Analysis Report KeJ7Cl7flZ.exe

Overview

General Information

Sample Name:	KeJ7Cl7flZ.exe
Analysis ID:	324174
MD5:	4e759849412063c6590936671ce4aa0e
SHA1:	40d132516cc4b9aa00dca2b2f068c439cf8f59c3
SHA256:	7a79f0c95e891b939e275fa19e641b676f2eb70471945fb3b15d6a649cafe071
Tags:	ArkeiStealerexe
Most interesting Screenshot:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to detect sleep reduction / modifications

Contains functionality to infect the boot sector

Drops PE files to the document folder of the user

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

PE file has a writeable .text section

Registers a new ROOT certificate

Tries to harvest and steal browser information (history, passwords, etc)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read device registry values (via SetupAPI)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

File is packed with WinRar

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

PE file contains strange resources

Potential key logger detected (key state polling based)

Queries device information via Setup API

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores large binary data to the registry

Tries to load missing DLLs

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara signature match

Classification

Signatures

AV Detection:

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Avira: detection malicious, Label: HEUR/AGEN.1139239
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Avira: detection malicious, Label: TR/Siggen.lhhpy
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe	Avira: detection malicious, Label: TR/Crypt.CFI.Gen
Source: C:\Users\user\Documents\VlcpVideoV1.0.1\jg2_2qua.exe	Avira: detection malicious, Label: TR/Crypt.CFI.Gen
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\hjjgaa.exe	Avira: detection malicious, Label: HEUR/AGEN.1134829
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Avira: detection malicious, Label: TR/AD.PredatorThief.gldkk
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\file1.exe	Avira: detection malicious, Label: TR/AD.JamkeeDldr.gwmgy
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ubisoftpro.exe	Avira: detection malicious, Label: TR/AD.ColtyStealer.mwfxd
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\askinstall21.exe	Avira: detection malicious, Label: HEUR/AGEN.1138531
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\BTRSetp.exe	Avira: detection malicious, Label: TR/Kryptik.ijozo

Multi AV Scanner detection for domain / URL

Source: jojo-soft.xyz	Virustotal: Detection: 8%			Perma Link
Source: evograph.ro	Virustotal: Detection: 7%			Perma Link

Multi AV Scanner detection for submitted file

Source: KeJ7Cl7flZ.exe	Virustotal: Detection: 67%			Perma Link
Source: KeJ7Cl7flZ.exe	ReversingLabs: Detection: 79%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\85F91A36E275562F.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Documents\VlcpVideoV1.0.1\jg2_2qua.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\hjjgaa.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\file1.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ubisoftpro.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\askinstall21.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\SSSS.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: KeJ7Cl7flZ.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 19.2.aliens.exe.2f00000.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 26.0.jg2_2qua.exe.400000.0.unpack	Avira: Label: TR/Crypt.CFI.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_10003535 CryptUnprotectData,_malloc,_memset,_memmove,__snprintf_s,_free,LocalFree,		1_2_10003535
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,		19_2_1001F720

Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: 0_2_00EC29A3 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00EC29A3
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: 0_2_00ED0BA0 SendDlgItemMessageW,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00ED0BA0
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: 0_2_00EDFB78 FindFirstFileExA,	0_2_00EDFB78
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: 0_2_00ED2E67 VirtualQuery,GetSystemInfo,FindFirstFileExA,	0_2_00ED2E67
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_012746B9 __EH_prolog3_GS,GetFullPathNameA,__cftof,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,_strlen,	1_2_012746B9
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_10009DF3 _memset,GetEnvironmentVariableW,_wprintf,FindFirstFileW,__snprintf_s,FindNextFileW,FindClose,	1_2_10009DF3
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Code function: 15_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	15_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Code function: 15_2_00406301 FindFirstFileW,FindClose,	15_2_00406301
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Code function: 15_2_6FEE0F62 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	15_2_6FEE0F62
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Code function: 15_2_6FED1C23 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,	15_2_6FED1C23
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_0005A534 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	17_2_0005A534
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_0006B820 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	17_2_0006B820
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_0007A928 FindFirstFileExA,	17_2_0007A928
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,	19_2_00452126
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,	19_2_0045C999
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,	19_2_00436ADE
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	19_2_00434BEE
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_0045DD7C FindFirstFileW,FindClose,	19_2_0045DD7C
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	19_2_0044BD29
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,	19_2_00436D2D
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	19_2_00442E1F
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	19_2_00475FE5
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	19_2_0044BF8D
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_1001A170 FindFirstFileA,FindClose,	19_2_1001A170

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Networking:

May check the online IP address of the machine

Source: unknown	DNS query: name: iplogger.org
Source: unknown	DNS query: name: iplogger.org
Source: unknown	DNS query: name: ip-api.com

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 88.99.66.31 88.99.66.31
Source: Joe Sandbox View	IP Address: 88.99.66.31 88.99.66.31

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /seemorebty/il.php?e=jg2_2qua HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image webp,image apng, q=0.8,application signed-exchange v=b3Accept-Language: en-US,en;q=0.9Referer: https://www.facebook.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit 537.36 (KHTML, like Gecko) Chrome 70.0.3538.110 Safari 537.36Host: 101.36.107.74

Source: unknown	TCP traffic detected without corresponding DNS query: 101.36.107.74
Source: unknown	TCP traffic detected without corresponding DNS query: 101.36.107.74
Source: unknown	TCP traffic detected without corresponding DNS query: 101.36.107.74
Source: unknown	TCP traffic detected without corresponding DNS query: 101.36.107.74
Source: unknown	TCP traffic detected without corresponding DNS query: 101.36.107.74
Source: unknown	TCP traffic detected without corresponding DNS query: 101.36.107.74

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe

Code function: 1_2_1000AA5D _memset,_memset,_memset,_memset,_memset,InternetCrackUrlA,__time64,_rand,InternetOpenA,_wprintf,InternetConnectA,_wprintf,InternetCloseHandle,HttpOpenRequestA,_wprintf,InternetCloseHandle,InternetCloseHandle,HttpAddRequestHeadersA,InternetSetOptionA,LdrInitializeThunk,LdrInitializeThunk,HttpSendRequestA,GetLastError,HttpQueryInfoA,_wprintf,_wprintf,InternetReadFile,_memset,GetLastError,_wprintf,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,LdrInitializeThunk,LdrInitializeThunk,

1_2_1000AA5D

Source: global traffic

Source: askinstall21.exe	String found in binary or memory: %02X%02X%02X%02X%02X%02Xcmd.exe /c taskkill /f /im chrome.exeDefault\js\background.js5.18.6_0\fnfhfpkmpnmlmlgfeabpegnfpdnmokcoconst mac = '';const channelid ='const version='SOFTWARE\Policies\Google\Chrome\ExtensionInstallWhitelist99extensions.settings.\u003C<extensionssettingsprotectionmacssuper_mac107\Temp\vnnsfgfgfghaz99\" /s /e /y" "xcopy " --window-position=-50000,-50000 --user-data-dir=" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/","message":"","code":"{"type":"installresult","uid":"successerr : write reg failed(RegCreateKeyExA)err : write reg failed(RegSetValueExA)err : extension dir not found(possible no chrome installed)err : zip release failederr : securepref not founderr : parse json failederr : unknown1","channelid":"","adminmode":""}","version":"JSON=application/x-www-form-urlencoded;charset=utf-8http://www.fddnice.pw//Home/Index/lkdinlhttp://12https://iplogger.org/1uVkt796https://iplogger.org/1TW3i797https://iplogger.org/1q6Jt7105https://iplogger.org/1O2BH106https://iplogger.org/1OZVHhttps://iplogger.org/1OXFG108https://iplogger.org/1lC5g109https://iplogger.org/1Ka7t7110https://iplogger.org/1OhAG111https://iplogger.org/16ajh7112https://iplogger.org/1XSq97113https://iplogger.org/19iM77114https://iplogger.org/16xjh7115https://iplogger.org/1XJq97116https://iplogger.org/1XKq97117https://iplogger.org/1X8M97118https://iplogger.org/1UpU57119https://iplogger.org/1T79i7120https://iplogger.org/1T89i7121https://iplogger.org/1Uts87122https://iplogger.org/1KyTy7123https://iplogger.org/1yXwr7124https://iplogger.org/1bV787125https://iplogger.org/1b4887\/ equals www.facebook.com (Facebook)
Source: askinstall21.exe	String found in binary or memory: https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/ equals www.facebook.com (Facebook)
Source: jg2_2qua.exe, 0000001A.00000002.503990767.0000000000401000.00000040.00020000.sdmp	String found in binary or memory: &ctarget=https%3A%2F%2Fwww.facebook.comcquick=jsc_c_e&cquick_token=/settings?find email</strong><strong>fbSettingsListItemContentEmail not found.0" title="href="https://www.facebook.com/profile_icondata-gt" role="<a aria-label=<a class=*/profile.php?sk=friend_gs6">,"Friends":"</span><span>,"status":","Page":"1<a href="https://business.facebook.com,"bm":"<>class="lastRow right","currency":","a":","b":"CHROME,"Channel":","Browser":"}]0102030405060708"username":"edge_followed_by":{"count":edge_follow":{"count":email":"username":"phone_number":"gender":first_name":"last_name":"{#},"br":"","yo":""pa":""us":""re":""ph":""se":""fs":,"fsr":"Channel":""xtype":2}]Failed to initialise Winsock, Error:%u equals www.facebook.com (Facebook)
Source: 002.exe	String found in binary or memory: ....https://www.facebook.com/pages/?category=your_pages&ref=bookmarksuri_token"has_main_page":"https://business.facebook.com/select/?next=https%3A%2F%2Fbusiness.facebook.com%2F"has_BM":"https://www.facebook.com/ads/manager/account_settings/information/?act=%s&pid=p1&page=account_settings&tab=account_information"AdsCMConnectConfig",\[\],.?access_token:"(.+?)""AdsInterfacesSessionConfig",\[\],.?"sessionID":"(.+?)"https://graph.facebook.com/v7.0/act_%s?access_token=%s&_reqName=adaccount&_reqSrc=AdsPaymentMethodsDataLoader&_sessionID=%s&fields=%%5B%%22all_payment_methods%%7Bpayment_method_altpays%%7Baccount_id%%2Ccountry%%2Ccredential_id%%2Cdisplay_name%%2Cimage_url%%2Cinstrument_type%%2Cnetwork_id%%2Cpayment_provider%%2Ctitle%%7D%%2Cpm_credit_card%%7Baccount_id%%2Ccredential_id%%2Ccredit_card_address%%2Ccredit_card_type%%2Cdisplay_string%%2Cexp_month%%2Cexp_year%%2Cfirst_name%%2Cis_verified%%2Clast_name%%2Cmiddle_name%%2Ctime_created%%2Cneed_3ds_authorization%%2Csupports_recurring_in_india%%2Cverify_card_behavior%%7D%%2Cpayment_method_direct_debits%%7Baccount_id%%2Caddress%%2Ccan_verify%%2Ccredential_id%%2Cdisplay_string%%2Cfirst_name%%2Cis_awaiting%%2Cis_pending%%2Clast_name%%2Cmiddle_name%%2Cstatus%%2Ctime_created%%7D%%2Cpayment_method_extended_credits%%7Baccount_id%%2Cbalance%%2Ccredential_id%%2Cmax_balance%%2Ctype%%2Cpartitioned_from%%2Csequential_liability_amount%%7D%%2Cpayment_method_paypal%%7Baccount_id%%2Ccredential_id%%2Cemail_address%%2Ctime_created%%7D%%2Cpayment_method_stored_balances%%7Baccount_id%%2Cbalance%%2Ccredential_id%%2Ctotal_fundings%%7D%%2Cpayment_method_tokens%%7Baccount_id%%2Ccredential_id%%2Ccurrent_balance%%2Coriginal_balance%%2Ctime_created%%2Ctime_expire%%2Ctype%%7D%%7D%%22%%5D&include_headers=false&locale=en_US&method=get&pretty=0&suppress_http_code=1&xref=f33f78145820f4 }"pay":instagramds_user_id\\"\\"", "path":"/", "secure": false,"value": "{"domain":"www.instagram.com", "expirationDate":1590337688, "hostOnly": false, "httpOnly": true, "name": "instagram cookie:%s equals www.facebook.com (Facebook)
Source: 002.exe	String found in binary or memory: Cookie: c_user={https://www.facebook.com/ads/manager/accounts/https://www.facebook.com/settings?tab=notificationsnoyes","isValid":"0https://www.facebook.com/profile.php"displayable_count":{"FantailLogQueue":null},"friends":"mail":"https://www.facebook.com/accountquality/%s/?source=mega_menu&nav_source=flyout_menu&nav_id=1765193856"adAccountID":""ad":"https://www.facebook.com/bookmarks/pages?ref_type=logout_gearid:"\d+",name:"(.+?)",count: equals www.facebook.com (Facebook)
Source: jg2_2qua.exe, 0000001A.00000003.480992334.000000000071B000.00000004.00000001.sdmp	String found in binary or memory: Referer: https://www.facebook.com equals www.facebook.com (Facebook)
Source: ubisoftpro.exe	String found in binary or memory: T.exe_,"Friends":","status":","currency":","bm":","type":","a":","b":"p,"Channel":","Browser":"rltext/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,;q=0.8,application/signed-exchange;v=b3username":"},edge_followed_by":{"count":edge_follow":{"count":email":"phone_number":"gender":first_name":","last_name":"{#}\"co":""br":""sy":""yo":""pa":""re":""ph":""se":""fs":"fsr":inauth_tokentwhttps://www.airbnb.cn/account-settingstext/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/*;q=0.8,application/signed-exchange;v=b3.airbnb.cnacha"compat_iframe_token":"https://www.facebook.com/settings?cquick=jsc_c_c&cquick_token=&ctarget=https%3A%2F%2Fwww.facebook.comhttps://www.facebook.com/settings@</strong><strong>@b88801?act=</span><span>https://www.facebook.com/ads/manager/account_settings/account_billing/?act=&pid=p1&page=account_settings&tab=account_billing_settingsaccess_token:"adsApiVersion:"sessionID:"locale:"https://graph.facebook.com//act_?access_token=&_reqName=adaccount&_reqSrc=AdsPaymentMethodsDataLoader&_sessionID=&fields=%5B%22all_payment_methods%7Bpayment_method_altpays%7Baccount_id%2Ccountry%2Ccredential_id%2Cdisplay_name%2Cimage_url%2Cinstrument_type%2Cnetwork_id%2Cpayment_provider%2Ctitle%7D%2Cpm_credit_card%7Baccount_id%2Ccredential_id%2Ccredit_card_address%2Ccredit_card_type%2Cdisplay_string%2Cexp_month%2Cexp_year%2Cfirst_name%2Cis_verified%2Clast_name%2Cmiddle_name%2Ctime_created%2Cneed_3ds_authorization%2Callow_manual_3ds_authorization%2Csupports_recurring_in_india%7D%2Cpayment_method_direct_debits%7Baccount_id%2Caddress%2Ccan_verify%2Ccredential_id%2Cdisplay_string%2Cfirst_name%2Cis_awaiting%2Cis_pending%2Clast_name%2Cmiddle_name%2Cstatus%2Ctime_created%7D%2Cpayment_method_extended_credits%7Baccount_id%2Cbalance%2Ccredential_id%2Cmax_balance%2Ctype%2Cpartitioned_from%2Csequential_liability_amount%7D%2Cpayment_method_paypal%7Baccount_id%2Ccredential_id%2Cemail_address%2Ctime_created%7D%2Cpayment_method_stored_balances%7Baccount_id%2Cbalance%2Ccredential_id%2Ctotal_fundings%7D%2Cpayment_method_tokens%7Baccount_id%2Ccredential_id%2Ccurrent_balance%2Coriginal_balance%2Ctime_created%2Ctime_expire%2Ctype%7D%7D%22%5D&include_headers=false&locale=&method=get&pretty=0&suppress_http_code=1pm_credit_card"country":mastervisaamericanpaypalbalance</td>\|\|-Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36ike.airbnb.cn11fiachitichiffiedtch9C71F883-5E43-41AA-85D0-5272784FB258,"Creditcard":"timeline_chrome.php?sk=friendshttp://103.91.21Facebook</title>facebook</title>book.com/pages/?category=your_paall_accounts_tabhttp://qazwsxedcnavigate_from_adSoftware\\TestRele_account_id_cehttps://www.facebook.com/profilebook.com/settinggister\\TestRegiges&ref=bookmarkbook.com/ads/managram.com/accouncompat_iframe_toks/pages?ref_typbook.com/bookmarhttps://www.instadmined_pages":{ equals www.facebook.com (Facebook)
Source: ubisoftpro.exe	String found in binary or memory: \MicrosoftEdgeCP\\Application\\c\\Google\\Chrome\\User Data\\Def\\Mozilla\\Firefwww.facebook.comwww.instagram.co\\Mozilla Firefo equals www.facebook.com (Facebook)
Source: jg2_2qua.exe, 0000001A.00000003.481728424.000000000075E000.00000004.00000001.sdmp	String found in binary or memory: ct name,value,encrypted_value from cookies where instr("www.facebook.com", host_key)>0 equals www.facebook.com (Facebook)
Source: hjjgaa.exe	String found in binary or memory: d@invalid stoi argumentstoi argument out of rangeUseJu47egg whatppphatOjk4ehg riwjgHgegUse whatppphatYk43h7gr riwjg^(([^:\/?#]+):)?(//([^\/?#:])(:([^\/?#]))?)?([^?#])(\?([^#]))?(#(.))?MalformedHh6e4sgg urlStrXhegkh4gErrorJhg4eu (WinHttpOpenNm4eg)ErrorOj7g4he (WinHttpGetProxyForUrlTh7e4gh)Error (WinHttpGetProxyForUrl)httphttpsUnknownNsV6e4hg schemeBe7n4us ErrorBjhe4hg (WinHttpConnectLj6e3hgg)?ErrorS7je4hg (WinHttpOpenRequestP6je4hg)ErrorHf74ge7g (WinHttpSendRequestVe7j4gi)ErrorJh7b4egg (WinHttpSendRequestPke4jhg)ErrorKj7e4hg (WinHttpReceiveResponseCeheg34g)ErrorTjr57eh (WinHttpQueryDataAvailableAe7hj4g)ErrorUj7e4hg (WinHttpReadDataPjke4hg)ErrorGh7e4hg (WinHttpSetCredentialsHe7j4hg)ErrorPj7e4hg (WinHttpQueryHeadersYg8e5gg)ErrorJh7eg4g (WinHttpQueryAuthSchemesYe6hg4)POSTGETlogin/device-based/loginContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9viewport-width: 1920Sec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Referer: https://www.facebook.com/Origin: https://www.facebook.comSec-Fetch-Dest: documentUpgrade-Insecure-Requests: 1/adsmanager/creation?act=/ads/manager/account_settings/account_billingSec-Fetch-Site: noneAccept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1v7.0/act_Accept: /*Content-type: application/x-www-form-urlencodedSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-sitemanager/account_settings/account_billingprimary_location/infoprofile.phppages/?category=your_pageshttps://www.facebook.com/Error (WinHttpSetOption)Error (WinHttpAddRequestHeaders)vector<T> too longvector<bool> too longalnumalnumalphaalphablankblankcntrlcntrldddigitdigitgraphgraphlowerlowerprintprintpunctpunctspacespacessupperupperwwxdigitxdigitXlG equals www.facebook.com (Facebook)
Source: ubisoftpro.exe	String found in binary or memory: http://103.91.21Facebook</title>facebook</title>book.com/pages/?category=your_paall_accounts_tabhttp://qazwsxedcnavigate_from_adSoftware\\TestRele_account_id_cehttps://www.facebook.com/profilebook.com/settinggister\\TestRegiges&ref=bookmarkbook.com/ads/managram.com/accouncompat_iframe_toks/pages?ref_typbook.com/bookmarhttps://www.instadmined_pages":{ equals www.facebook.com (Facebook)
Source: jg2_2qua.exe, 0000001A.00000002.504458828.00000000004F4000.00000040.00020000.sdmp	String found in binary or memory: https://www.facebook.com equals www.facebook.com (Facebook)
Source: 002.exe	String found in binary or memory: https://www.facebook.com/accountquality/%s/?source=mega_menu&nav_source=flyout_menu&nav_id=1765193856 equals www.facebook.com (Facebook)
Source: 002.exe	String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/information/?act=%s&pid=p1&page=account_settings&tab=account_information equals www.facebook.com (Facebook)
Source: 002.exe	String found in binary or memory: https://www.facebook.com/ads/manager/accounts/ equals www.facebook.com (Facebook)
Source: hjjgaa.exe	String found in binary or memory: https://www.facebook.com/adsmanager/manage/campaigns?act=fb_id equals www.facebook.com (Facebook)
Source: 002.exe	String found in binary or memory: https://www.facebook.com/bookmarks/pages?ref_type=logout_gear equals www.facebook.com (Facebook)
Source: 002.exe	String found in binary or memory: https://www.facebook.com/pages/?category=your_pages&ref=bookmarks equals www.facebook.com (Facebook)
Source: 002.exe	String found in binary or memory: https://www.facebook.com/profile.php equals www.facebook.com (Facebook)
Source: hjjgaa.exe	String found in binary or memory: https://www.facebook.com/profile.php?id=c_user&sk=friends equals www.facebook.com (Facebook)
Source: ubisoftpro.exe	String found in binary or memory: https://www.facebook.com/settings equals www.facebook.com (Facebook)
Source: 002.exe	String found in binary or memory: https://www.facebook.com/settings?tab=notifications equals www.facebook.com (Facebook)
Source: jg2_2qua.exe, 0000001A.00000002.504458828.00000000004F4000.00000040.00020000.sdmp	String found in binary or memory: k@Ohttps://www.facebook.comhttp://101.36.107.74/seemorebty/z9Yzbx5JbVSUWmThFFDroiderFDroid1Software\ffdroiderhttps://www.facebook.comwww.facebook.comtext/html,application/xhtml+xml,application/xml;q=0.9,image webp,image apng, q=0.8,application signed-exchange v=b3Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit 537.36 (KHTML, like Gecko) Chrome 70.0.3538.110 Safari 537.36/ads/manager/accountsall_accounts_table_account_id_cellhref="/pages/?category=your_pages&ref=bookmarks?act= equals www.facebook.com (Facebook)
Source: ubisoftpro.exe	String found in binary or memory: kK`C:\%x\mshtml.dllIsWow64Processkernel326432%d.%d.%d.%d\MicrosoftEdgeCP\\Application\\c\\Google\\Chrome\\User Data\\Def\\Mozilla\\Firefwww.facebook.comwww.instagram.co\\Mozilla Firefo equals www.facebook.com (Facebook)
Source: jg2_2qua.exe, 0000001A.00000003.480992334.000000000071B000.00000004.00000001.sdmp	String found in binary or memory: p]rhttps://www.facebook.comtext/html,application/xhtml+xml,application/xml;q=0.9,image webp,image apng, q=0.8,application signed-exchange v=b3Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit 537.36 (KHTML, like Gecko) Chrome 70.0.3538.110 Safari 537.36en-US,en;q=0.9Keep-Alivei equals www.facebook.com (Facebook)
Source: jg2_2qua.exe, 0000001A.00000003.480028435.0000000000718000.00000004.00000001.sdmp	String found in binary or memory: qhttps://www.facebook.comtext/html,application/xhtml+xml,application/xml;q=0.9,image webp,image apng, q=0.8,application signed-exchange v=b3Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit 537.36 (KHTML, like Gecko) Chrome 70.0.3538.110 Safari 537 equals www.facebook.com (Facebook)
Source: hjjgaa.exe	String found in binary or memory: size: length: capacity: max_size: https://www.facebook.com/login/device-based/login/cookieJsonhttps://www.facebook.com/ads/manager/account_settings/account_billingaccess_token:{accountID:_/v7.0/acthttps://graph.facebook.com/v7.0/act_fb_uid?access_token=fb_access_token&_index=5&_reqName=adaccount&_reqSrc=AdsCMPaymentsAccountDataDispatcher&fields=%5B%22active_billing_date_preference%7Bday_of_month%2Cid%2Cnext_bill_date%2Ctime_created%2Ctime_effective%7D%22%2C%22can_pay_now%22%2C%22can_repay_now%22%2C%22current_unbilled_spend%22%2C%22extended_credit_info%22%2C%22is_br_entity_account%22%2C%22has_extended_credit%22%2C%22max_billing_threshold%22%2C%22min_billing_threshold%22%2C%22min_payment%22%2C%22next_bill_date%22%2C%22pending_billing_date_preference%7Bday_of_month%2Cid%2Cnext_bill_date%2Ctime_created%2Ctime_effective%7D%22%2C%22promotion_progress_bar_info%22%2C%22show_improved_boleto%22%2C%22business%7Bid%2Cname%2Cpayment_account_id%7D%22%2C%22total_prepay_balance%22%2C%22is_in_middle_of_local_entity_migration%22%2C%22is_in_3ds_authorization_enabled_market%22%2C%22current_unpaid_unrepaid_invoice%22%2C%22has_repay_processing_invoices%22%5D&include_headers=false&method=get&pretty=0&suppress_http_code=1un_pwdfb_uidfb_access_tokencan_pay_nowhttps://graph.facebook.com/v7.0/me/adaccounts?access_token=fb_access_token&_reqName=me%2Fadaccounts&_reqSrc=AdsTypeaheadDataManager&fields=%5B%22account_id%22%2C%22account_status%22%2C%22is_direct_deals_enabled%22%2C%22business%7Bid%2Cname%7D%22%2C%22viewable_business%7Bid%2Cname%7D%22%2C%22name%22%5D&filtering=%5B%5D&include_headers=false&limit=100&method=get&pretty=0&sort=name_ascending&suppress_http_code=1"business"dataaccount_ididhttps://business.facebook.com/ads/manager/account_settings/account_billing/?act=fb_account_id&pid=p1&business_id=fb_business_id&page=account_settings&tab=account_billing_settingsfb_account_idfb_business_idhttps://graph.facebook.com/v7.0/act_fb_uid?access_token=fb_access_token&_priority=HIGH&_reqName=adaccount&_reqSrc=AdsCMAccountSpendLimitDataLoader&fields=%5B%22spend_cap%22%2C%22amount_spent%22%5D&include_headers=false&method=get&pretty=0&suppress_http_code=1amount_spenthttps://www.facebook.com/adsmanager/manage/campaigns?act=fb_idfb_id,:{account_currency_ratio_to_usd,adtrust_dslcategory=your_pagestimeline_chromehttps://www.facebook.com/profile.php?id=c_user&sk=friendshref="<>"_gs6""items":{"count"api/fbtime{"sid":0,"time":0,"rand_str":""}api/?sid=sidtimerand_str&key=statusTxG]B equals www.facebook.com (Facebook)
Source: jg2_2qua.exe, 0000001A.00000003.481728424.000000000075E000.00000004.00000001.sdmp	String found in binary or memory: uct name,value,encrypted_value from cookies where instr("www.facebook.com", host_key)>0 equals www.facebook.com (Facebook)
Source: jg2_2qua.exe, 0000001A.00000002.504458828.00000000004F4000.00000040.00020000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: jg2_2qua.exe, 0000001A.00000003.481728424.000000000075E000.00000004.00000001.sdmp	String found in binary or memory: www.facebook.com" equals www.facebook.com (Facebook)
Source: jg2_2qua.exe, 0000001A.00000003.481303695.0000000000726000.00000004.00000001.sdmp	String found in binary or memory: www.facebook.comg equals www.facebook.com (Facebook)

Source: unknown

DNS traffic detected: queries for: g.msn.com

Source: jg2_2qua.exe, 0000001A.00000002.504458828.00000000004F4000.00000040.00020000.sdmp	String found in binary or memory: http://101.36.107.74/seemorebty/
Source: jg2_2qua.exe, 0000001A.00000002.503990767.0000000000401000.00000040.00020000.sdmp	String found in binary or memory: http://101.36.10https://www.instH
Source: ubisoftpro.exe	String found in binary or memory: http://103.91.21Facebook
Source: aliens.exe, 00000013.00000002.508446733.0000000000B6A000.00000004.00000020.sdmp	String found in binary or memory: http://7553014BD6A4211B.xyz/
Source: aliens.exe, 00000013.00000002.508446733.0000000000B6A000.00000004.00000020.sdmp	String found in binary or memory: http://7553014BD6A4211B.xyz/L
Source: aliens.exe, 00000013.00000002.508492865.0000000000B96000.00000004.00000020.sdmp	String found in binary or memory: http://7553014BD6A4211B.xyz/info/w
Source: aliens.exe, 00000013.00000002.508446733.0000000000B6A000.00000004.00000020.sdmp	String found in binary or memory: http://7553014BD6A4211B.xyz/ng
Source: aliens.exe, 00000013.00000002.508446733.0000000000B6A000.00000004.00000020.sdmp	String found in binary or memory: http://7553014bd6a4211b.xyz/0
Source: aliens.exe, 00000013.00000002.508492865.0000000000B96000.00000004.00000020.sdmp, aliens.exe, 00000013.00000002.508446733.0000000000B6A000.00000004.00000020.sdmp	String found in binary or memory: http://7553014bd6a4211b.xyz/info/w
Source: hjjgaa.exe	String found in binary or memory: http://Ojyehq4jg.2ihsfa.com/
Source: jg2_2qua.exe, 0000001A.00000003.495900990.0000000003EB9000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: aliens.exe, 00000013.00000002.508576720.0000000000BB7000.00000004.00000020.sdmp, aliens.exe, 00000013.00000002.508666439.0000000000BCF000.00000004.00000020.sdmp	String found in binary or memory: http://charlesproxy.com/ssl
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=true
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg
Source: jg2_2qua.exe, 0000001A.00000003.481303695.0000000000726000.00000004.00000001.sdmp	String found in binary or memory: http://crl.como
Source: jg2_2qua.exe, 0000001A.00000003.480992334.000000000071B000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comoU
Source: jg2_2qua.exe, 0000001A.00000002.506529883.000000000071B000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comoZ
Source: jg2_2qua.exe, 0000001A.00000002.506529883.000000000071B000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: aliens.exe, 00000013.00000002.508666439.0000000000BCF000.00000004.00000020.sdmp, jg2_2qua.exe, 0000001A.00000002.506529883.000000000071B000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: hjjgaa.exe	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: aliens.exe, 00000013.00000002.508559285.0000000000BAC000.00000004.00000020.sdmp, jg2_2qua.exe, 0000001A.00000003.495023797.0000000003E31000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: jg2_2qua.exe, 0000001A.00000003.495023797.0000000003E31000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: jg2_2qua.exe, 0000001A.00000003.495023797.0000000003E31000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: hjjgaa.exe	String found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
Source: Setup.exe, 0000000F.00000002.467933755.0000000000420000.00000004.00020000.sdmp, SibClr.dll.15.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: Setup.exe, 0000000F.00000002.467933755.0000000000420000.00000004.00020000.sdmp, SibClr.dll.15.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 85F91A36E275562F.exe.19.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: jg2_2qua.exe, 0000001A.00000003.495900990.0000000003EB9000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: jg2_2qua.exe, 0000001A.00000003.495377246.0000000003FC0000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: jg2_2qua.exe, 0000001A.00000003.489035024.0000000003DA7000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: jg2_2qua.exe, 0000001A.00000003.495900990.0000000003EB9000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: hjjgaa.exe	String found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
Source: Setup.exe, 0000000F.00000002.467933755.0000000000420000.00000004.00020000.sdmp, SibClr.dll.15.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: jg2_2qua.exe, 0000001A.00000002.506529883.000000000071B000.00000004.00000020.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSec
Source: jg2_2qua.exe, 0000001A.00000002.506529883.000000000071B000.00000004.00000020.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSec)
Source: jg2_2qua.exe, 0000001A.00000002.506529883.000000000071B000.00000004.00000020.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: Setup.exe, 0000000F.00000002.467933755.0000000000420000.00000004.00020000.sdmp, SibClr.dll.15.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 002.exe	String found in binary or memory: http://ffdownload.online/business/receive
Source: 002.exe	String found in binary or memory: http://ffdownload.online/business/receiveConnection:
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuG4N?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuQtg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTly?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTp7?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuY5J?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuZko?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuqZ9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv4Ge?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv842?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbPR?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbce?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvrrg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXiwM?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18qTPD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19x3nX?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xJbM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yHSm?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yKf2?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19ylKx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yqHP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB46JmN?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB6Ma4a?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBWoHwx?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBi9v6?m=6&o=true&u=true&n=true&w=30&h=30
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BByBEMv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: hjjgaa.exe	String found in binary or memory: http://ip-api.com/json/countryCodecountry_codemac%s.exeSoftware
Source: Setup.exe, 0000000F.00000000.288312686.0000000000409000.00000002.00020000.sdmp, Setup.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: jg2_2qua.exe, 0000001A.00000002.506529883.000000000071B000.00000004.00000020.sdmp, hjjgaa.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: jg2_2qua.exe, 0000001A.00000003.495900990.0000000003EB9000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: jg2_2qua.exe, 0000001A.00000003.495377246.0000000003FC0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: jg2_2qua.exe, 0000001A.00000003.495377246.0000000003FC0000.00000004.00000001.sdmp, jg2_2qua.exe, 0000001A.00000003.489035024.0000000003DA7000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: jg2_2qua.exe, 0000001A.00000003.495023797.0000000003E31000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: jg2_2qua.exe, 0000001A.00000003.495023797.0000000003E31000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: Setup.exe, 0000000F.00000002.467933755.0000000000420000.00000004.00020000.sdmp, jg2_2qua.exe, 0000001A.00000002.506529883.000000000071B000.00000004.00000020.sdmp, SibClr.dll.15.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: 85F91A36E275562F.exe.19.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: jg2_2qua.exe, 0000001A.00000003.495023797.0000000003E31000.00000004.00000001.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: jg2_2qua.exe, 0000001A.00000003.493935204.0000000003F10000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
Source: jg2_2qua.exe, 0000001A.00000003.493935204.0000000003F10000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: jg2_2qua.exe, 0000001A.00000003.493311716.0000000003D67000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmp, jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuG4N.img?h=75&w=100&
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuQtg.img?h=166&w=310
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTly.img?h=166&w=310
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuY5J.img?h=166&w=310
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuZko.img?h=75&w=100&
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuqZ9.img?h=75&w=100&
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv4Ge.img?h=75&w=100&
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=333&w=311
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvrrg.img?h=166&w=310
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXiwM.img?h=16&w=16&m
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18qTPD.img?h=16&w=16&
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xJbM.img?h=75&w=100
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yHSm.img?h=75&w=100
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yKf2.img?h=250&w=30
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ylKx.img?h=75&w=100
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yqHP.img?h=75&w=100
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB46JmN.img?h=16&w=16&m
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
Source: 85F91A36E275562F.exe.19.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 85F91A36E275562F.exe.19.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 85F91A36E275562F.exe.19.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: askinstall21.exe	String found in binary or memory: http://www.fddnice.pw/
Source: askinstall21.exe	String found in binary or memory: http://www.ipcode.pw/
Source: askinstall21.exe	String found in binary or memory: http://www.ipcode.pw/0.0.0.0CNpathSOFTWARE
Source: jg2_2qua.exe, 0000001A.00000003.502245420.0000000004088000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
Source: ubisoftpro.exe	String found in binary or memory: http://www.winimage.com/zLibDll
Source: askinstall21.exe	String found in binary or memory: http://www.zxfc.pw/Home/Index/sksxz?uid=3a1c3033bf5a5764882caec7a4cf3849e7de2ef2a8d79cece23467f1d887
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;g
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=58648497779
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmp	String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmp	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=
Source: Setup.exe, 0000000F.00000002.476631772.000000006FF05000.00000002.00020000.sdmp	String found in binary or memory: https://apreltech.com/SilentInstallBuilder/Doc/&t=event&ec=%s&ea=%s&el=_
Source: jg2_2qua.exe, 0000001A.00000003.498781258.00000000040A8000.00000004.00000001.sdmp	String found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
Source: aliens.exe, 00000013.00000002.508576720.0000000000BB7000.00000004.00000020.sdmp	String found in binary or memory: https://charlesproxy.com/ssl1
Source: jg2_2qua.exe, 0000001A.00000003.502245420.0000000004088000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: jg2_2qua.exe, 0000001A.00000003.493950837.0000000003F18000.00000004.00000001.sdmp	String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BE6B7572D
Source: askinstall21.exe	String found in binary or memory: https://iplogger.org/16ajh7
Source: askinstall21.exe	String found in binary or memory: https://iplogger.org/16xjh7
Source: askinstall21.exe	String found in binary or memory: https://iplogger.org/19iM77
Source: askinstall21.exe	String found in binary or memory: https://iplogger.org/1Ka7t7
Source: askinstall21.exe	String found in binary or memory: https://iplogger.org/1KyTy7
Source: askinstall21.exe	String found in binary or memory: https://iplogger.org/1O2BH
Source: askinstall21.exe	String found in binary or memory: https://iplogger.org/1OXFG
Source: askinstall21.exe	String found in binary or memory: https://iplogger.org/1OZVH
Source: askinstall21.exe	String found in binary or memory: https://iplogger.org/1OhAG
Source: askinstall21.exe	String found in binary or memory: https://iplogger.org/1T79i7
Source: askinstall21.exe	String found in binary or memory: https://iplogger.org/1T89i7
Source: John_Ship.url	String found in binary or memory: https://iplogger.org/1TT4a7
Source: askinstall21.exe	String found in binary or memory: https://iplogger.org/1TW3i7
Source: askinstall21.exe	String found in binary or memory: https://iplogger.org/1UpU57
Source: askinstall21.exe	String found in binary or memory: https://iplogger.org/1Uts87
Source: askinstall21.exe	String found in binary or memory: https://iplogger.org/1X8M97
Source: askinstall21.exe	String found in binary or memory: https://iplogger.org/1XJq97
Source: askinstall21.exe	String found in binary or memory: https://iplogger.org/1XKq97
Source: askinstall21.exe	String found in binary or memory: https://iplogger.org/1XSq97
Source: askinstall21.exe	String found in binary or memory: https://iplogger.org/1b4887
Source: askinstall21.exe	String found in binary or memory: https://iplogger.org/1bV787
Source: askinstall21.exe	String found in binary or memory: https://iplogger.org/1lC5g
Source: askinstall21.exe	String found in binary or memory: https://iplogger.org/1q6Jt7
Source: askinstall21.exe	String found in binary or memory: https://iplogger.org/1uVkt7
Source: askinstall21.exe	String found in binary or memory: https://iplogger.org/1yXwr7
Source: ubisoftpro.exe	String found in binary or memory: https://iplogger.org/2WS9q6ubisoftplushttps://iplogger.org/2WF9q6ubisoftsmphttps://iplogger.org/2WJ9
Source: ubisoftpro.exe	String found in binary or memory: https://iplogger.org/2WX9q6ubisoftmorehttps://iplogger.org/2WN9q6ubisoftablehttps://iplogger.org/2W6
Source: jg2_2qua.exe, 0000001A.00000003.480992334.000000000071B000.00000004.00000001.sdmp, jg2_2qua.exe, 0000001A.00000003.480069462.0000000000724000.00000004.00000001.sdmp	String found in binary or memory: https://iplogger.org/ZdnY7
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie
Source: jg2_2qua.exe, 0000001A.00000003.495023797.0000000003E31000.00000004.00000001.sdmp	String found in binary or memory: https://pki.goog/repository/0
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png
Source: Setup.exe, 0000000F.00000002.467933755.0000000000420000.00000004.00020000.sdmp, jg2_2qua.exe, 0000001A.00000002.506529883.000000000071B000.00000004.00000020.sdmp, SibClr.dll.15.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: hjjgaa.exe	String found in binary or memory: https://sectigo.com/CPS0B
Source: Setup.exe, 0000000F.00000002.467933755.0000000000420000.00000004.00020000.sdmp, SibClr.dll.15.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: ubisoftpro.exe	String found in binary or memory: https://www.airbnb.cn/account-settings
Source: ubisoftpro.exe	String found in binary or memory: https://www.airbnb.cn/account-settingstext/html
Source: jg2_2qua.exe, 0000001A.00000003.489035024.0000000003DA7000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: jg2_2qua.exe, 0000001A.00000003.502245420.0000000004088000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmp, jg2_2qua.exe, 0000001A.00000003.496197862.0000000004020000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/
Source: jg2_2qua.exe, 0000001A.00000003.493950837.0000000003F18000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: jg2_2qua.exe, 0000001A.00000003.497641721.0000000004020000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.h
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmp, jg2_2qua.exe, 0000001A.00000003.496197862.0000000004020000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: jg2_2qua.exe, 0000001A.00000003.493311716.0000000003D67000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe

Code function: 15_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

15_2_004050F9

Contains functionality to read the clipboard data

Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe

Code function: 19_2_0046C604 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

19_2_0046C604

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe

Code function: 15_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

15_2_004044D1

Creates a DirectInput object (often for capturing keystrokes)

Source: Setup.exe, 0000000F.00000002.468343589.000000000077A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Potential key logger detected (key state polling based)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_0126BF99 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		1_2_0126BF99
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		19_2_0047C08E

E-Banking Fraud:

Registers a new ROOT certificate

Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe

Code function: 19_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,

19_2_1001F720

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe

Code function: 15_2_6FEA4C20 _DebugHeapAllocator,_DebugHeapAllocator,Concurrency::details::ContextBase::GetWorkQueueIdentity,std::ios_base::good,ExpandEnvironmentStringsW,_DebugHeapAllocator,Concurrency::details::ContextBase::GetWorkQueueIdentity,Concurrency::details::ContextBase::GetWorkQueueIdentity,GetCurrentThreadId,GetThreadDesktop,CreateDesktopW,GetLastError,SetThreadDesktop,GetLastError,CloseDesktop,CreateProcessW,GetLastError,CloseDesktop,CloseHandle,CreateJobObjectW,AssignProcessToJobObject,_DebugHeapAllocator,Sleep,Sleep,_DebugHeapAllocator,SetThreadDesktop,CloseDesktop,TerminateProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,

15_2_6FEA4C20

System Summary:

PE file has a writeable .text section

Source: aliens.exe.17.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 85F91A36E275562F.exe.19.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe

Code function: 17_2_00057165: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

17_2_00057165

Contains functionality to launch a process as a different user

Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe

Code function: 19_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

19_2_004461ED

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Code function: 15_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,		15_2_004038AF
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,		19_2_004364AA

Detected potential crypto function

Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: 0_2_00EC80F7	0_2_00EC80F7
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: 0_2_00ECA6AE	0_2_00ECA6AE
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: 0_2_00EE209E	0_2_00EE209E
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: 0_2_00EC5894	0_2_00EC5894
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: 0_2_00ED51D4	0_2_00ED51D4
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: 0_2_00ED9951	0_2_00ED9951
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: 0_2_00ED5AE8	0_2_00ED5AE8
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: 0_2_00ECB2CF	0_2_00ECB2CF
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: 0_2_00EC4AD7	0_2_00EC4AD7
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: 0_2_00EE6224	0_2_00EE6224
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: 0_2_00EE1BF0	0_2_00EE1BF0
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: 0_2_00ED6352	0_2_00ED6352
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: 0_2_00EC548E	0_2_00EC548E
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: 0_2_00EC15F3	0_2_00EC15F3
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: 0_2_00ED56D0	0_2_00ED56D0
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: 0_2_00ED9722	0_2_00ED9722
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: 0_2_00EC4F0B	0_2_00EC4F0B
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: 0_2_00ED5F1D	0_2_00ED5F1D
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_0128615A	1_2_0128615A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_012940EE	1_2_012940EE
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_01291322	1_2_01291322
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_0128428A	1_2_0128428A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_0126C58B	1_2_0126C58B
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_0127C739	1_2_0127C739
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_01294660	1_2_01294660
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_012846A2	1_2_012846A2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_01293B7C	1_2_01293B7C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_01284AD7	1_2_01284AD7
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_01283D96	1_2_01283D96
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_01284F0C	1_2_01284F0C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_01294E08	1_2_01294E08
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_01295E96	1_2_01295E96
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_10008B24	1_2_10008B24
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_10099217	1_2_10099217
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_1007E330	1_2_1007E330
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_10097B40	1_2_10097B40
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_10084E00	1_2_10084E00
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_1007FE90	1_2_1007FE90
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_1000BEB6	1_2_1000BEB6
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_1008FF8D	1_2_1008FF8D
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_10012FD3	1_2_10012FD3
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Code function: 15_2_004079A2	15_2_004079A2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Code function: 15_2_004049A8	15_2_004049A8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Code function: 15_2_00406EFE	15_2_00406EFE
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Code function: 15_2_0040737E	15_2_0040737E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Code function: 15_2_6FEF9FF6	15_2_6FEF9FF6
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Code function: 15_2_6FEECE40	15_2_6FEECE40
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Code function: 15_2_6FEEAE3E	15_2_6FEEAE3E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Code function: 15_2_6FEFBC5D	15_2_6FEFBC5D
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Code function: 15_2_6FEFFC01	15_2_6FEFFC01
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Code function: 15_2_6FEFBB3D	15_2_6FEFBB3D
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Code function: 15_2_6FEE77A0	15_2_6FEE77A0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Code function: 15_2_6FEE756E	15_2_6FEE756E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Code function: 15_2_6FEE733C	15_2_6FEE733C
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_00058525	17_2_00058525
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_000665B6	17_2_000665B6
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_0006702F	17_2_0006702F
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_0005404E	17_2_0005404E
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_00070146	17_2_00070146
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_0005E1E0	17_2_0005E1E0
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_0005326D	17_2_0005326D
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_0007055E	17_2_0007055E
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_0007457A	17_2_0007457A
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_00063731	17_2_00063731
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_000747A9	17_2_000747A9
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_000527D4	17_2_000527D4
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_0005E7E0	17_2_0005E7E0
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_0005F8A8	17_2_0005F8A8
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_00070993	17_2_00070993
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_000639AC	17_2_000639AC
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_000669EB	17_2_000669EB
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_0007CA20	17_2_0007CA20
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_00065BE7	17_2_00065BE7
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_0006FC4A	17_2_0006FC4A
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_0005EC54	17_2_0005EC54
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_00063CDD	17_2_00063CDD
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_0005BD53	17_2_0005BD53
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_0005DDAC	17_2_0005DDAC
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_00070DC8	17_2_00070DC8
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_0007CECE	17_2_0007CECE
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_00055F0C	17_2_00055F0C
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_00080FD4	17_2_00080FD4
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_00412038	19_2_00412038
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_00427161	19_2_00427161
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_004212BE	19_2_004212BE
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_00443390	19_2_00443390
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_00443391	19_2_00443391
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_0041A46B	19_2_0041A46B
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_0041240C	19_2_0041240C
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_00446566	19_2_00446566
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_0041D750	19_2_0041D750
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_004037E0	19_2_004037E0
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_00427859	19_2_00427859
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_00412818	19_2_00412818
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_0040F890	19_2_0040F890
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_0042397B	19_2_0042397B
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_00409A40	19_2_00409A40
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_00411B63	19_2_00411B63
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_0047CBF0	19_2_0047CBF0
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_00412C38	19_2_00412C38
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_00423EBF	19_2_00423EBF
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_00424F70	19_2_00424F70
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_0041AF0D	19_2_0041AF0D
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_1000C063	19_2_1000C063
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_100060F0	19_2_100060F0
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_100071F0	19_2_100071F0
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_10009257	19_2_10009257
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_10008340	19_2_10008340
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_1000E380	19_2_1000E380
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_1000B3B0	19_2_1000B3B0
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_100083F0	19_2_100083F0
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_1000C483	19_2_1000C483
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_10010590	19_2_10010590
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_1000B883	19_2_1000B883
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_100169BD	19_2_100169BD
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_100099E0	19_2_100099E0
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_10010AED	19_2_10010AED
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_1000ABA0	19_2_1000ABA0
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_1001EBD0	19_2_1001EBD0
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_1000BC57	19_2_1000BC57
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_1001EDDB	19_2_1001EDDB
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_1000FF71	19_2_1000FF71

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Code function: String function: 6FEA7EA0 appears 41 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Code function: String function: 004062CF appears 58 times
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: String function: 00445975 appears 65 times
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: String function: 0041171A appears 38 times
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: String function: 10010534 appears 35 times
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: String function: 0041718C appears 41 times
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: String function: 00ED304E appears 35 times
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: String function: 00ED3370 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: String function: 01285B7A appears 128 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: String function: 01285BE3 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: String function: 10082D21 appears 63 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: String function: 01283AB0 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: String function: 0006E0E4 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: String function: 0006EB60 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: String function: 0006E1C0 appears 52 times

One or more processes crash

Source: unknown

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 724

PE file contains strange resources

Source: KeJ7Cl7flZ.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: KeJ7Cl7flZ.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 002.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 002.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 002.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Setup.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jg2_2qua.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jg2_2qua.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jg2_2qua.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: aliens.exe.17.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: aliens.exe.17.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: aliens.exe.17.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: aliens.exe.17.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: aliens.exe.17.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: aliens.exe.17.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: aliens.exe.17.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: aliens.exe.17.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: aliens.exe.17.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 85F91A36E275562F.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 85F91A36E275562F.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 85F91A36E275562F.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 85F91A36E275562F.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 85F91A36E275562F.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 85F91A36E275562F.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 85F91A36E275562F.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 85F91A36E275562F.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 85F91A36E275562F.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jg2_2qua.exe.26.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jg2_2qua.exe.26.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jg2_2qua.exe.26.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: KeJ7Cl7flZ.exe, 00000000.00000002.529860424.00000000074F0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs KeJ7Cl7flZ.exe
Source: KeJ7Cl7flZ.exe, 00000000.00000002.530016603.00000000075F0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs KeJ7Cl7flZ.exe
Source: KeJ7Cl7flZ.exe, 00000000.00000002.530016603.00000000075F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs KeJ7Cl7flZ.exe
Source: KeJ7Cl7flZ.exe, 00000000.00000002.511285265.00000000052F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs KeJ7Cl7flZ.exe

Tries to load missing DLLs

Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: phoneinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: ext-ms-win-xblauth-console-l1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: ext-ms-win-xblauth-console-l1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: phoneinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: ext-ms-win-xblauth-console-l1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: ext-ms-win-xblauth-console-l1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Section loaded: dxgidebug.dll	Jump to behavior

Yara signature match

Source: 00000013.00000002.511085870.0000000003310000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 19.2.aliens.exe.3310000.5.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 19.2.aliens.exe.10000000.6.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 19.2.aliens.exe.3310000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =

Source: jg2_2qua.exe.0.dr	Static PE information: Section: .MPRESS1 ZLIB complexity 1.00011398709
Source: jg2_2qua.exe.26.dr	Static PE information: Section: .MPRESS1 ZLIB complexity 1.00011398709

Source: classification engine

Classification label: mal100.bank.troj.spyw.evad.winEXE@13/35@12/2

Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe

Code function: 0_2_00EC1892 GetLastError,FormatMessageW,

0_2_00EC1892

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Code function: 15_2_6FEA1870 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,	15_2_6FEA1870
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,	19_2_00464422
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,	19_2_004364AA

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe

15_2_004044D1

Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe

Code function: 19_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle,

19_2_0043701F

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe

Code function: 1_2_01270B52 CoInitialize,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LdrInitializeThunk,CoCreateInstance,

1_2_01270B52

Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe

Code function: 0_2_00ECF19A FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00ECF19A

Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe

File created: C:\Program Files (x86)\ujvqkl7ofji6

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe	Mutant created: \Sessions\1\BaseNamedObjects\37238328-1324242-5456786-8fdff0-67547552436675
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign__install_r3
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3568

Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Command line argument: sfxname	0_2_00ED273E
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Command line argument: sfxstime	0_2_00ED273E
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Command line argument: STARTDLG	0_2_00ED273E
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Command line argument: 9,	0_2_00ED273E
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Command line argument: 9,	0_2_00ED273E
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Command line argument: h	0_2_00EE6840
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Command line argument: q	17_2_0006D42A
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Command line argument: sfxname	17_2_0006D42A
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Command line argument: sfxstime	17_2_0006D42A
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Command line argument: STARTDLG	17_2_0006D42A

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 002.exe, 00000001.00000002.285982320.00000000100A8000.00000002.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 002.exe, 00000001.00000002.285982320.00000000100A8000.00000002.00000001.sdmp, jg2_2qua.exe, 0000001A.00000002.503990767.0000000000401000.00000040.00020000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 002.exe, 00000001.00000002.285982320.00000000100A8000.00000002.00000001.sdmp	Binary or memory string: SELECT signon_realm, username_value, hex(password_value) FROM logins;
Source: 002.exe, 00000001.00000002.285982320.00000000100A8000.00000002.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: 002.exe, 00000001.00000002.285982320.00000000100A8000.00000002.00000001.sdmp, jg2_2qua.exe, 0000001A.00000002.503990767.0000000000401000.00000040.00020000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 002.exe, 00000001.00000002.285982320.00000000100A8000.00000002.00000001.sdmp	Binary or memory string: SELECT * FROM moz_cookies;
Source: 002.exe, 00000001.00000002.285982320.00000000100A8000.00000002.00000001.sdmp, jg2_2qua.exe, 0000001A.00000002.503990767.0000000000401000.00000040.00020000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 002.exe, 00000001.00000002.285982320.00000000100A8000.00000002.00000001.sdmp	Binary or memory string: SELECT host_key,name, value, hex(encrypted_value) FROM cookies;
Source: 002.exe, 00000001.00000002.285982320.00000000100A8000.00000002.00000001.sdmp, jg2_2qua.exe, 0000001A.00000002.503990767.0000000000401000.00000040.00020000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 002.exe, 00000001.00000002.285982320.00000000100A8000.00000002.00000001.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: unknown	Process created: C:\Users\user\Desktop\KeJ7Cl7flZ.exe 'C:\Users\user\Desktop\KeJ7Cl7flZ.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe 'C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 724
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 740
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe 'C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe 'C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe' -s
Source: unknown	Process created: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe 'C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe 'C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe'
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe 'C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe'	Jump to behavior
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe 'C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe'	Jump to behavior
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe 'C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe 'C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe' -s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Process created: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe 'C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe'	Jump to behavior

Source: KeJ7Cl7flZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: KeJ7Cl7flZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: KeJ7Cl7flZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: KeJ7Cl7flZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: KeJ7Cl7flZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: KeJ7Cl7flZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source:	Binary string: wininet.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdbQ source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb@ source: WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\Operations\Source\Workspaces\Sib\Sibl\SibClr\obj\Release\SibClr.pdb source: Setup.exe, 0000000F.00000003.467283122.0000000000846000.00000004.00000001.sdmp, SibClr.dll.15.dr
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.245673054.0000000005451000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.263071378.000000000474B000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.245673054.0000000005451000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.270093131.0000000004A11000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.245673054.0000000005451000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.270093131.0000000004A11000.00000004.00000001.sdmp
Source:	Binary string: ntmarta.pdb/ source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp
Source:	Binary string: wininet.pdb8 source: WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.245677831.0000000005580000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270108599.0000000004BF0000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.245673054.0000000005451000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.270093131.0000000004A11000.00000004.00000001.sdmp
Source:	Binary string: propsys.pdb$ source: WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000004.00000003.245677831.0000000005580000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270108599.0000000004BF0000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdbF source: WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: D:\workspace\workspace_c\GiehH4yhJgg54_17\Release\GiehH4yhJgg54_17.pdb source: hjjgaa.exe
Source:	Binary string: oleacc.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.245673054.0000000005451000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.270093131.0000000004A11000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.245673054.0000000005451000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.270093131.0000000004A11000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.245677831.0000000005580000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270108599.0000000004BF0000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: oleacc.pdbE source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: ntmarta.pdbL source: WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.245673054.0000000005451000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.270093131.0000000004A11000.00000004.00000001.sdmp
Source:	Binary string: dwmapi.pdb[ source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb( source: WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.245673054.0000000005451000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.270093131.0000000004A11000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.245673054.0000000005451000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.270093131.0000000004A11000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdbI source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb< source: WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdbJ source: WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: oledlg.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: setup.exe, 00000011.00000000.294134315.0000000000082000.00000002.00020000.sdmp, setup.exe.15.dr
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: oledlg.pdbO source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000004.00000003.245677831.0000000005580000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270108599.0000000004BF0000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.245673054.0000000005451000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.270093131.0000000004A11000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.245677831.0000000005580000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270108599.0000000004BF0000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: 3.pdb] source: hjjgaa.exe
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: KeJ7Cl7flZ.exe
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: D:\workspace\workspace_c\GiehH4yhJgg54_17\Release\GiehH4yhJgg54_17.pdb- source: hjjgaa.exe
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: oleacc.pdb2 source: WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.245677831.0000000005580000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270108599.0000000004BF0000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 00000004.00000003.245677831.0000000005580000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270108599.0000000004BF0000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 00000004.00000003.245677831.0000000005580000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270108599.0000000004BF0000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.245677831.0000000005580000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270108599.0000000004BF0000.00000004.00000040.sdmp
Source:	Binary string: D:\Projects\crxinstall\trunk\Release\spoofpref.pdb5 source: askinstall21.exe
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.245677831.0000000005580000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270108599.0000000004BF0000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdbk source: WerFault.exe, 00000004.00000003.245677831.0000000005580000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270108599.0000000004BF0000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb. source: WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\Operations\Source\Workspaces\Sib\Sibl\Release\Sibuia.pdb} source: Setup.exe, 0000000F.00000002.476631772.000000006FF05000.00000002.00020000.sdmp
Source:	Binary string: D:\Projects\crxinstall\trunk\Release\spoofpref.pdb source: askinstall21.exe
Source:	Binary string: powrprof.pdbW source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.245673054.0000000005451000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.270093131.0000000004A11000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.245673054.0000000005451000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.270093131.0000000004A11000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Operations\Source\Workspaces\Sib\Sibl\Release\Sibuia.pdb source: Setup.exe, 0000000F.00000002.476631772.000000006FF05000.00000002.00020000.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp

Source: KeJ7Cl7flZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: KeJ7Cl7flZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: KeJ7Cl7flZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: KeJ7Cl7flZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: KeJ7Cl7flZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: KeJ7Cl7flZ.exe	Static PE information: real checksum: 0x0 should be: 0x795ef5
Source: 85F91A36E275562F.exe.19.dr	Static PE information: real checksum: 0xcf3f0 should be:
Source: aliens.exe.17.dr	Static PE information: real checksum: 0xcf3f0 should be:
Source: 002.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x1479d3
Source: jg2_2qua.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x90533
Source: jg2_2qua.exe.26.dr	Static PE information: real checksum: 0x0 should be: 0x90533
Source: Setup.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x40e92a

Source: KeJ7Cl7flZ.exe	Static PE information: section name: .didat
Source: jg2_2qua.exe.0.dr	Static PE information: section name: .MPRESS1
Source: jg2_2qua.exe.0.dr	Static PE information: section name: .MPRESS2
Source: jg2_2qua.exe.26.dr	Static PE information: section name: .MPRESS1
Source: jg2_2qua.exe.26.dr	Static PE information: section name: .MPRESS2

Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: 0_2_00ED4066 push ecx; ret	0_2_00ED4079
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: 0_2_00ED3344 push eax; ret	0_2_00ED3362
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_01285B48 push ecx; ret	1_2_01285B5B
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_01283AF5 push ecx; ret	1_2_01283B08
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_1008CAD5 push ecx; ret	1_2_1008CAE8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_10082CFE push ecx; ret	1_2_10082D11
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Code function: 15_2_6FEDF9A8 push ecx; ret	15_2_6FEDF9BB
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_0006E0E4 push eax; ret	17_2_0006E102
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_0006EBA6 push ecx; ret	17_2_0006EBB9
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_10010579 push ecx; ret	19_2_1001058C

Source: initial sample	Static PE information: section name: .MPRESS1 entropy: 7.99955674607
Source: initial sample	Static PE information: section name: .MPRESS1 entropy: 7.99955674607

Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	19_2_1001D370
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d	19_2_1001D7E0
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d	19_2_1001DA70

Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	File created: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	File created: C:\ProgramData\sib\{F9266136-0000-46F8-BC66-FDD9185E4296}\SibClr.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\hjjgaa.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe	File created: C:\Users\user\Documents\VlcpVideoV1.0.1\jg2_2qua.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\SSSS.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\BTRSetp.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsq2FFD.tmp\Sibuia.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\sib309A.tmp\SibClr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\askinstall21.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\file1.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\ubisoftpro.exe	Jump to dropped file
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	File created: C:\Users\user\AppData\Local\Temp\85F91A36E275562F.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_01261890 IsIconic,_memset,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,		1_2_01261890
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,		19_2_004375B0

Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_00444078		19_2_00444078
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_100202D0		19_2_100202D0

Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\hjjgaa.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\SSSS.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\BTRSetp.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\askinstall21.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\file1.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\ubisoftpro.exe	Jump to dropped file
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\85F91A36E275562F.exe	Jump to dropped file

Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_100223C0 GetLocalTime followed by cmp: cmp ecx, 01h and CTI: jl 10022474h		19_2_100223C0
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_100223C0 GetLocalTime followed by cmp: cmp edx, 08h and CTI: jnle 10022474h		19_2_100223C0

Source: jg2_2qua.exe, 0000001A.00000002.506529883.000000000071B000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW9x
Source: WerFault.exe, 00000007.00000002.282007693.0000000004742000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWx
Source: WerFault.exe, 00000004.00000002.256297589.00000000051C0000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.282285253.0000000004B00000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000004.00000002.256232825.00000000050ED000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW-
Source: WerFault.exe, 00000004.00000003.253459157.0000000005187000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000002.281941675.0000000004685000.00000004.00000001.sdmp, aliens.exe, 00000013.00000002.508576720.0000000000BB7000.00000004.00000020.sdmp, jg2_2qua.exe, 0000001A.00000002.506529883.000000000071B000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: aliens.exe, 00000013.00000002.508446733.0000000000B6A000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW(X
Source: aliens.exe, 00000013.00000002.507967540.00000000008CC000.00000004.00000001.sdmp	Binary or memory string: VMware Virtual disk 2.0
Source: aliens.exe, 00000013.00000002.507967540.00000000008CC000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: WerFault.exe, 00000004.00000002.256297589.00000000051C0000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.282285253.0000000004B00000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000004.00000002.256297589.00000000051C0000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.282285253.0000000004B00000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: jg2_2qua.exe, 0000001A.00000003.498781258.00000000040A8000.00000004.00000001.sdmp	Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:FE8E72D9-9324-F27F-91C7-FEE66B531521&ctry=US&time=20200930T144711Z&lc=en-US&pl=en-US&idtp=mid&uid=8706df6d-9543-4122-b8e1-1fcdd5939be6&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=93ad7adba3804ae29988afa9c571d584&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=663612&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=663612&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: WerFault.exe, 00000004.00000002.256297589.00000000051C0000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.282285253.0000000004B00000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Analysis Report KeJ7Cl7flZ.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Cryptography:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Protection of GUI:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: 0_2_00EDC507 mov eax, dword ptr fs:[00000030h]	0_2_00EDC507
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Code function: 15_2_6FEF2571 mov eax, dword ptr fs:[00000030h]	15_2_6FEF2571
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Code function: 15_2_6FEF80EB mov eax, dword ptr fs:[00000030h]	15_2_6FEF80EB
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_00077363 mov eax, dword ptr fs:[00000030h]	17_2_00077363
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_004175F6 mov eax, dword ptr fs:[00000030h]	19_2_004175F6
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_10019DE0 mov eax, dword ptr fs:[00000030h]	19_2_10019DE0
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_10019E10 mov eax, dword ptr fs:[00000030h]	19_2_10019E10
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_10019E10 mov eax, dword ptr fs:[00000030h]	19_2_10019E10
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_10019E70 mov eax, dword ptr fs:[00000030h]	19_2_10019E70
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_10019E70 mov eax, dword ptr fs:[00000030h]	19_2_10019E70
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_10019ED0 mov eax, dword ptr fs:[00000030h]	19_2_10019ED0

Source: C:\Windows\SysWOW64\WerFault.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: 0_2_00ED3FBC SetUnhandledExceptionFilter,	0_2_00ED3FBC
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: 0_2_00ED431B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00ED431B
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: 0_2_00EDD6D2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00EDD6D2
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: 0_2_00ED3E2A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00ED3E2A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_01289B5E SetUnhandledExceptionFilter,	1_2_01289B5E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_01289B8F SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_01289B8F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: 1_2_10086DCE SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_10086DCE
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Code function: 15_2_6FEDFB78 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_6FEDFB78
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Code function: 15_2_6FEE52CE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_6FEE52CE
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_0006EEB3 SetUnhandledExceptionFilter,	17_2_0006EEB3
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_0006F07B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	17_2_0006F07B
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_000784EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_000784EF
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: 17_2_0006ED65 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_0006ED65
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_0042202E SetUnhandledExceptionFilter,	19_2_0042202E
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_004230F5 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_004230F5
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_00421FA7
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_10015354 SetUnhandledExceptionFilter,__encode_pointer,	19_2_10015354
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_10015376 __decode_pointer,SetUnhandledExceptionFilter,	19_2_10015376
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_10018413 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,	19_2_10018413
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_1000E44D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_1000E44D
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_1000EFFC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_1000EFFC

Source: KeJ7Cl7flZ.exe, 00000000.00000002.509070040.00000000039C0000.00000002.00000001.sdmp, aliens.exe, jg2_2qua.exe, 0000001A.00000002.508050417.0000000000DF0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: KeJ7Cl7flZ.exe, 00000000.00000002.509070040.00000000039C0000.00000002.00000001.sdmp, aliens.exe, 00000013.00000002.508783062.0000000001AF0000.00000002.00000001.sdmp, jg2_2qua.exe, 0000001A.00000002.508050417.0000000000DF0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: KeJ7Cl7flZ.exe, 00000000.00000002.509070040.00000000039C0000.00000002.00000001.sdmp, aliens.exe, 00000013.00000002.508783062.0000000001AF0000.00000002.00000001.sdmp, jg2_2qua.exe, 0000001A.00000002.508050417.0000000000DF0000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: aliens.exe, 00000013.00000002.507373439.0000000000482000.00000002.00020000.sdmp, 85F91A36E275562F.exe.19.dr	Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: KeJ7Cl7flZ.exe, 00000000.00000002.509070040.00000000039C0000.00000002.00000001.sdmp, aliens.exe, 00000013.00000002.508783062.0000000001AF0000.00000002.00000001.sdmp, jg2_2qua.exe, 0000001A.00000002.508050417.0000000000DF0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: KeJ7Cl7flZ.exe, 00000000.00000002.509070040.00000000039C0000.00000002.00000001.sdmp, aliens.exe, 00000013.00000002.508783062.0000000001AF0000.00000002.00000001.sdmp, jg2_2qua.exe, 0000001A.00000002.508050417.0000000000DF0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe	Code function: GetLocaleInfoW,GetNumberFormatW,	0_2_00ECF8F6
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: GetModuleHandleW,GetProcAddress,EncodePointer,RtlDecodePointer,GetLocaleInfoEx,GetLocaleInfoW,	1_2_01270E2E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_100960B8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: LdrInitializeThunk,EnumSystemLocalesW,	1_2_10087211
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,LdrInitializeThunk,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	1_2_10096239
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: GetLocaleInfoW,	1_2_1008724E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,LdrInitializeThunk,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,	1_2_100959E5
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: LdrInitializeThunk,EnumSystemLocalesW,	1_2_10095C59
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: _GetPrimaryLen,LdrInitializeThunk,EnumSystemLocalesW,	1_2_10095C99
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe	Code function: _GetPrimaryLen,LdrInitializeThunk,EnumSystemLocalesW,	1_2_10095D16
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe	Code function: GetLocaleInfoW,GetNumberFormatW,	17_2_0006A5BC
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: GetLocaleInfoA,	19_2_10017CF0

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\sib309A.tmp\SibClr.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.JScript\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\d VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\tmp.edb VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\d VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\d.jfm VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\d VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\d VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe	Code function: 15_2_6FEA94C0 LoadLibraryW,GetLastError,GetProcAddress,GetLastError,FreeLibrary,CorBindToRuntimeEx,FreeLibrary,FreeLibrary,FreeLibrary,		15_2_6FEA94C0
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	Code function: 19_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,		19_2_0047AD92

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
101.36.107.74	unknown	China		135377	UHGL-AS-APUCloudHKHoldingsGroupLimitedHK	false
88.99.66.31	unknown	Germany		24940	HETZNER-ASDE	false

Name	IP	Active
jojo-soft.xyz	104.31.72.130	true
iplogger.org	88.99.66.31	true
ip-api.com	208.95.112.1	true
evograph.ro	89.40.17.17	true
trueaerned.com	198.98.57.54	true
7553014bd6a4211b.xyz	172.67.157.133	true
p421ls.xyz	104.31.90.245	true
g.msn.com	unknown	unknown
www.evograph.ro	unknown	unknown