Windows Analysis Report
SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe
Analysis ID: 1632382
MD5: 5baff22318ad7ceee337d63ca6d6a3af
SHA1: 9a4b56b11097da29d194f665974353880cd71df8
SHA256: e415a56982e74d76e039f90d2c946115d892c8b264ebb07f93232e981a74f7c2
Tags: exe, user-SecuriteInfoCom

Detection

Score: 96
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Adds a directory exclusion to Windows Defender
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe (PID: 7100 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe" MD5: 5BAFF22318AD7CEEE337D63CA6D6A3AF)
    • conhost.exe (PID: 7124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5696 cmdline: powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7256 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7748 cmdline: schtasks.exe /create /tn "COM Surrogate Task" /tr "C:\Program Files\runtime\COM Surrogate.exe" /sc onlogon /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 7756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • COM Surrogate.exe (PID: 7796 cmdline: "C:\Program Files\runtime\COM Surrogate.exe" MD5: D8B16BCAB478B23BD67790745BC39575)
      • cmd.exe (PID: 8076 cmdline: cmd /C "C:\Program Files\runtime\prq3461g5v1ru6r2.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • COM Surrogate.exe (PID: 7824 cmdline: "C:\Program Files\runtime\COM Surrogate.exe" MD5: D8B16BCAB478B23BD67790745BC39575)
    • cmd.exe (PID: 8060 cmdline: cmd /C "C:\Program Files\runtime\prq3461g5v1ru6r2.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'", CommandLine: powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe, ParentProcessId: 7100, ParentProcessName: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe, ProcessCommandLine: powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'", ProcessId: 5696, ProcessName: powershell.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'", CommandLine: powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe, ParentProcessId: 7100, ParentProcessName: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe, ProcessCommandLine: powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'", ProcessId: 5696, ProcessName: powershell.exe

AV Detection

Source: https://pulseon.top/f/precovery.exe, Avira URL Cloud: Label: malware
Source: C:\Program Files\runtime\COM Surrogate.exe, ReversingLabs: Detection: 28%
Source: C:\Program Files\runtime\prq3461g5v1ru6r2.exe, ReversingLabs: Detection: 18%
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe, Virustotal: Detection: 25%
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe, ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe, Code function: 0_2_00007FF66F991E00 _time64,srand,memset,printf,__acrt_iob_func,fgets,printf,printf,printf,BCryptGenRandom,BCryptGenRandom,free,printf,printf,memset,GetModuleFileNameA,rand,printf,getchar,getchar,malloc,strcpy_s,fopen_s,fwrite,fwrite,rand,malloc,BCryptGenRandom,free,fclose,free,free,free,fwrite,free,fwrite,fclose,free,free,printf,CreateFileA,GetSystemTime,SystemTimeToFileTime,SetFileTime,CloseHandle,free,printf,system,free,free,free,GetConsoleWindow,GetWindowLongW,SetWindowLongW,ShowWindow,CreateProcessA,WaitForSingleObject,CloseHandle,CloseHandle,SleepEx,memset,GetModuleFileNameA,fopen_s,fseek,ftell,fseek,fread,fclose,malloc,fseek,fread,free,fclose,fclose,free,memset,GetEnvironmentVariableA,strcat_s,CreateDirectoryA,memset,fopen_s,printf,free,fwrite,fclose,free,memset,CreateProcessA,WaitForSingleObject,CloseHandle,CloseHandle,CreateProcessA,WaitForSingleObject,CloseHandle,CloseHandle,DeleteFileA,0_2_00007FF66F991E00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe, Directory created: C:\Program Files\runtime
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe, Directory created: C:\Program Files\runtime\COM Surrogate.exe
Source: C:\Program Files\runtime\COM Surrogate.exe, Directory created: C:\Program Files\runtime\prq3461g5v1ru6r2.exe
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\q\Desktop\HAZARD\P3\bigDawg - Copy\x64\Release\bigDawg.pdb source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe

Networking

Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49726 -> 34.248.109.211:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49725 -> 34.248.109.211:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49723 -> 34.248.109.211:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49721 -> 34.248.109.211:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49724 -> 34.248.109.211:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49722 -> 34.248.109.211:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49738 -> 34.248.109.211:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49735 -> 34.248.109.211:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49732 -> 34.248.109.211:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49739 -> 34.255.243.225:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49745 -> 34.255.243.225:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49741 -> 34.255.243.225:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49744 -> 34.255.243.225:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49743 -> 34.255.243.225:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49753 -> 34.255.243.225:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49742 -> 34.255.243.225:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49731 -> 34.248.109.211:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49748 -> 34.255.243.225:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49734 -> 34.248.109.211:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49736 -> 34.248.109.211:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49756 -> 34.255.243.225:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49759 -> 34.255.243.225:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49737 -> 34.248.109.211:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49733 -> 34.248.109.211:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49749 -> 34.255.243.225:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49740 -> 34.255.243.225:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49755 -> 34.255.243.225:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49750 -> 34.255.243.225:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49746 -> 34.255.243.225:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49751 -> 34.255.243.225:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49754 -> 34.255.243.225:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49752 -> 34.255.243.225:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49747 -> 34.255.243.225:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49757 -> 34.255.243.225:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49760 -> 34.255.243.225:443
Source: Network traffic, Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.4:49758 -> 34.255.243.225:443
Source: global traffic, TCP traffic: 192.168.2.4:49719 -> 94.156.227.9:8008
Source: Joe Sandbox View, IP Address: 208.95.112.1 208.95.112.1
Source: unknown, DNS query: name: checkip.amazonaws.com
Source: unknown, DNS query: name: ip-api.com
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 Host: checkip.amazonaws.com User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Source: global traffic, HTTP traffic detected: GET /f/precovery.exe HTTP/1.1 Host: pulseon.top User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Source: global traffic, HTTP traffic detected: GET /line/172.58.121.183?fields=country HTTP/1.1 Host: ip-api.com User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Source: global traffic, HTTP traffic detected: GET /rootg2.cer HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/10.0 Host: crt.rootg2.amazontrust.com
Source: global traffic, HTTP traffic detected: GET /x.cer HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/10.0 Host: x.ss2.us
Source: global traffic, DNS traffic detected: DNS query: wheretopulse.in
Source: global traffic, DNS traffic detected: DNS query: checkip.amazonaws.com
Source: global traffic, DNS traffic detected: DNS query: ip-api.com
Source: global traffic, DNS traffic detected: DNS query: pulseon.top
Source: global traffic, DNS traffic detected: DNS query: crt.rootg2.amazontrust.com
Source: global traffic, DNS traffic detected: DNS query: x.ss2.us
Source: COM Surrogate.exe, 0000000D.00000003.2538452970.000001557BA7F000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539071416.0000023EFC790000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: COM Surrogate.exe, 0000000D.00000003.2538452970.000001557BA7F000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539071416.0000023EFC790000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: COM Surrogate.exe, 0000000D.00000003.2538452970.000001557BA7F000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538950711.0000023EFC79C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: COM Surrogate.exe, 0000000D.00000003.2539067532.0000015554979000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2539399344.00000155549C3000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2823488283.00000155549C4000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2527695902.0000023ED5B1D000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539881957.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2527326446.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539436263.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2537287280.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3055771757.0000023EFC763000.00000004.00000020.00020000.00000000.sdmp, 070E0202839D9D67350CD2613E78E416.14.drString found in binary or memory: http://certificates.starfieldtech.com/repository/root.crl0Q
Source: COM Surrogate.exe, 0000000D.00000003.2539067532.0000015554979000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2539399344.00000155549C3000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2823488283.00000155549C4000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2527695902.0000023ED5B1D000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539881957.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2527326446.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539436263.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2537287280.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3055771757.0000023EFC763000.00000004.00000020.00020000.00000000.sdmp, 070E0202839D9D67350CD2613E78E416.14.drString found in binary or memory: http://certificates.starfieldtech.com/repository0
Source: COM Surrogate.exe, 0000000D.00000003.2538575297.000001557BAD1000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538950711.0000023EFC79C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
Source: COM Surrogate.exe, 0000000D.00000003.2538575297.000001557BAD1000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538950711.0000023EFC79C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
Source: COM Surrogate.exe, 0000000D.00000003.2538575297.000001557BAD1000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538950711.0000023EFC79C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
Source: COM Surrogate.exe, 0000000D.00000003.2538575297.000001557BAD1000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538950711.0000023EFC79C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
Source: COM Surrogate.exe, 0000000D.00000003.2538057231.000001557BAE2000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538686992.0000023EFC7B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: COM Surrogate.exe, 0000000D.00000003.2538452970.000001557BA7F000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539071416.0000023EFC790000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: COM Surrogate.exe, 0000000D.00000003.2538575297.000001557BAD1000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538950711.0000023EFC79C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
Source: COM Surrogate.exe, 0000000D.00000003.2538057231.000001557BAE2000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2538113457.000001557BAF4000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538776971.0000023EFC7C6000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538686992.0000023EFC7B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: COM Surrogate.exe, 0000000D.00000003.2538057231.000001557BAE2000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538686992.0000023EFC7B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: COM Surrogate.exe, 0000000D.00000003.2538452970.000001557BA7F000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539071416.0000023EFC790000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: COM Surrogate.exe, 0000000D.00000003.2538871702.000001557BA37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: COM Surrogate.exe, 0000000D.00000003.2539016752.000001557BA4E000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2538871702.000001557BA37000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539607828.0000023EFCC81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.defence.gov.au/pki0
Source: COM Surrogate.exe, 0000000D.00000003.2538057231.000001557BAE2000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2538113457.000001557BAF4000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538776971.0000023EFC7C6000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538686992.0000023EFC7B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: COM Surrogate.exe, 0000000D.00000003.2538597189.000001557BA79000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539071416.0000023EFC790000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: COM Surrogate.exe, 0000000D.00000003.2538452970.000001557BA7F000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538950711.0000023EFC79C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
Source: COM Surrogate.exe, 0000000D.00000003.2539016752.000001557BA4E000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2538871702.000001557BA37000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539607828.0000023EFCC81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.postsignum.cz/crl/psrootqca4.crl02
Source: COM Surrogate.exe, 0000000D.00000003.2539016752.000001557BA4E000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2538871702.000001557BA37000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539607828.0000023EFCC81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.postsignum.eu/crl/psrootqca4.crl0
Source: COM Surrogate.exe, 0000000D.00000002.2822162549.000000C0003FA000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2819817923.000000C0001B7000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C000006000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C0003F8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.r2m03.amazontrust.com/r2m03.crl
Source: COM Surrogate.exe, 0000000D.00000002.2819817923.000000C0000E6000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2823341980.000001555490C000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2819817923.000000C000000000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2819817923.000000C0000C8000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2823066867.000000C0004A2000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C000278000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2527326446.0000023ED5AD5000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C00027E000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539436263.0000023ED5AD7000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3054693768.000000C000507000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3054355530.000000C0004AE000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2537287280.0000023ED5AD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.r2m03.amazontrust.com/r2m03.crl0u
Source: COM Surrogate.exe, 0000000D.00000002.2819817923.000000C0001B7000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C000006000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.r2m03.amazontrust.com/r2m03.crlhttp://ocsp.r2m03.amazontrust.com
Source: COM Surrogate.exe, 0000000D.00000002.2822162549.000000C0003FA000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C0003F8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.r2m03.amazontrust.com/r2m03.crlhttp://ocsp.r2m03.amazontrust.comhttp://crt.r2m03.amazontr
Source: COM Surrogate.exe, 0000000D.00000002.2822162549.000000C0003FA000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2819817923.000000C0001B7000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C000006000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl
Source: COM Surrogate.exe, 0000000D.00000002.2819817923.000000C000096000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2819817923.000000C0000E6000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2819817923.000000C000085000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2823341980.000001555490C000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2819817923.000000C000046000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2823066867.000000C0004A2000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C000278000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C000046000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2527326446.0000023ED5AD5000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C00027E000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539436263.0000023ED5AD7000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C000082000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2537287280.0000023ED5AD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: COM Surrogate.exe, 0000000D.00000002.2822162549.000000C0003FA000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2819817923.000000C0001B7000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C000006000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.rootg2.amazontrust.com/rootg2.crl
Source: COM Surrogate.exe, 0000000D.00000002.2819817923.000000C000096000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2819817923.000000C0000E6000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2822162549.000000C0003F0000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2823509273.00000155549D3000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2823066867.000000C0004A2000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2538733164.00000155549D0000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C000278000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2510278909.0000023ED5AE7000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C000072000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C00027E000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539436263.0000023ED5AE5000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539881957.0000023ED5AEB000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2537287280.0000023ED5AE5000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2527326446.0000023ED5AE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.rootg2.amazontrust.com/rootg2.crl0
Source: COM Surrogate.exe, 0000000D.00000003.2538057231.000001557BAE2000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538686992.0000023EFC7B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: COM Surrogate.exe, 0000000D.00000003.2538618030.000001557BA69000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539170099.0000023EFCCAF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: COM Surrogate.exe, 0000000D.00000003.2538452970.000001557BA7F000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538950711.0000023EFC79C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: COM Surrogate.exe, 0000000D.00000003.2538057231.000001557BAE2000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538886242.0000023EFC7B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: COM Surrogate.exe, 0000000D.00000003.2538057231.000001557BAE2000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2538113457.000001557BAF4000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538776971.0000023EFC7C6000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538686992.0000023EFC7B6000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538830490.0000023EFC7CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: COM Surrogate.exe, 0000000D.00000003.2538871702.000001557BA37000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3056224496.0000023EFC853000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: COM Surrogate.exe, 0000000D.00000003.2539016752.000001557BA4E000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2538871702.000001557BA37000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539607828.0000023EFCC81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
Source: COM Surrogate.exe, 0000000D.00000003.2539016752.000001557BA4E000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2538871702.000001557BA37000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539607828.0000023EFCC81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl2.postsignum.cz/crl/psrootqca4.crl01
Source: COM Surrogate.exe, 0000000D.00000002.2822162549.000000C0003FA000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2819817923.000000C0001B7000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C000006000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C0003F8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.r2m03.amazontrust.com/r2m03.cer
Source: COM Surrogate.exe, 0000000D.00000002.2819817923.000000C0000E6000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2823341980.000001555490C000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2819817923.000000C000000000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2819817923.000000C0000C8000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2823066867.000000C0004A2000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C000278000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2527326446.0000023ED5AD5000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C00027E000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539436263.0000023ED5AD7000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3054693768.000000C000507000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3054355530.000000C0004AE000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2537287280.0000023ED5AD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.r2m03.amazontrust.com/r2m03.cer0
Source: COM Surrogate.exe, 0000000E.00000002.3050934937.000000C000006000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.r2m03.amazontrust.com/r2m03.cerhttp://ocsp.rootca1.amazontrust.comcomhttp://crt.rootca1.a
Source: COM Surrogate.exe, 0000000D.00000002.2819817923.000000C0001B7000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.r2m03.amazontrust.com/r2m03.cerhttp://ocsp.rootca1.amazontrust.comr2http://crt.rootca1.am
Source: COM Surrogate.exe, 0000000D.00000002.2822162549.000000C0003FA000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2819817923.000000C0001B7000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C000006000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer
Source: COM Surrogate.exe, 0000000D.00000002.2819817923.000000C000096000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2819817923.000000C0000E6000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2819817923.000000C000085000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2823341980.000001555490C000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2819817923.000000C000046000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2823066867.000000C0004A2000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C000278000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C000046000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2527326446.0000023ED5AD5000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C00027E000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539436263.0000023ED5AD7000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C000082000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2537287280.0000023ED5AD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: COM Surrogate.exe, 0000000D.00000002.2822162549.000000C0003FA000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2819817923.000000C0001B7000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539436263.0000023ED5AD7000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C000006000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539436263.0000023ED5AE5000.00000004.00000020.00020000.00000000.sdmp, DABA17F5E36CBE65640DD2FE24F104E70.13.drString found in binary or memory: http://crt.rootg2.amazontrust.com/rootg2.cer
Source: COM Surrogate.exe, 0000000D.00000003.2539067532.0000015554979000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.rootg2.amazontrust.com/rootg2.cer.
Source: COM Surrogate.exe, 0000000D.00000002.2819817923.000000C000096000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2819817923.000000C0000E6000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2822162549.000000C0003F0000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2823509273.00000155549D3000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2823066867.000000C0004A2000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2538733164.00000155549D0000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2561405099.0000023ED5AE5000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C000278000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2510278909.0000023ED5AE7000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C000072000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C00027E000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539436263.0000023ED5AE5000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539881957.0000023ED5AEB000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2537287280.0000023ED5AE5000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2527326446.0000023ED5AE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.rootg2.amazontrust.com/rootg2.cer0=
Source: COM Surrogate.exe, 0000000D.00000002.2822162549.000000C0003FA000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C000006000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.rootg2.amazontrust.com/rootg2.cerhttp://crl.rootg2.amazontrust.com/rootg2.crl
Source: COM Surrogate.exe, 0000000E.00000003.2527695902.0000023ED5B1D000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2527326446.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2537287280.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.rootg2.amazontrust.com/rootg2.cero
Source: COM Surrogate.exe, 0000000D.00000003.2537550449.000001557BA90000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2537364321.000001557BA90000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2537669419.000001557BA90000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2536431762.000001557BA8F000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2537287280.0000023ED5AE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/
Source: COM Surrogate.exe, 0000000E.00000003.2537287280.0000023ED5AE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/Lows
Source: COM Surrogate.exe, 0000000D.00000002.2823341980.0000015554934000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: COM Surrogate.exe, 0000000D.00000002.2823450148.000001555497A000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3054895183.0000023ED5A30000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539881957.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539436263.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2537287280.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2561405099.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.13.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: COM Surrogate.exe, 0000000D.00000003.2539067532.0000015554979000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2823450148.000001555497A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab=
Source: COM Surrogate.exe, 0000000D.00000003.2538057231.000001557BAE2000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2538320408.000001557BAFC000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2538113457.000001557BAF4000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538776971.0000023EFC7C6000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538686992.0000023EFC7B6000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538830490.0000023EFC7CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: COM Surrogate.exe, 0000000D.00000003.2538057231.000001557BAE2000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2538320408.000001557BAFC000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2538113457.000001557BAF4000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538776971.0000023EFC7C6000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538686992.0000023EFC7B6000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538830490.0000023EFC7CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: COM Surrogate.exe, 0000000E.00000003.2538830490.0000023EFC7CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: COM Surrogate.exe, 0000000D.00000003.2538113457.000001557BB00000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2538164903.000001557BB0C000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2539016752.000001557BA4E000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2538196997.000001557BB18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2538597189.000001557BA79000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2538871702.000001557BA37000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539607828.0000023EFCC81000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538747724.0000023EFC7DA000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539071416.0000023EFC790000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538686992.0000023EFC7D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: COM Surrogate.exe, 0000000D.00000003.2538452970.000001557BA7F000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539071416.0000023EFC790000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539121756.0000023EFC797000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ecee.gov.pt/dpc0
Source: COM Surrogate.exe, 0000000D.00000003.2538871702.000001557BA37000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539607828.0000023EFCC81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: COM Surrogate.exe, 0000000D.00000003.2538871702.000001557BA37000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539607828.0000023EFCC81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.eme.lv/repository0
Source: COM Surrogate.exe, 0000000D.00000003.2539016752.000001557BA4E000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2538871702.000001557BA37000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539607828.0000023EFCC81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.firmaprofesional.com/cps0
Source: COM Surrogate.exe, 0000000D.00000003.2539442019.000001557BA10000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2824321897.000001557BA10000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3054895183.0000023ED5A88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.globaltrust.info0
Source: COM Surrogate.exe, 0000000D.00000003.2539442019.000001557BA10000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2824321897.000001557BA10000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3054895183.0000023ED5A88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.globaltrust.info0=
Source: COM Surrogate.exe, 0000000D.00000003.2538057231.000001557BAE2000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538950711.0000023EFC79C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: COM Surrogate.exe, 0000000D.00000003.2538057231.000001557BAE2000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2538113457.000001557BAF4000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538776971.0000023EFC7C6000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538686992.0000023EFC7B6000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538830490.0000023EFC7CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: COM Surrogate.exe, 0000000D.00000003.2538575297.000001557BAD1000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538950711.0000023EFC79C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.oaticerts.com/repository.
Source: COM Surrogate.exe, 0000000D.00000003.2538703165.000001557BA59000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539607828.0000023EFCCA3000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539586788.0000023EFCCA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
Source: COM Surrogate.exe, 0000000D.00000003.2538871702.000001557BA37000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539607828.0000023EFCC81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: COM Surrogate.exe, 0000000D.00000003.2538452970.000001557BA7F000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539071416.0000023EFC790000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: COM Surrogate.exe, 0000000D.00000003.2538703165.000001557BA59000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539170099.0000023EFCCA5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.gva.es/cps0
Source: COM Surrogate.exe, 0000000D.00000003.2538703165.000001557BA59000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539170099.0000023EFCCA5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.gva.es/cps0%
Source: COM Surrogate.exe, 0000000D.00000003.2538452970.000001557BA7F000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538950711.0000023EFC79C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: COM Surrogate.exe, 0000000D.00000003.2538113457.000001557BB00000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2538164903.000001557BB0C000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538747724.0000023EFC7DA000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538686992.0000023EFC7D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: COM Surrogate.exe, 0000000D.00000003.2538703165.000001557BA59000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539170099.0000023EFCCA5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
Source: COM Surrogate.exe, 0000000D.00000003.2539275123.000001557BA27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
Source: COM Surrogate.exe, 0000000D.00000003.2538113457.000001557BB00000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2538320408.000001557BB02000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2538291923.000001557BB01000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538776971.0000023EFC7C6000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538686992.0000023EFC7B6000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538830490.0000023EFC7CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps0
Source: COM Surrogate.exe, 0000000D.00000003.2538703165.000001557BA59000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539170099.0000023EFCCA5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.rcsc.lt/repository0
Source: COM Surrogate.exe, 0000000D.00000003.2538057231.000001557BAE2000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538950711.0000023EFC79C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sk.ee/cps/0
Source: COM Surrogate.exe, 0000000D.00000003.2538057231.000001557BAE2000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538950711.0000023EFC79C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sk.ee/juur/crl/0
Source: COM Surrogate.exe, 0000000D.00000003.2538057231.000001557BAE2000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2538452970.000001557BA7F000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2538113457.000001557BAF4000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538776971.0000023EFC7C6000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538686992.0000023EFC7B6000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538886242.0000023EFC7B1000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538830490.0000023EFC7CC000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538950711.0000023EFC79C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ssc.lt/cps03
Source: COM Surrogate.exe, 0000000D.00000003.2539044100.000001557BA30000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2538057231.000001557BAE2000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538686992.0000023EFC7B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.suscerte.gob.ve/dpc0
Source: COM Surrogate.exe, 0000000D.00000003.2539044100.000001557BA30000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2538057231.000001557BAE2000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2538686992.0000023EFC7B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.suscerte.gob.ve/lcr0#
Source: COM Surrogate.exe, 0000000D.00000003.2538618030.000001557BA69000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539300564.0000023EFCCC3000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539098381.0000023EFCCC2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: COM Surrogate.exe, 0000000D.00000003.2538618030.000001557BA69000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539014525.0000023EFCCC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: COM Surrogate.exe, 0000000D.00000003.2538618030.000001557BA69000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539014525.0000023EFCCC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: COM Surrogate.exe, 0000000D.00000003.2539067532.0000015554979000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2539399344.00000155549C3000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2823488283.00000155549C4000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2823450148.000001555497A000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2527695902.0000023ED5B1D000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539881957.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2527326446.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539436263.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2537287280.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3055771757.0000023EFC763000.00000004.00000020.00020000.00000000.sdmp, 070E0202839D9D67350CD2613E78E416.14.drString found in binary or memory: http://www.valicert.com/1
Source: COM Surrogate.exe, 0000000D.00000003.2538703165.000001557BA59000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2539170099.0000023EFCCA5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
Source: COM Surrogate.exe, 0000000E.00000003.2527326446.0000023ED5AD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x.ss2.us/
Source: COM Surrogate.exe, 0000000E.00000003.2527326446.0000023ED5AD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x.ss2.us/gs
Source: COM Surrogate.exe, 0000000D.00000002.2819817923.000000C000094000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2539067532.0000015554979000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2823450148.000001555497A000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2527695902.0000023ED5B1D000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2527326446.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C000006000.00000004.00001000.00020000.00000000.sdmp, 070E0202839D9D67350CD2613E78E4160.14.drString found in binary or memory: http://x.ss2.us/x.cer
Source: COM Surrogate.exe, 0000000D.00000002.2824610565.000001557BB4F000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2819817923.000000C000096000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2824184470.000001557B9F5000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2913037288.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3050934937.000000C000046000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2592149212.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.3041828572.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3055020206.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2891952308.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2741775674.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2561405099.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3055771757.0000023EFC763000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2537287280.0000023ED5AE5000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2527326446.0000023ED5AE5000.00000004.00000020.00020000.00000000.sdmp, DABA17F5E36CBE65640DD2FE24F104E7.13.drString found in binary or memory: http://x.ss2.us/x.cer0&
Source: COM Surrogate.exe, 0000000E.00000002.3050934937.000000C000006000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://x.ss2.us/x.cerhttp://s.ss2.us/r.crlAccess-Control-Max-AgeContent-DispositionIf-Unmodified-Sin
Source: COM Surrogate.exe, 0000000D.00000002.2819817923.000000C000094000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://x.ss2.us/x.cerhttp://s.ss2.us/r.crlCoCreateInstanceGetUserDefaultLCIDSysAllocStringLenhP
Source: COM Surrogate.exe, 0000000D.00000002.2822162549.000000C0003FA000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://checkip.amazonaws.com/
Source: COM Surrogate.exe.0.dr | String found in binary or memory: https://checkip.amazonaws.com/Eastern
Source: COM Surrogate.exe, 0000000E.00000002.3050934937.000000C000006000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://pulseon.top/f/precovery.exe
Source: C:\Program Files\runtime\COM Surrogate.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DABA17F5E36CBE65640DD2FE24F104E7
Source: C:\Program Files\runtime\COM Surrogate.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe | Code function: 0_2_00007FF66F9910D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe | Code function: 0_2_00007FF66F991E00
Source: Joe Sandbox View | Dropped File: C:\Program Files\runtime\prq3461g5v1ru6r2.exe BCF7B6BF4607C5D6874EBAF8719CCF3C3470625CF1854A753223CB783B1108C5
Source: classification engine | Classification label: mal96.evad.winEXE@20/15@8/8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe | File created: C:\Program Files\runtime
Source: C:\Program Files\runtime\COM Surrogate.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DABA17F5E36CBE65640DD2FE24F104E7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6740:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7124:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7756:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8068:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8092:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kwdcm0r0.kcb.ps1
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe | Virustotal: Detection: 25%
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe | ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe
Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "COM Surrogate Task" /tr "C:\Program Files\runtime\COM Surrogate.exe" /sc onlogon /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exeProcess created: C:\Program Files\runtime\COM Surrogate.exe "C:\Program Files\runtime\COM Surrogate.exe"
Source: unknownProcess created: C:\Program Files\runtime\COM Surrogate.exe "C:\Program Files\runtime\COM Surrogate.exe"
Source: C:\Program Files\runtime\COM Surrogate.exeProcess created: C:\Windows\System32\cmd.exe cmd /C "C:\Program Files\runtime\prq3461g5v1ru6r2.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\runtime\COM Surrogate.exeProcess created: C:\Windows\System32\cmd.exe cmd /C "C:\Program Files\runtime\prq3461g5v1ru6r2.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: sxs.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: amsi.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: userenv.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: profapi.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: cryptnet.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: webio.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exeDirectory created: C:\Program Files\runtimeJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exeDirectory created: C:\Program Files\runtime\COM Surrogate.exeJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exeDirectory created: C:\Program Files\runtime\prq3461g5v1ru6r2.exeJump to behavior
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exeStatic file information: File size 6322961 > 1048576
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\q\Desktop\HAZARD\P3\bigDawg - Copy\x64\Release\bigDawg.pdb source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'"
Source: COM Surrogate.exe.0.drStatic PE information: section name: .xdata
Source: COM Surrogate.exe.0.drStatic PE information: section name: .symtab
Source: prq3461g5v1ru6r2.exe.14.drStatic PE information: section name: .fptable
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exeFile created: C:\Program Files\runtime\COM Surrogate.exe
Source: C:\Program Files\runtime\COM Surrogate.exeFile created: C:\Program Files\runtime\prq3461g5v1ru6r2.exe

Boot Survival

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "COM Surrogate Task" /tr "C:\Program Files\runtime\COM Surrogate.exe" /sc onlogon /rl HIGHEST /f

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Program Files\runtime\COM Surrogate.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Program Files\runtime\COM Surrogate.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\runtime\COM Surrogate.exeRegistry key monitored for changes: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\runtime\COM Surrogate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2439
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7346
Source: C:\Program Files\runtime\COM Surrogate.exe Dropped PE file which has not been started: C:\Program Files\runtime\prq3461g5v1ru6r2.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6184 Thread sleep count: 2439 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6184 Thread sleep count: 7346 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7192 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\runtime\COM Surrogate.exe TID: 7880 Thread sleep time: -30000s >= -30000s
Source: C:\Program Files\runtime\COM Surrogate.exe TID: 7904 Thread sleep time: -30000s >= -30000s
Source: C:\Program Files\runtime\COM Surrogate.exe File opened: PHYSICALDRIVE0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe Binary or memory string: VMware
Source: COM Surrogate.exe, 0000000E.00000002.3055771757.0000023EFC783000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2526891962.0000023EFC783000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2536739528.0000023EFC783000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW#|
Source: COM Surrogate.exe, 0000000D.00000003.2539442019.000001557BA10000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2823341980.000001555490C000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2536503386.000001557BA10000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2824321897.000001557BA10000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2537392737.000001557BA10000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3055771757.0000023EFC783000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2526891962.0000023EFC783000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2536739528.0000023EFC783000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3054895183.0000023ED5A30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe Binary or memory string: HARDWARE\DESCRIPTION\SystemSystemManufacturerSystemProductNameVMwareVirtualBoxVirtual Machinerb[Error] Could not open file: %s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe Code function: 0_2_00007FF66F9910D0 IsDebuggerPresent,GetCurrentProcess,CheckRemoteDebuggerPresent,QueryPerformanceFrequency,QueryPerformanceCounter,SleepEx,QueryPerformanceCounter,memset,memset,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,strstr,strstr,strstr,strstr,RegCloseKey,0_2_00007FF66F9910D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe Process queried: DebugPort
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe Code function: 0_2_00007FF66F993438 SetUnhandledExceptionFilter,0_2_00007FF66F993438
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe Code function: 0_2_00007FF66F992A20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF66F992A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe Code function: 0_2_00007FF66F993294 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF66F993294

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'"
Source: C:\Program Files\runtime\COM Surrogate.exe Process created: C:\Windows\System32\cmd.exe cmd /C "C:\Program Files\runtime\prq3461g5v1ru6r2.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe Code function: 0_2_00007FF66F9910D0 cpuid 0_2_00007FF66F9910D0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files\runtime\COM Surrogate.exe Queries volume information: C:\Windows\System32\cmd.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exeCode function: 0_2_00007FF66F991E00 _time64,srand,memset,printf,__acrt_iob_func,fgets,printf,printf,printf,BCryptGenRandom,BCryptGenRandom,free,printf,printf,memset,GetModuleFileNameA,rand,printf,getchar,getchar,malloc,strcpy_s,fopen_s,fwrite,fwrite,rand,malloc,BCryptGenRandom,free,fclose,free,free,free,fwrite,free,fwrite,fclose,free,free,printf,CreateFileA,GetSystemTime,SystemTimeToFileTime,SetFileTime,CloseHandle,free,printf,system,free,free,free,GetConsoleWindow,GetWindowLongW,SetWindowLongW,ShowWindow,CreateProcessA,WaitForSingleObject,CloseHandle,CloseHandle,SleepEx,memset,GetModuleFileNameA,fopen_s,fseek,ftell,fseek,fread,fclose,malloc,fseek,fread,free,fclose,fclose,free,memset,GetEnvironmentVariableA,strcat_s,CreateDirectoryA,memset,fopen_s,printf,free,fwrite,fclose,free,memset,CreateProcessA,WaitForSingleObject,CloseHandle,CloseHandle,CreateProcessA,WaitForSingleObject,CloseHandle,CloseHandle,DeleteFileA,0_2_00007FF66F991E00
Source: COM Surrogate.exe, 0000000E.00000003.3041564829.0000023EFC7BB000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.3041441948.0000023EFC7B4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s Defender\MsMpeng.exe
Source: COM Surrogate.exe, 0000000E.00000003.2561405099.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: r\MsMpeng.exe
Source: COM Surrogate.exe, 0000000D.00000003.2285277974.0000015554981000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2285663014.0000015554981000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.1841941019.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.1392827243.0000023ED5A69000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.1393289829.0000023ED5A77000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.1392253052.0000023ED5A5D000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.1932522977.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2561405099.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.1932318549.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: les%\Windows Defender\MsMpeng.exe
Source: COM Surrogate.exe, 0000000D.00000003.2371501087.000001557B9FE000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.1483797182.00000155549FC000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2539067532.0000015554979000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2135432164.0000015554981000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2285559299.000001557B9FF000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2435824911.0000015554981000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.1483757050.00000155549F5000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2371462458.000001557B9FA000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000002.2824184470.000001557B9D0000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.2079186641.00000155549F5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: COM Surrogate.exe, 0000000D.00000003.1973219847.000001557B9E4000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000D.00000003.1973064573.000001557B9E4000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.1484434241.0000023ED5B21000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.2592149212.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.3041828572.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000002.3055020206.0000023ED5B18000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Defender\MsMpeng.exe
Source: COM Surrogate.exe, 0000000E.00000003.2231482189.0000023ED5AD4000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.1840346385.0000023ED5ADF000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 0000000E.00000003.1842248311.0000023ED5ADF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Program Files\runtime\COM Surrogate.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Windows Management Instrumentation; 1 Scheduled Task/Job; 1 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 3 Masquerading; 1 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 11 Process Injection; 1 DLL Side-Loading; Steganography; Compile After Delivery; Indicator Removal from Tools
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 System Time Discovery; 1 Query Registry; 251 Security Software Discovery; 1 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 32 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 21 Encrypted Channel; 1 Non-Standard Port; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph
ID: 1632382, Sample: SecuriteInfo.com.Win64.Drop..., Startdate: 07/03/2025, Architecture: WINDOWS, Score: 96

DNS/IP Info: x.ss2.us; wheretopulse.in; 7 other IPs or domains
Signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 2 other signatures

Processes:

  • SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe (started)
      Dropped: C:\Program Files\runtime\COM Surrogate.exe, MS-DOS
      Signatures: Suspicious powershell command line found; Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
      • powershell.exe (started)
          Signature: Loading BitLocker PowerShell Module
          • WmiPrvSE.exe (started)
          • conhost.exe (started)
      • COM Surrogate.exe (started)
          DNS/IP Info: ip-api.com 208.95.112.1, 49727, 49728, 80 TUT-ASUS United States; wheretopulse.in 94.156.227.9, 49719, 49720, 8008 NETIXBG Bulgaria; 4 other IPs or domains
          • cmd.exe (started)
              • conhost.exe (started)
      • schtasks.exe (started)
          • conhost.exe (started)
      • conhost.exe (started)
  • COM Surrogate.exe (started)
      DNS/IP Info: 34.255.243.225, 443, 49739, 49740 AMAZON-02US United States; crt.rootg2.amazontrust.com 18.66.147.78, 49763, 49764, 80 MIT-GATEWAYSUS United States
      Dropped: C:\Program Files\...\prq3461g5v1ru6r2.exe, PE32+
      • cmd.exe (started)
          • conhost.exe (started)

This section contains all screenshots as thumbnails, including those not shown in the slideshow.