Windows Analysis Report
SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe
Analysis ID: 1429051
MD5: f02aaaf0d308cf00b19cd2ee4f389ac5
SHA1: dd2fa4b5d4b10a33551ba682b5e9d1dddbe127c5
SHA256: cf78a3bb1b9513d9c31bde6e6e36860570cd7d192f1a862c8545ea2d2df11c38
Tags: exe

Detection

Score: 69
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 33
Range: 0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Installs a global keyboard hook
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Writes a notice file (html or txt) to demand a ransom
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
EXE planting / hijacking vulnerabilities found
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a global mouse hook
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection

Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\Remote SupportWinLauncher.exe ReversingLabs: Detection: 37%
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\java-rmi.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\simplehelper.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\elev_win.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\shcad.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\javaw.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\session_win.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\pack200.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\winpty-agent64.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\Remote SupportWinLauncher.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\cadasuser.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\SimpleService.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\winpty-agent.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\java.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\jjs.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe EXE: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\simplehelper64.exe

Compliance

Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\readme.txt
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Static PE information: certificate valid
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\MSVCR100.dll
Source: Binary string: c:\jenkins\workspace\zulu8-build-win32\release\jdk\objs\unpackexe\unpack200.pdbi source: unpack200.exe, 00000002.00000002.2115296330.000000000003B000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000003.00000000.2116800779.000000000003B000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000004.00000000.2132208590.000000000003B000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000005.00000002.2149243996.000000000003B000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000006.00000000.2150882392.000000000003B000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: c:\jenkins\workspace\zulu8-build-win32\release\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe, 00000002.00000002.2115296330.000000000003B000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000003.00000000.2116800779.000000000003B000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000004.00000000.2132208590.000000000003B000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000005.00000002.2149243996.000000000003B000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000006.00000000.2150882392.000000000003B000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: msvcr100.i386.pdb source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2639716947.000000006CB01000.00000020.00000001.01000000.00000009.sdmp, unpack200.exe, unpack200.exe, 00000002.00000002.2115828197.000000006CEF1000.00000020.00000001.01000000.00000009.sdmp, unpack200.exe, 00000003.00000002.2130779590.000000006CEF1000.00000020.00000001.01000000.00000009.sdmp, unpack200.exe, 00000004.00000002.2137963953.000000006CEF1000.00000020.00000001.01000000.00000009.sdmp, unpack200.exe, 00000005.00000002.2149805166.000000006CEF1000.00000020.00000001.01000000.00000009.sdmp, unpack200.exe, 00000006.00000002.2170744753.000000006CEF1000.00000020.00000001.01000000.00000009.sdmp, unpack200.exe, 00000007.00000002.2186803365.000000006CEF1000.00000020.00000001.01000000.00000009.sdmp
Source: Binary string: c:\jenkins\workspace\zulu8-build-win32\release\jdk\objs\libnio\nio.pdb source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2642273328.000000006E0F7000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: c:\Users\gchristelis\Documents\Visual Studio 2008\Projects\cad\Release\cad.pdb source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004583000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\zulu8-build-win32\release\jdk\objs\libzip\zip.pdb source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2643472222.00000000733FB000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: c:\jenkins\workspace\zulu8-build-win32\release\jdk\objs\libfontmanager\fontmanager.pdb source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2638487863.000000006C7B1000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: c:\jenkins\workspace\zulu8-build-win32\release\jdk\objs\libawt\awt.pdb source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2639279375.000000006CA6A000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: c:\jenkins\workspace\zulu8-build-win32\release\jdk\objs\libnet\net.pdb source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2642630346.000000006E38D000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: c:\jenkins\workspace\zulu8-build-win32\release\jdk\objs\libjava\java.pdb source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2643067107.000000006E473000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: c:\jenkins\workspace\zulu8-build-win32\release\jdk\objs\libfontmanager\fontmanager.pdbp|l source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2638487863.000000006C7B1000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: c:\jenkins\workspace\zulu8-build-win32\release\jdk\objs\libzip\zip.pdbI source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2643472222.00000000733FB000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: C:\jenkins\workspace\zulu8-build-win32\release\hotspot\windows_i486_compiler1\product\jvm.pdb source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2640628576.000000006CEA0000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: c:\jenkins\workspace\zulu8-build-win32\release\jdk\objs\libverify\verify.pdb source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2643837886.0000000073A96000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: c:\jenkins\workspace\zulu8-build-win32\release\jdk\objs\libawt\awt.pdb8n source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2639279375.000000006CA6A000.00000002.00000001.01000000.00000011.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_004192F3 FindFirstFileA,GetLastError,_strcpy_s,__invoke_watson, 0_2_004192F3
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF4EFE1 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose, 2_2_6CF4EFE1
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF50F84 _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose, 2_2_6CF50F84
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF4CA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose, 2_2_6CF4CA9B
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF50B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose, 2_2_6CF50B33
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF4C775 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose, 2_2_6CF4C775
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF50702 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose, 2_2_6CF50702
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF17C6D _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose, 2_2_6CF17C6D
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF4FD86 _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose, 2_2_6CF4FD86
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF4DF35 _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson, 2_2_6CF4DF35
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF4F8B5 _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose, 2_2_6CF4F8B5
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF4DA38 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_seterrormode,SetErrorMode, 2_2_6CF4DA38
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF4D4FF _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson, 2_2_6CF4D4FF
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF4F40B _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose, 2_2_6CF4F40B
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Code function: 16_2_00402963 FindFirstFileA,GetLastError,_strcpy_s,__invoke_watson, 16_2_00402963
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\lib\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File opened: C:\Users\user\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File opened: C:\Users\user\AppData\Roaming\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 4x nop then cmp eax, dword ptr [ecx+04h] 0_2_04F47BD8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 4x nop then add byte ptr [edi], dh 2_2_6CF08468
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 4x nop then push esi 2_2_6CEFF640

Networking

Source: Traffic Snort IDS: 2049863 ET TROJAN SimpleHelp Remote Access Software Activity 192.168.2.5:49710 -> 208.75.205.129:80
Source: Traffic Snort IDS: 2049863 ET TROJAN SimpleHelp Remote Access Software Activity 192.168.2.5:49709 -> 208.75.205.129:80
Source: global traffic HTTP traffic detected: GET /customer/JWrapper-Remote%20Support-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.tkfast.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /customer/JWrapper-JWrapper-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.tkfast.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /server_side_parameters HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.tkfast.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /translations_user/en.txt HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.tkfast.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /branding/brandingfiles?a=3 HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.tkfast.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /branding/applet_splash.png?a=3 HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.tkfast.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /branding/branding.properties?a=3 HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.tkfast.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /simplehelpdisclaimer.txt?language=en HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.tkfast.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /simplehelpdetails.txt HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.tkfast.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /availableports HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.tkfast.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_004057B4 InternetOpenA,_memset,InternetCrackUrlA,_memset,_memset,_strncpy,_strncpy,InternetConnectA,HttpOpenRequestA,InternetOpenUrlA,HttpSendRequestA,InternetQueryOptionA,InternetSetOptionA,HttpSendRequestA,__time64,WaitForSingleObject,GetDesktopWindow,InternetErrorDlg,HttpSendRequestA,ReleaseMutex,ReleaseMutex,ReleaseMutex,_memset,__time64,InternetReadFile,WaitForSingleObject,ReleaseMutex,__time64,SetEvent, 0_2_004057B4
Source: global traffic HTTP traffic detected: GET /customer/JWrapper-Windows32JRE-version.txt?time=4211847998 HTTP/1.1User-Agent: JWrapperDownloaderHost: help.tkfast.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /customer/JWrapper-Remote%20Support-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.tkfast.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /customer/JWrapper-JWrapper-version.txt HTTP/1.1User-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.tkfast.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /server_side_parameters HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.tkfast.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /translations_user/en.txt HTTP/1.1Cache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/15.0 (Macintosh; Intel Mac OS X 110_9_9) AppleWebKit/1537.36 (KHTML, like Gecko) Chrome/145.0.2272.118 Safari/1537.36Host: help.tkfast.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive
Source: unknown DNS traffic detected: queries for: help.tkfast.com
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2617618805.0000000000438000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000000.2060182249.0000000000438000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004583000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2627362976.0000000007468000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2630972193.000000000C6F4000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2625950509.0000000004A8C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://0.0.254.254
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2617618805.0000000000438000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000000.2060182249.0000000000438000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004583000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://0.0.254.254%lu
Source: Remote Support.exe String found in binary or memory: http://apache.org/xml/features/standard-uri-conformantrn2
Source: Remote Support.exe String found in binary or memory: http://apache.org/xml/features/validation/balance-syntax-trees
Source: Remote Support.exe String found in binary or memory: http://apache.org/xml/features/validation/dynamic
Source: Remote Support.exe String found in binary or memory: http://apache.org/xml/properties/input-buffer-sizenal/im
Source: Remote Support.exe String found in binary or memory: http://apache.org/xml/properties/internal/error-handler
Source: Remote Support.exe String found in binary or memory: http://apache.org/xml/properties/internal/stax-entity-resolverXM=
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2081067787.0000000003707000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2081067787.0000000003716000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2081067787.000000000372A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.apple.com/root.crl0
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2081067787.0000000003707000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2081067787.0000000003716000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2081067787.000000000372A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.apple.com/timestamp.crl0
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2622332731.00000000028E1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2624127226.00000000037F1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.000000000495F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2626455876.0000000004D95000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2622332731.0000000002913000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.00000000048ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004583000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2482777417.000000000458D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2617730763.000000000044B000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2624929551.0000000004177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2622332731.0000000002948000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004911000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2081067787.000000000372F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004583000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004911000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2622332731.00000000028E1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2624127226.00000000037F1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.000000000495F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2626455876.0000000004D95000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2622332731.0000000002913000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.00000000048ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004583000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2482777417.000000000458D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2617730763.000000000044B000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2624929551.0000000004177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2622332731.0000000002948000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004911000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2081067787.000000000372F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2622332731.00000000028E1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2624127226.00000000037F1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.000000000495F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2626455876.0000000004D95000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2622332731.0000000002913000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.00000000048ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004583000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2482777417.000000000458D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2617730763.000000000044B000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2624929551.0000000004177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2622332731.0000000002948000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004911000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2081067787.000000000372F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSAExtendedValidationCodeSigningCA.crl0
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2620409954.0000000002412000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2622332731.00000000028E1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2624127226.00000000037F1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.000000000495F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2626455876.0000000004D95000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2622332731.0000000002913000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.00000000048ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004583000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2482777417.000000000458D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2617730763.000000000044B000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2624929551.0000000004177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2622332731.0000000002948000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004911000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2081067787.000000000372F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2624127226.00000000037F1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2622332731.0000000002913000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004583000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2482777417.000000000458D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2617730763.000000000044B000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2624929551.0000000004177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2622332731.0000000002948000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004911000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2620409954.0000000002412000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2622332731.00000000028E1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2624127226.00000000037F1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.000000000495F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2626455876.0000000004D95000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2622332731.0000000002913000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.00000000048ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004583000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2482777417.000000000458D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2617730763.000000000044B000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2624929551.0000000004177000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2622332731.0000000002948000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004911000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2081067787.000000000372F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004583000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004583000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004583000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/sureobject.crl0
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004583000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004911000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004583000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004911000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004583000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004911000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004583000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004911000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2482777417.000000000458D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.azul.com/zulu/zuludocs/
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2482777417.000000000458D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.azul.com/zulu/zulurelnotes/
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2627362976.0000000007152000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2627362976.00000000071B3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://help.tkfast.com
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2595440435.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2594911620.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2618199877.00000000005E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://help.tkfast.com/
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2595440435.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2594911620.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2618199877.00000000005E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://help.tkfast.com/2
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2622332731.00000000028E1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2622332731.0000000002983000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2621948692.000000000289A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2620409954.000000000235A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2620409954.000000000238B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2620409954.0000000002328000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://help.tkfast.com/customer
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2627362976.000000000709D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2627362976.0000000007152000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2622332731.0000000002983000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2621948692.000000000289A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2627362976.00000000070BD000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://help.tkfast.com/customer/
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2630972193.000000000C63E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://help.tkfast.com/customer/JWrapper-JWrapper-version.txt
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2627362976.0000000007152000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2627362976.0000000007468000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2630972193.000000000C6F4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://help.tkfast.com/customer/JWrapper-Remote
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2627362976.00000000071B3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2630972193.000000000C63E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://help.tkfast.com/customer/JWrapper-Remote%20Support-version.txt
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2618199877.000000000058E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://help.tkfast.com/customer/JWrapper-Windows32JRE-version.txt?time=4211847998
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2618199877.000000000058E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://help.tkfast.com/customer/JWrapper-Windows32JRE-version.txt?time=42118479983
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2595218461.00000000005C3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2618199877.00000000005B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://help.tkfast.com/customer/JWrapper-Windows32JRE-version.txt?time=4211847998R
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2595218461.00000000005C3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2618199877.00000000005B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://help.tkfast.com/customer/JWrapper-Windows32JRE-version.txt?time=4211847998f
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2618199877.000000000058E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://help.tkfast.com/customer/JWrapper-Windows32JRE-version.txt?time=4211847998l
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2621948692.000000000289A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://help.tkfast.com/customer/jwstat_app_dirC:
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2621948692.000000000289A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://help.tkfast.com/customerjwdyna_wrapper_gu_versions2jwdyna_languageenjwdyna_skip_system_jre1jw
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2482777417.000000000458D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/tip/src/share/native/sun/security/ec/impl
Source: Remote Support.exe String found in binary or memory: http://java.sun.com/xml/dom/properties/%(
Source: Remote Support.exe String found in binary or memory: http://java.sun.com/xml/dom/properties/ancestor-check
Source: Remote Support.exe String found in binary or memory: http://java.sun.com/xml/schema/features/
Source: Remote Support.exe String found in binary or memory: http://java.sun.com/xml/schema/features/report-ignored-element-content-whitespace
Source: Remote Support.exe String found in binary or memory: http://java.sun.com/xml/stream/properties/ignore-external-dtdTDP

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Windows user hook set: 0 mouse low level C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Windows user hook set: 0 mouse low level C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File dropped: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\translations\en.txt ->
  encryption = setting up session security
  verifying_encryption_details = the remote machine is verifying this connection and setting up encryption to protect any transferred data.
  verifying_password = verifying password
  verifying_password_details = the remote machine is verifying your password
  connection_closed = connection closed
  connection_closed_details = the connection to the remote machine has been terminated
  # initial update screen
  tapplet_updating = updating, please wait...
  tapplet_installing = updating, please wait...
  tapplet_launching = launching...
  # web page info
  dont_see_below = don't see anything below?
  click_here = (click here)
  no_javascript_support = your browser does not support javascript.<p></p>javascript is required to view this page, please enable it in your browser or add this site to the trusted sites in your browser settings.
  no_java_message_part_one = if you don't see anything in the space below then your browser probably doesn't have the latest java runtime.<p></p>you can fix this by d
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe 14F684600450CDBCDBA40A554DA7F96E7756B5733B4854F5B30B9A35D26CBA4B
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2642352482.000000006E0FD000.00000002.00000001.01000000.00000012.sdmp Binary or memory string: OriginalFilenamenio.dll8 vs SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2644062264.0000000073A9A000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: OriginalFilenameverify.dll8 vs SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.000000000495F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename t) vs SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2639016013.000000006C850000.00000002.00000001.01000000.00000014.sdmp Binary or memory string: OriginalFilenamefreetype.dll2 vs SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2639016013.000000006C850000.00000002.00000001.01000000.00000014.sdmp Binary or memory string: OriginalFilenamefreetype.dllD vs SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2626455876.0000000004D95000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename t) vs SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.00000000048ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename t) vs SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2639542740.000000006CAD1000.00000002.00000001.01000000.00000011.sdmp Binary or memory string: OriginalFilenameawt.dll8 vs SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004583000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename t) vs SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2643211843.000000006E47E000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: OriginalFilenamejava.dll8 vs SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2482777417.000000000458D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename t) vs SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2642835801.000000006E393000.00000002.00000001.01000000.00000010.sdmp Binary or memory string: OriginalFilenamenet.dll8 vs SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2617904587.000000000045A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename t) vs SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2617730763.000000000044B000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename t) vs SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2624929551.0000000004177000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename t) vs SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2622332731.0000000002948000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename t) vs SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2638642120.000000006C7C9000.00000002.00000001.01000000.00000015.sdmp Binary or memory string: OriginalFilenamefontmanager.dll8 vs SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2640071629.000000006CBB9000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: OriginalFilenamemsvcr100_clr0400.dll^ vs SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004911000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename t) vs SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2642031705.000000006CF68000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: OriginalFilenamejvm.dll8 vs SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2643552224.0000000073402000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: OriginalFilenamezip.dll8 vs SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2623598899.0000000002FC4000.00000002.00000001.01000000.0000000F.sdmp Binary or memory string: OriginalFilename t) vs SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2081067787.000000000372F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename t) vs SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal69.rans.spyw.evad.winEXE@34/259@2/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_004092EF GetLastError,FormatMessageA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,LocalFree,LocalFree,LocalFree, 0_2_004092EF
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF4D3BB _getdiskfree,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_memset,GetDiskFreeSpaceA,GetLastError,_errno, 2_2_6CF4D3BB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Session Elevation Helper Mutant created: NULL
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * from Win32_Processor
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe ReversingLabs: Detection: 31%
Source: unpack200.exe String found in binary or memory: (For more information, run %s --help .)
Source: Remote Support.exe String found in binary or memory: !ULcom/kitfox/svg/Stop;
Source: Remote Support.exe String found in binary or memory: acom/kitfox/svg/Stop
Source: Remote Support.exe String found in binary or memory: '5*?marker-starty
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\crs-agent.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\crs-agent.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\charsets.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\charsets.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\jsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\jsse.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\jaccess.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\jaccess.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\sunpkcs11.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\sunpkcs11.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\access-bridge.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\access-bridge.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\access-bridge-32.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\access-bridge-32.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\openjsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\openjsse.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\legacy8ujsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\legacy8ujsse.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\cldrdata.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\cldrdata.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\sunmscapi.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\sunmscapi.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe" "-Xshare:dump"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\customer-jar-with-dependencies.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\customer-jar-with-dependencies.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\customer-jar-with-dependencies.jar" -Xmx512m -Xms5m -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=30 -Djava.util.Arrays.useLegacyMergeSort=true -Djava.net.preferIPv4Stack=true -Dsun.java2d.dpiaware=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Dsun.awt.fontconfig=fontconfig.properties jwrapper.JWrapper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\unrestricted\JWLaunchProperties-1713608944217-1"
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\windowslauncher.exe" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\customer-jar-with-dependencies.jar" -Xmx128m -Xms5m -Dsun.java2d.dpiaware=true "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete" com.aem.sdesktop.util.MouseMover 127.0.0.1 49722 127.0.0.1 49723 restricted
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Session Elevation Helper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Session Elevation Helper" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\customer-jar-with-dependencies.jar" -Xmx128m -Xms5m -Dsun.java2d.dpiaware=true "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete" com.aem.sdesktop.util.MouseMover 127.0.0.1 49726 127.0.0.1 49727 restricted_backup
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: opengl32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: glu32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: networkexplorer.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: thumbcache.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: opengl32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: glu32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Section loaded: opengl32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Section loaded: glu32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: sfc.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: opengl32.dll
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Session Elevation Helper Section loaded: glu32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Static PE information: certificate valid
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Static file information: File size 28436544 > 1048576
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\MSVCR100.dll Jump to behavior
Source: Binary string: c:\jenkins\workspace\zulu8-build-win32\release\jdk\objs\unpackexe\unpack200.pdbi source: unpack200.exe, 00000002.00000002.2115296330.000000000003B000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000003.00000000.2116800779.000000000003B000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000004.00000000.2132208590.000000000003B000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000005.00000002.2149243996.000000000003B000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000006.00000000.2150882392.000000000003B000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: c:\jenkins\workspace\zulu8-build-win32\release\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe, 00000002.00000002.2115296330.000000000003B000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000003.00000000.2116800779.000000000003B000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000004.00000000.2132208590.000000000003B000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000005.00000002.2149243996.000000000003B000.00000002.00000001.01000000.00000008.sdmp, unpack200.exe, 00000006.00000000.2150882392.000000000003B000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: msvcr100.i386.pdb source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2639716947.000000006CB01000.00000020.00000001.01000000.00000009.sdmp, unpack200.exe, unpack200.exe, 00000002.00000002.2115828197.000000006CEF1000.00000020.00000001.01000000.00000009.sdmp, unpack200.exe, 00000003.00000002.2130779590.000000006CEF1000.00000020.00000001.01000000.00000009.sdmp, unpack200.exe, 00000004.00000002.2137963953.000000006CEF1000.00000020.00000001.01000000.00000009.sdmp, unpack200.exe, 00000005.00000002.2149805166.000000006CEF1000.00000020.00000001.01000000.00000009.sdmp, unpack200.exe, 00000006.00000002.2170744753.000000006CEF1000.00000020.00000001.01000000.00000009.sdmp, unpack200.exe, 00000007.00000002.2186803365.000000006CEF1000.00000020.00000001.01000000.00000009.sdmp
Source: Binary string: c:\jenkins\workspace\zulu8-build-win32\release\jdk\objs\libnio\nio.pdb source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2642273328.000000006E0F7000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: c:\Users\gchristelis\Documents\Visual Studio 2008\Projects\cad\Release\cad.pdb source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2583821417.0000000004583000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\zulu8-build-win32\release\jdk\objs\libzip\zip.pdb source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2643472222.00000000733FB000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: c:\jenkins\workspace\zulu8-build-win32\release\jdk\objs\libfontmanager\fontmanager.pdb source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2638487863.000000006C7B1000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: c:\jenkins\workspace\zulu8-build-win32\release\jdk\objs\libawt\awt.pdb source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2639279375.000000006CA6A000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: c:\jenkins\workspace\zulu8-build-win32\release\jdk\objs\libnet\net.pdb source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2642630346.000000006E38D000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: c:\jenkins\workspace\zulu8-build-win32\release\jdk\objs\libjava\java.pdb source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2643067107.000000006E473000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: c:\jenkins\workspace\zulu8-build-win32\release\jdk\objs\libfontmanager\fontmanager.pdbp|l source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2638487863.000000006C7B1000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: c:\jenkins\workspace\zulu8-build-win32\release\jdk\objs\libzip\zip.pdbI source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2643472222.00000000733FB000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: C:\jenkins\workspace\zulu8-build-win32\release\hotspot\windows_i486_compiler1\product\jvm.pdb source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2640628576.000000006CEA0000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: c:\jenkins\workspace\zulu8-build-win32\release\jdk\objs\libverify\verify.pdb source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2643837886.0000000073A96000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: c:\jenkins\workspace\zulu8-build-win32\release\jdk\objs\libawt\awt.pdb8n source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2639279375.000000006CA6A000.00000002.00000001.01000000.00000011.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_00428332 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_00428332
Source: utils_wnative_winpty_intel-64.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x38241
Source: jjs.exe.0.dr Static PE information: real checksum: 0x1152d should be: 0x10b62
Source: shcad.exe.0.dr Static PE information: real checksum: 0x13bcf should be: 0x2dd75
Source: jvm.dll.0.dr Static PE information: real checksum: 0x3cb144 should be: 0x3d6baa
Source: javaw.exe.0.dr Static PE information: real checksum: 0x2ec38 should be: 0x30369
Source: winpty-agent.exe.0.dr Static PE information: real checksum: 0x3dddd should be: 0x4267d
Source: utils_wnative_dxgi_intel-64.dll.0.dr Static PE information: real checksum: 0x26d83 should be: 0x27976
Source: cadasuser.exe.0.dr Static PE information: real checksum: 0x15750 should be: 0x2c5c2
Source: Remote SupportWinLauncher.exe.0.dr Static PE information: real checksum: 0x58e43 should be: 0x8e480
Source: utils_wnative_intel-32.dll.0.dr Static PE information: real checksum: 0x38c46 should be: 0x39518
Source: simplehelper64.exe.0.dr Static PE information: real checksum: 0x14642 should be: 0x15834
Source: SimpleService.exe.0.dr Static PE information: real checksum: 0x1cc64 should be: 0x1e28d
Source: windowslauncher.exe.0.dr Static PE information: real checksum: 0x270ff should be: 0x27a12
Source: jwutils_win32.dll.0.dr Static PE information: real checksum: 0x26fe6 should be: 0x3664f
Source: utils_wnative_shpty_intel-64.dll.0.dr Static PE information: real checksum: 0x18027 should be: 0x2697f
Source: utils_wnative_winpty_intel-32.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x33d45
Source: utils_wnative_intel-64.dll.0.dr Static PE information: real checksum: 0x3b2f0 should be: 0x3c0ae
Source: Remote Support.exe.0.dr Static PE information: real checksum: 0x270ff should be: 0x27a12
Source: unpack200.exe.0.dr Static PE information: real checksum: 0x2efbf should be: 0x2fbf1
Source: utils_wnative_dxgi_intel-32.dll.0.dr Static PE information: real checksum: 0x28f63 should be: 0x2a362
Source: winpty-agent64.exe.0.dr Static PE information: real checksum: 0x4c96d should be: 0x4acd5
Source: session_win.exe.0.dr Static PE information: real checksum: 0x18543 should be: 0x35d94
Source: java.exe.0.dr Static PE information: real checksum: 0x36027 should be: 0x2fcd1
Source: pack200.exe.0.dr Static PE information: real checksum: 0x1101a should be: 0x1274b
Source: java-rmi.exe.0.dr Static PE information: real checksum: 0x9212 should be: 0x12ebb
Source: elev_win.exe.0.dr Static PE information: real checksum: 0x19839 should be: 0x3cd17
Source: jwutils_win64.dll.0.dr Static PE information: real checksum: 0x3aa5f should be: 0x44100
Source: simplehelper.exe.0.dr Static PE information: real checksum: 0x16ea2 should be: 0x150fa
Source: utils_wnative_shpty_intel-32.dll.0.dr Static PE information: real checksum: 0x1a02b should be: 0x2375a
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_3_005C4DEA push ss; ret 0_3_005C4F92
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_3_005C4D09 push ss; ret 0_3_005C4F92
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_3_005C4DB9 push ss; ret 0_3_005C4F92
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_004204C9 push ecx; ret 0_2_004204DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_00426521 push 33000001h; retf 0_2_00426526
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_00426623 push ebp; ret 0_2_00426624
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_04F4E098 push cs; ret 0_2_04F4E0E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_04F4524C pushad ; iretd 0_2_04F45271
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_04EAD6F7 push 00000000h; mov dword ptr [esp], esp 0_2_04EAD721
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_04EAD6E0 push 00000000h; mov dword ptr [esp], esp 0_2_04EAD721
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_04EAB6D6 push 00000000h; mov dword ptr [esp], esp 0_2_04EAB76D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_04EAB747 push 00000000h; mov dword ptr [esp], esp 0_2_04EAB76D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_04EAB739 push 00000000h; mov dword ptr [esp], esp 0_2_04EAB76D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_04EAB8F6 push 00000000h; mov dword ptr [esp], esp 0_2_04EAB98D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_04EAA00A push ecx; ret 0_2_04EAA01A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_04EAA01B push ecx; ret 0_2_04EAA025
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_04EAB1A9 push 00000000h; mov dword ptr [esp], esp 0_2_04EAB1DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_04EAB1B7 push 00000000h; mov dword ptr [esp], esp 0_2_04EAB1DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_04EAB967 push 00000000h; mov dword ptr [esp], esp 0_2_04EAB98D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_04EAB146 push 00000000h; mov dword ptr [esp], esp 0_2_04EAB1DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_04EAB959 push 00000000h; mov dword ptr [esp], esp 0_2_04EAB98D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_04EAC277 push 00000000h; mov dword ptr [esp], esp 0_2_04EAC29D
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_00039555 push ecx; ret 2_2_00039568
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CEF2D80 push eax; ret 2_2_6CEF2D9E
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF00995 push ecx; ret 2_2_6CF009A8
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF1A6AA push EF3FEFD4h; iretd 2_2_6CF1A6B1
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF19CD8 pushad ; iretd 2_2_6CF19CE6
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF0BF60 push ecx; ret 2_2_6CF0BF73
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Code function: 16_2_00405575 push ecx; ret 16_2_00405588
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Code function: 18_3_25C656C3 push eax; ret 18_3_25C656C9
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Code function: 18_3_25C667CF push eax; ret 18_3_25C66801
Source: msvcr100.dll.0.dr Static PE information: section name: .text entropy: 6.909044922675825
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\java.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\utils_wnative_shpty_intel-64.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\java-rmi.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\sunec.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\instrument.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\mlib_image.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\sunmscapi.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\utils_wnative_winpty_intel-64.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\WindowsAccessBridge-32.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\WindowsAccessBridge.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\winpty-agent64.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\jpeg.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\management.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\dt_socket.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\SimpleService.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\zip.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\utils_wnative_intel-32.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\simplehelper64.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\jaas_nt.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\j2pkcs11.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\simplehelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\dt_shmem.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\elev_win.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\shcad.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\javaw.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\utils_wnative_dxgi_intel-64.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\j2pcsc.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Session Elevation Helper Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\hprof.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\utils_wnative_intel-64.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\freetype.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\jdwp.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\cadasuser.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\fontmanager.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\jsoundds.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\java.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\JAWTAccessBridge-32.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\utils_wnative_dxgi_intel-32.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\jwutils_win64.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\msvcr100.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\splashscreen.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\jsound.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\awt.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\jjs.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\npt.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\jwutils_win32.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\JavaAccessBridge-32.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\utils_wnative_shpty_intel-32.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\JAWTAccessBridge.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\client\jvm.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\session_win.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\pack200.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\jawt.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\jsdt.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\utils_wnative_winpty_intel-32.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\w2k_lsa_auth.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\net.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\JavaAccessBridge.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\nio.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\jli.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\Remote SupportWinLauncher.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\lcms.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\winpty-agent.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\verify.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\readme.txt
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF4A277 GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress, 2_2_6CF4A277
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * from Win32_PhysicalMemory
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT MemoryErrorCorrection from Win32_PhysicalMemoryArray
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT DeviceID, Name, Model, InterfaceType, MediaType, Size, SerialNumber from Win32_DiskDrive
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_04F4D706 sldt cx 0_2_04F4D706
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\java.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\utils_wnative_shpty_intel-64.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\java-rmi.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\sunec.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\instrument.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\mlib_image.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\sunmscapi.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\utils_wnative_winpty_intel-64.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\WindowsAccessBridge-32.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\WindowsAccessBridge.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\winpty-agent64.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\jpeg.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\management.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\dt_socket.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\zip.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\SimpleService.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\utils_wnative_intel-32.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\simplehelper64.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\jaas_nt.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\j2pkcs11.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\simplehelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\dt_shmem.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\elev_win.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\shcad.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\javaw.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\utils_wnative_dxgi_intel-64.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\j2pcsc.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\hprof.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\utils_wnative_intel-64.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\freetype.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\jdwp.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\cadasuser.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\fontmanager.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\jsoundds.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\java.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\JAWTAccessBridge-32.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\utils_wnative_dxgi_intel-32.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\jwutils_win64.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\splashscreen.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\jsound.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\awt.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\jjs.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\npt.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\jwutils_win32.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\JavaAccessBridge-32.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\utils_wnative_shpty_intel-32.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\JAWTAccessBridge.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\client\jvm.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\session_win.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\pack200.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\utils_wnative_winpty_intel-32.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\jsdt.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\jawt.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\w2k_lsa_auth.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\net.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\JavaAccessBridge.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\nio.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\jli.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\Remote SupportWinLauncher.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\lcms.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\winpty-agent.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\verify.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe API coverage: 3.9 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe TID: 6388 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber,Version,Name,Manufacturer from Win32_BIOS
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT IdentifyingNumber,Version,Vendor,Name from Win32_ComputerSystemProduct
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * from Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_004192F3 FindFirstFileA,GetLastError,_strcpy_s,__invoke_watson, 0_2_004192F3
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF4EFE1 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose, 2_2_6CF4EFE1
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF50F84 _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose, 2_2_6CF50F84
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF4CA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose, 2_2_6CF4CA9B
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF50B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose, 2_2_6CF50B33
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF4C775 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose, 2_2_6CF4C775
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF50702 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose, 2_2_6CF50702
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF17C6D _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose, 2_2_6CF17C6D
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF4FD86 _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose, 2_2_6CF4FD86
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF4DF35 _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson, 2_2_6CF4DF35
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF4F8B5 _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose, 2_2_6CF4F8B5
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF4DA38 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_seterrormode,SetErrorMode, 2_2_6CF4DA38
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF4D4FF _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson, 2_2_6CF4D4FF
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF4F40B _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose, 2_2_6CF4F40B
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Code function: 16_2_00402963 FindFirstFileA,GetLastError,_strcpy_s,__invoke_watson, 16_2_00402963
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF76C74 _resetstkoflw,VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect, 2_2_6CF76C74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\lib\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File opened: C:\Users\user\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File opened: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe File opened: C:\Users\user\AppData\Roaming\
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2640628576.000000006CEA0000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: lNo virtualization detectedPower full partitionPower KVM virtualizationPowerVM virtualizationHyperV virtualizationVMWare virtualizationKVM virtualizationXen hardware-assisted virtualizationx/
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2621298477.0000000002420000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fVirtualMachineError.java
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2586710053.00000000049DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2586710053.00000000049DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *+com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2482777417.000000000458D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Copyright (C) 2009 VMware, Inc. All Rights Reserved.
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2640628576.000000006CEA0000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: java/lang/VirtualMachineError
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2640628576.000000006CEA0000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: Unable to link/verify VirtualMachineError class
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2621298477.0000000002420000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: i[Ljava/lang/VirtualMachineError;
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2621298477.0000000002420000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Rjava/lang/VirtualMachineError
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2586710053.00000000049DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2594911620.000000000060A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2618199877.00000000005B0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2618199877.000000000060A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2595440435.000000000060A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2640628576.000000006CEA0000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: _well_known_klasses[SystemDictionary::VirtualMachineError_klass_knum]
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2586710053.00000000049DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: java/lang/VirtualMachineError.classPK
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2640628576.000000006CEA0000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: l{constant pool}CodeCache Oops C-heap JNIHandles MetaspaceAux SystemDictionary CodeCache StringTable SymbolTable Heap Threads [Verifying Genesis-2147483648Unable to link/verify Finalizer.register methodUnable to link/verify ClassLoader.addClass methodProtectionDomain.impliesCreateAccessControlContext() has the wrong linkageUnable to link/verify Unsafe.throwIllegalAccessError methodJava heap space: failed reallocation of scalar replaced objectsGC overhead limit exceededRequested array size exceeds VM limitCompressed class spaceJava heap spaceUnable to link/verify VirtualMachineError classDelayed StackOverflowError due to ReservedStackAccess annotated methodC:\jenkins\workspace\zulu8-build-win32\zulu-src\hotspot\src\share\vm\oops\arrayKlass.cpp[]guarantee(component_mirror()->klass() != NULL) failedshould have a classC:\jenkins\workspace\zulu8-build-win32\zulu-src\hotspot\src\share\vm\gc_interface/collectedHeap.inline.hpp - length: %dguarantee(a->length() >= 0) failedarray with negative length?guarantee(obj->is_array()) failedmust be arrayshould be klassguarantee(is_constantPool()) failedvtable restored by this call<pseudo-string> cache=0x%08x (extra) for /operands[%d]/preresolutionconstant pool [%d]A constant pool lockC:\jenkins\workspace\zulu8-build-win32\zulu-src\hotspot\src\share\vm\oops\constantPool.cppguarantee(!ConstantPool::is_invokedynamic_index(which)) failedan invokedynamic instruction does not have a klassRESOLVE %s %s
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2594911620.000000000060A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2618199877.000000000060A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000003.2595440435.000000000060A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW,
Source: SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe, 00000000.00000002.2640628576.000000006CEA0000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: VMWare virtualization
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_00421383 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00421383
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF76C74 VirtualProtect ?,-00000001,00000104,? 2_2_6CF76C74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_00428332 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_00428332
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_0041EA2A GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__amsg_exit,__setenvp,__amsg_exit,__amsg_exit, 0_2_0041EA2A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_00418D3B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00418D3B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_00428F59 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_LocaleUpdate::_LocaleUpdate,__isctype_l, 0_2_00428F59
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_0003927C SetUnhandledExceptionFilter, 2_2_0003927C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_00038C30 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 2_2_00038C30
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF7ADFC _crt_debugger_hook,_memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook, 2_2_6CF7ADFC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF00807 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 2_2_6CF00807
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: 2_2_6CF7C16F __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 2_2_6CF7C16F
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Code function: 16_2_00402468 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_00402468
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Code function: 16_2_0040C1BF __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_0040C1BF
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Code function: 16_2_00405E68 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_00405E68
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Memory protected: page read and write | page guard
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\crs-agent.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\crs-agent.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\charsets.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\charsets.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\jsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\jsse.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\jaccess.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\jaccess.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\sunpkcs11.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\sunpkcs11.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\access-bridge.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\access-bridge.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\access-bridge-32.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\access-bridge-32.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\openjsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\openjsse.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\legacy8ujsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\legacy8ujsse.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\cldrdata.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\cldrdata.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\sunmscapi.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\sunmscapi.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\sunpkcs11.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\sunpkcs11.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe" "-Xshare:dump"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\customer-jar-with-dependencies.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\customer-jar-with-dependencies.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\customer-jar-with-dependencies.jar" -Xmx512m -Xms5m -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=30 -Djava.util.Arrays.useLegacyMergeSort=true -Djava.net.preferIPv4Stack=true -Dsun.java2d.dpiaware=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Dsun.awt.fontconfig=fontconfig.properties jwrapper.JWrapper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\unrestricted\JWLaunchProperties-1713608944217-1"
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\windowslauncher.exe" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\customer-jar-with-dependencies.jar" -Xmx128m -Xms5m -Dsun.java2d.dpiaware=true "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete" com.aem.sdesktop.util.MouseMover 127.0.0.1 49722 127.0.0.1 49723 restricted
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Session Elevation Helper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Session Elevation Helper" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\customer-jar-with-dependencies.jar" -Xmx128m -Xms5m -Dsun.java2d.dpiaware=true "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete" com.aem.sdesktop.util.MouseMover 127.0.0.1 49726 127.0.0.1 49727 restricted_backup
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\lib\crs-agent.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\lib\crs-agent.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\lib\charsets.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\lib\charsets.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\lib\jsse.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\lib\jsse.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\lib\ext\jaccess.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\lib\ext\jaccess.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\lib\ext\sunpkcs11.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\lib\ext\sunpkcs11.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\lib\ext\access-bridge.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\lib\ext\access-bridge.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\lib\ext\access-bridge-32.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\lib\ext\access-bridge-32.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\lib\ext\openjsse.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\lib\ext\openjsse.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\lib\ext\legacy8ujsse.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\lib\ext\legacy8ujsse.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\lib\ext\cldrdata.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\lib\ext\cldrdata.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\lib\ext\sunmscapi.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\lib\ext\sunmscapi.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows32jre-00084000053-complete\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608830-0-app\customer-jar-with-dependencies.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608830-0-app\customer-jar-with-dependencies.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows32jre-00084000053-complete\bin\remote support.exe" -cp "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00102236241-complete\customer-jar-with-dependencies.jar" -xmx512m -xms5m -xx:minheapfreeratio=15 -xx:maxheapfreeratio=30 -djava.util.arrays.uselegacymergesort=true -djava.net.preferipv4stack=true -dsun.java2d.dpiaware=true -dhttps.protocols=tlsv1,tlsv1.1,tlsv1.2,tlsv1.3 -dsun.awt.fontconfig=fontconfig.properties jwrapper.jwrapper "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00102236241-complete\unrestricted\jwlaunchproperties-1713608944217-1"
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows32jre-00084000053-complete\bin\windowslauncher.exe" -cp "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00102236241-complete\customer-jar-with-dependencies.jar" -xmx128m -xms5m -dsun.java2d.dpiaware=true "-djava.library.path=c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00102236241-complete" com.aem.sdesktop.util.mousemover 127.0.0.1 49722 127.0.0.1 49723 restricted
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Session Elevation Helper "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-windows32jre-00084000053-complete\bin\session elevation helper" -cp "c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00102236241-complete\customer-jar-with-dependencies.jar" -xmx128m -xms5m -dsun.java2d.dpiaware=true "-djava.library.path=c:\users\user\appdata\roaming\jwrapper-remote support\jwrapper-remote support-00102236241-complete" com.aem.sdesktop.util.mousemover 127.0.0.1 49726 127.0.0.1 49727 restricted_backup
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Process created: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\bin\unpack200.exe" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\lib\crs-agent.jar.p2" "c:\users\user\appdata\roaming\jwrapper-remote support\jwrappertemp-1713608892-0-app\lib\crs-agent.jar"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_004287F1 cpuid 0_2_004287F1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: GetLocaleInfoA, 0_2_0042B9B3
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,__invoke_watson, 2_2_6CF0888A
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: _getptd,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_itoa_s,__fassign,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,strcpy_s,__invoke_watson, 2_2_6CF08468
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: GetLocaleInfoA,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_errno, 2_2_6CF065F0
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: GetLocaleInfoW,strcmp,strcmp,GetLocaleInfoW,atol,GetACP, 2_2_6CF085AC
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,malloc, 2_2_6CF0871C
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 2_2_6CF7F42E
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 2_2_6CF7F0DB
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: _getptd,_LcidFromHexString,GetLocaleInfoA,_stricmp, 2_2_6CF7F034
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: _getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,_stricmp,GetLocaleInfoA,_stricmp,_strnicmp,_strlen,GetLocaleInfoA,_stricmp,_strlen,_stricmp,_TestDefaultLanguage, 2_2_6CF7F136
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 2_2_6CF7F3C7
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe Code function: _getptd,_LcidFromHexString,GetLocaleInfoA,_stricmp,_stricmp,_TestDefaultLanguage, 2_2_6CF7F307
Source: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe Code function: GetLocaleInfoA, 16_2_0040E828
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Queries volume information: C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-JWrapper-00102236230-complete\nativesplash.png VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_0041B9E8 __invoke_watson,GetSystemTimeAsFileTime,__aulldiv,GetTimeZoneInformation,__aulldiv,__aullrem,__aulldiv, 0_2_0041B9E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_00409D0C _getenv,GetUserNameA,_strlen,_memset,_sprintf,_strlen,_strlen,_malloc, 0_2_00409D0C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Code function: 0_2_0041EA2A GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__amsg_exit,__setenvp,__amsg_exit,__amsg_exit, 0_2_0041EA2A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid