49745" "127.0.0.1" "49746" "elevated"
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\session elevation helper" -cp "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00102236241-complete\customer-jar-with-dependencies.jar" -xmx128m -xms5m -dsun.java2d.dpiaware=true "-djava.library.path=c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00102236241-complete" com.aem.sdesktop.util.mousemover 127.0.0.1 49749 127.0.0.1 49750 elevated_backup
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\crs-agent.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\crs-agent.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\charsets.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\charsets.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\jsse.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\jsse.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\ext\jaccess.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\ext\jaccess.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\ext\sunpkcs11.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\ext\sunpkcs11.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\ext\openjsse.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\ext\openjsse.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\ext\legacy8ujsse.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\ext\legacy8ujsse.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\ext\cldrdata.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\ext\cldrdata.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\ext\access-bridge-64.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\ext\access-bridge-64.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\ext\sunmscapi.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\ext\sunmscapi.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\rt.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583982-6-app\lib\rt.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583921-5-app\customer-jar-with-dependencies.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713583921-5-app\customer-jar-with-dependencies.jar" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\remote support.exe" -cp "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00102236241-complete\customer-jar-with-dependencies.jar" -xmx512m -xms5m -xx:minheapfreeratio=15 -xx:maxheapfreeratio=30 -djava.util.arrays.uselegacymergesort=true -djava.net.preferipv4stack=true -dsun.java2d.dpiaware=true -dhttps.protocols=tlsv1,tlsv1.1,tlsv1.2,tlsv1.3 -dsun.awt.fontconfig=fontconfig.properties jwrapper.jwrapper "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00102236241-complete\unrestricted\jwlaunchproperties-1713584048640-1" Jump to behavior
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00102236241-complete\session_win.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\windowslauncher.exe" "-cp" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00102236241-complete\customer-jar-with-dependencies.jar" "-xmx128m" "-xms5m" "-dsun.java2d.dpiaware=true" "-djava.library.path=c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00102236241-complete" "com.aem.sdesktop.util.mousemover" "127.0.0.1" "49745" "127.0.0.1" "49746" "elevated"
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\session_win.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\windowslauncher.exe" "-cp" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00102236241-complete\customer-jar-with-dependencies.jar" "-xmx128m" "-xms5m" "-dsun.java2d.dpiaware=true" "-djava.library.path=c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00102236241-complete" "com.aem.sdesktop.util.mousemover" "127.0.0.1" "49745" "127.0.0.1" "49746" "elevated"
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows64jre-00084000053-complete\bin\session elevation helper" -cp "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00102236241-complete\customer-jar-with-dependencies.jar" -xmx128m -xms5m -dsun.java2d.dpiaware=true "-djava.library.path=c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00102236241-complete" com.aem.sdesktop.util.mousemover 127.0.0.1 49749 127.0.0.1 49750 elevated_backup
Source: unpack200.exe, 0000000B.00000003.2006517931.0000000002A3F000.00000004.00000020.00020000.00000000.sdmp, unpack200.exe, 0000000B.00000003.2012424199.0000000002A3F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: manksmanks dilimanksimanobomanobo dilimanobo jezikmanobo kalbamanobo keelmanobo sprogmanobokielimanobospr
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: _getptd,GetLocaleInfoA, 1_2_666BB6E0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: GetLocaleInfoW, 1_2_666BB7CC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,free, 1_2_666B95DC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: GetLastError,free,free,GetLocaleInfoW,GetLocaleInfoW,free,GetLocaleInfoW, 1_2_666B1058
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: EnumSystemLocalesA, 1_2_666BBC6C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: EnumSystemLocalesA, 1_2_666BBD0C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,GetLocaleInfoW,GetLocaleInfoW,GetACP,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s, 1_2_666BBD80
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: _getptd,GetLocaleInfoA,GetLocaleInfoW, 1_2_666BBB38
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW, 1_2_666BB864
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\windowslauncher.exe Code function: GetLocaleInfoA, 15_2_00412F00
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Queries volume information: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-JWrapper-00102236230-complete\nativesplash.png VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Queries volume information: C:\ProgramData\SimpleHelp\ElevateSH\lock VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe Queries volume information: C:\ProgramData\SimpleHelp\ElevateSH\lock VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_6667B768 _errno,GetLocalTime,_errno,_invalid_parameter_noinfo, 1_2_6667B768
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_66678E10 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 1_2_66678E10
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713583982-6-app\bin\unpack200.exe Code function: 1_2_666A8E68 HeapCreate,GetVersion,HeapSetInformation, 1_2_666A8E68
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Deletes keys which are related to windows safe boot (disables safe mode boot)
Source: C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe Registry key or value deleted: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ShTemporaryService53942608
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1429025 Sample: SecuriteInfo.com.Trojan.Sig... Startdate: 20/04/2024 Architecture: WINDOWS Score: 69 72 help.alphetacs.com 2->72 76 Snort IDS alert for network traffic 2->76 78 Multi AV Scanner detection for dropped file 2->78 80 Multi AV Scanner detection for submitted file 2->80 82 3 other signatures 2->82 10 SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe 293 2->10         started        15 SimpleService.exe 2->15         started        signatures3 process4 dnsIp5 74 help.alphetacs.com 139.64.137.101, 49734, 49735, 49742 EXPOHLUS Reserved 10->74 62 C:\Users\user\AppData\Roaming\...\zip.dll, PE32+ 10->62 dropped 64 C:\Users\user\AppData\...\windowslauncher.exe, PE32+ 10->64 dropped 66 C:\Users\user\AppData\...\w2k_lsa_auth.dll, PE32+ 10->66 dropped 68 68 other files (67 malicious) 10->68 dropped 90 Writes a notice file (html or txt) to demand a ransom 10->90 17 Remote Support.exe 32 10->17         started        22 unpack200.exe 1 10->22         started        24 unpack200.exe 1 10->24         started        30 11 other processes 10->30 26 SimpleService.exe 15->26         started        28 session_win.exe 15->28         started        file6 signatures7 process8 dnsIp9 70 127.0.0.1 unknown unknown 17->70 56 C:\ProgramData\...\SimpleService.exe, PE32 17->56 dropped 58 C:\ProgramData\SimpleHelp\...\elev_win.exe, PE32 17->58 dropped 84 Installs a global keyboard hook 17->84 32 elev_win.exe 17->32         started        34 icacls.exe 17->34         started        36 icacls.exe 17->36         started        38 icacls.exe 17->38         started        86 Deletes keys which are related to windows safe boot (disables safe mode boot) 26->86 40 windowslauncher.exe 28->40         started        file10 signatures11 process12 file13 43 elev_win.exe 32->43         started        45 conhost.exe 34->45         started        47 conhost.exe 36->47         started        49 conhost.exe 38->49         started        60 C:\Users\user\...\Session Elevation Helper, PE32+ 40->60 dropped 51 Session Elevation Helper 40->51         started        process14 process15 53 SimpleService.exe 43->53         started        signatures16 88 Enables network access during safeboot for specific services 53->88
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
139.64.137.101
 help.alphetacs.com Reserved
62809 EXPOHLUS true

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
help.alphetacs.com 139.64.137.101 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://help.alphetacs.com/customer/JWrapper-Remote%20Support-version.txt true
    		unknown
    http://help.alphetacs.com/customer/JWrapper-Windows64JRE-version.txt?time=4186938694 true
      		unknown
      http://help.alphetacs.com/customer/JWrapper-JWrapper-version.txt true
        		unknown
        http://help.alphetacs.com/branding/applet_splash.png?a=3 true
          		unknown
          http://help.alphetacs.com/simplehelpdetails.txt true
            		unknown
            http://help.alphetacs.com/branding/brandingfiles?a=3 true
              		unknown
              http://help.alphetacs.com/simplehelpdisclaimer.txt?language=en true
                		unknown
                http://help.alphetacs.com/translations_user/en.txt true
                  		unknown
                  http://help.alphetacs.com/server_side_parameters true
                    		unknown
                    http://help.alphetacs.com/branding/branding.properties?a=3 true
                      		unknown