0acebaf80946be0cb3099233e8807aa775c8304fc3dee48d42241ff68b7ab318

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7v20201028
submitted
05-12-2020 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ca6df4914385efd4ba9cd239b5ed254.exe
Size

4.5MB
MD5

3ca6df4914385efd4ba9cd239b5ed254
SHA1

b66535ff43334177a5a167b9f2b07ade75484eec
SHA256

0acebaf80946be0cb3099233e8807aa775c8304fc3dee48d42241ff68b7ab318
SHA512

7951ab74ecd2ea26ed7bbcbc8bf34a770854a8fb009f256f93d72c705871b5a31c24153cc77581eec6544085cdbb51a170b2b7ef9f3f9139572b818d75424ca6

Score

8^/10

bootkit macro persistence spyware

Malware Config

Signatures

Executes dropped EXE 8 IoCs

Processes:

setup.exealiens.exe1E1C360C582DF797.exe1E1C360C582DF797.exeThunderFW.exeMiniThunderPlatform.exe23E04C4F32EF2158.exe23E04C4F32EF2158.tmp

pid	process
1144	setup.exe
1672	aliens.exe
1276	1E1C360C582DF797.exe
516	1E1C360C582DF797.exe
1996	ThunderFW.exe
1696	MiniThunderPlatform.exe
1200	23E04C4F32EF2158.exe
1180	23E04C4F32EF2158.tmp

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gdiview.msi	office_xlm_macros

Loads dropped DLL 23 IoCs

Processes:

3ca6df4914385efd4ba9cd239b5ed254.exesetup.exeMsiExec.exealiens.exe1E1C360C582DF797.exeMiniThunderPlatform.exe23E04C4F32EF2158.exe

pid	process
1744	3ca6df4914385efd4ba9cd239b5ed254.exe
1744	3ca6df4914385efd4ba9cd239b5ed254.exe
1744	3ca6df4914385efd4ba9cd239b5ed254.exe
1744	3ca6df4914385efd4ba9cd239b5ed254.exe
1144	setup.exe
1064	MsiExec.exe
1672	aliens.exe
1672	aliens.exe
1276	1E1C360C582DF797.exe
1276	1E1C360C582DF797.exe
1276	1E1C360C582DF797.exe
1276	1E1C360C582DF797.exe
1276	1E1C360C582DF797.exe
1276	1E1C360C582DF797.exe
1696	MiniThunderPlatform.exe
1696	MiniThunderPlatform.exe
1696	MiniThunderPlatform.exe
1696	MiniThunderPlatform.exe
1696	MiniThunderPlatform.exe
1696	MiniThunderPlatform.exe
1696	MiniThunderPlatform.exe
1276	1E1C360C582DF797.exe
1200	23E04C4F32EF2158.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

JavaScript code in executable 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gdiview.msi	js
\Users\Admin\AppData\Local\Temp\download\download_engine.dll	js
C:\Users\Admin\AppData\Local\Temp\download\download_engine.dll	js

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

aliens.exe1E1C360C582DF797.exe1E1C360C582DF797.exeMiniThunderPlatform.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	aliens.exe
File opened for modification	\??\PhysicalDrive0	1E1C360C582DF797.exe
File opened for modification	\??\PhysicalDrive0	1E1C360C582DF797.exe
File opened for modification	\??\PhysicalDrive0	MiniThunderPlatform.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

aliens.exe

pid process

1672 aliens.exe

pid	process
1672	aliens.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

1E1C360C582DF797.exe

description	pid	process	target process
PID 1276 set thread context of 1876	1276	1E1C360C582DF797.exe	firefox.exe
PID 1276 set thread context of 1656	1276	1E1C360C582DF797.exe	firefox.exe
PID 1276 set thread context of 1244	1276	1E1C360C582DF797.exe	firefox.exe
PID 1276 set thread context of 1528	1276	1E1C360C582DF797.exe	firefox.exe

Drops file in Program Files directory 6 IoCs

Processes:

setup.exe23E04C4F32EF2158.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\71eza90awf48	setup.exe
File created	C:\Program Files (x86)\71eza90awf48\__tmp_rar_sfx_access_check_259263880	setup.exe
File created	C:\Program Files (x86)\71eza90awf48\aliens.exe	setup.exe
File opened for modification	C:\Program Files (x86)\71eza90awf48\aliens.exe	setup.exe
File opened for modification	C:\Program Files (x86)\RearRips\DreamTrip.exe	23E04C4F32EF2158.tmp
File opened for modification	C:\Program Files (x86)\RearRips\seed.sfx.exe	23E04C4F32EF2158.tmp

NSIS installer 16 IoCs

installer

Processes:

resource	yara_rule
\Program Files (x86)\71eza90awf48\aliens.exe	nsis_installer_1
\Program Files (x86)\71eza90awf48\aliens.exe	nsis_installer_2
C:\Program Files (x86)\71eza90awf48\aliens.exe	nsis_installer_1
C:\Program Files (x86)\71eza90awf48\aliens.exe	nsis_installer_2
C:\Program Files (x86)\71eza90awf48\aliens.exe	nsis_installer_1
C:\Program Files (x86)\71eza90awf48\aliens.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe	nsis_installer_2

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1448 taskkill.exe

pid	process
1448	taskkill.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

aliens.exe1E1C360C582DF797.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	aliens.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	1E1C360C582DF797.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104610300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	1E1C360C582DF797.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 140000000100000014000000f8d0dc54367cf794020f8b92783a5d8a91251f9f0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd0f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104612000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	1E1C360C582DF797.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 19000000010000001000000018e847daffeaedafa0faaea36340ea790f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104610300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd140000000100000014000000f8d0dc54367cf794020f8b92783a5d8a91251f9f2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	1E1C360C582DF797.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	aliens.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1860 PING.EXE
1264 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

23E04C4F32EF2158.tmp

pid process

1180 23E04C4F32EF2158.tmp
1180 23E04C4F32EF2158.tmp

pid	process
1860	PING.EXE
1264	PING.EXE

pid	process
1180	23E04C4F32EF2158.tmp
1180	23E04C4F32EF2158.tmp

Suspicious use of AdjustPrivilegeToken 94 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1504	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1504	msiexec.exe
Token: SeRestorePrivilege	340	msiexec.exe
Token: SeTakeOwnershipPrivilege	340	msiexec.exe
Token: SeSecurityPrivilege	340	msiexec.exe
Token: SeCreateTokenPrivilege	1504	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1504	msiexec.exe
Token: SeLockMemoryPrivilege	1504	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1504	msiexec.exe
Token: SeMachineAccountPrivilege	1504	msiexec.exe
Token: SeTcbPrivilege	1504	msiexec.exe
Token: SeSecurityPrivilege	1504	msiexec.exe
Token: SeTakeOwnershipPrivilege	1504	msiexec.exe
Token: SeLoadDriverPrivilege	1504	msiexec.exe
Token: SeSystemProfilePrivilege	1504	msiexec.exe
Token: SeSystemtimePrivilege	1504	msiexec.exe
Token: SeProfSingleProcessPrivilege	1504	msiexec.exe
Token: SeIncBasePriorityPrivilege	1504	msiexec.exe
Token: SeCreatePagefilePrivilege	1504	msiexec.exe
Token: SeCreatePermanentPrivilege	1504	msiexec.exe
Token: SeBackupPrivilege	1504	msiexec.exe
Token: SeRestorePrivilege	1504	msiexec.exe
Token: SeShutdownPrivilege	1504	msiexec.exe
Token: SeDebugPrivilege	1504	msiexec.exe
Token: SeAuditPrivilege	1504	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1504	msiexec.exe
Token: SeChangeNotifyPrivilege	1504	msiexec.exe
Token: SeRemoteShutdownPrivilege	1504	msiexec.exe
Token: SeUndockPrivilege	1504	msiexec.exe
Token: SeSyncAgentPrivilege	1504	msiexec.exe
Token: SeEnableDelegationPrivilege	1504	msiexec.exe
Token: SeManageVolumePrivilege	1504	msiexec.exe
Token: SeImpersonatePrivilege	1504	msiexec.exe
Token: SeCreateGlobalPrivilege	1504	msiexec.exe
Token: SeCreateTokenPrivilege	1504	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1504	msiexec.exe
Token: SeLockMemoryPrivilege	1504	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1504	msiexec.exe
Token: SeMachineAccountPrivilege	1504	msiexec.exe
Token: SeTcbPrivilege	1504	msiexec.exe
Token: SeSecurityPrivilege	1504	msiexec.exe
Token: SeTakeOwnershipPrivilege	1504	msiexec.exe
Token: SeLoadDriverPrivilege	1504	msiexec.exe
Token: SeSystemProfilePrivilege	1504	msiexec.exe
Token: SeSystemtimePrivilege	1504	msiexec.exe
Token: SeProfSingleProcessPrivilege	1504	msiexec.exe
Token: SeIncBasePriorityPrivilege	1504	msiexec.exe
Token: SeCreatePagefilePrivilege	1504	msiexec.exe
Token: SeCreatePermanentPrivilege	1504	msiexec.exe
Token: SeBackupPrivilege	1504	msiexec.exe
Token: SeRestorePrivilege	1504	msiexec.exe
Token: SeShutdownPrivilege	1504	msiexec.exe
Token: SeDebugPrivilege	1504	msiexec.exe
Token: SeAuditPrivilege	1504	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1504	msiexec.exe
Token: SeChangeNotifyPrivilege	1504	msiexec.exe
Token: SeRemoteShutdownPrivilege	1504	msiexec.exe
Token: SeUndockPrivilege	1504	msiexec.exe
Token: SeSyncAgentPrivilege	1504	msiexec.exe
Token: SeEnableDelegationPrivilege	1504	msiexec.exe
Token: SeManageVolumePrivilege	1504	msiexec.exe
Token: SeImpersonatePrivilege	1504	msiexec.exe
Token: SeCreateGlobalPrivilege	1504	msiexec.exe
Token: SeCreateTokenPrivilege	1504	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

1504 msiexec.exe

pid	process
1504	msiexec.exe

Suspicious use of WriteProcessMemory 120 IoCs

Processes:

3ca6df4914385efd4ba9cd239b5ed254.exesetup.exealiens.exemsiexec.execmd.exe1E1C360C582DF797.exe1E1C360C582DF797.execmd.exe

description	pid	process	target process
PID 1744 wrote to memory of 1144	1744	3ca6df4914385efd4ba9cd239b5ed254.exe	setup.exe
PID 1744 wrote to memory of 1144	1744	3ca6df4914385efd4ba9cd239b5ed254.exe	setup.exe
PID 1744 wrote to memory of 1144	1744	3ca6df4914385efd4ba9cd239b5ed254.exe	setup.exe
PID 1744 wrote to memory of 1144	1744	3ca6df4914385efd4ba9cd239b5ed254.exe	setup.exe
PID 1744 wrote to memory of 1144	1744	3ca6df4914385efd4ba9cd239b5ed254.exe	setup.exe
PID 1744 wrote to memory of 1144	1744	3ca6df4914385efd4ba9cd239b5ed254.exe	setup.exe
PID 1744 wrote to memory of 1144	1744	3ca6df4914385efd4ba9cd239b5ed254.exe	setup.exe
PID 1144 wrote to memory of 1672	1144	setup.exe	aliens.exe
PID 1144 wrote to memory of 1672	1144	setup.exe	aliens.exe
PID 1144 wrote to memory of 1672	1144	setup.exe	aliens.exe
PID 1144 wrote to memory of 1672	1144	setup.exe	aliens.exe
PID 1144 wrote to memory of 1672	1144	setup.exe	aliens.exe
PID 1144 wrote to memory of 1672	1144	setup.exe	aliens.exe
PID 1144 wrote to memory of 1672	1144	setup.exe	aliens.exe
PID 1672 wrote to memory of 1504	1672	aliens.exe	msiexec.exe
PID 1672 wrote to memory of 1504	1672	aliens.exe	msiexec.exe
PID 1672 wrote to memory of 1504	1672	aliens.exe	msiexec.exe
PID 1672 wrote to memory of 1504	1672	aliens.exe	msiexec.exe
PID 1672 wrote to memory of 1504	1672	aliens.exe	msiexec.exe
PID 1672 wrote to memory of 1504	1672	aliens.exe	msiexec.exe
PID 1672 wrote to memory of 1504	1672	aliens.exe	msiexec.exe
PID 340 wrote to memory of 1064	340	msiexec.exe	MsiExec.exe
PID 340 wrote to memory of 1064	340	msiexec.exe	MsiExec.exe
PID 340 wrote to memory of 1064	340	msiexec.exe	MsiExec.exe
PID 340 wrote to memory of 1064	340	msiexec.exe	MsiExec.exe
PID 340 wrote to memory of 1064	340	msiexec.exe	MsiExec.exe
PID 340 wrote to memory of 1064	340	msiexec.exe	MsiExec.exe
PID 340 wrote to memory of 1064	340	msiexec.exe	MsiExec.exe
PID 1672 wrote to memory of 1276	1672	aliens.exe	1E1C360C582DF797.exe
PID 1672 wrote to memory of 1276	1672	aliens.exe	1E1C360C582DF797.exe
PID 1672 wrote to memory of 1276	1672	aliens.exe	1E1C360C582DF797.exe
PID 1672 wrote to memory of 1276	1672	aliens.exe	1E1C360C582DF797.exe
PID 1672 wrote to memory of 1276	1672	aliens.exe	1E1C360C582DF797.exe
PID 1672 wrote to memory of 1276	1672	aliens.exe	1E1C360C582DF797.exe
PID 1672 wrote to memory of 1276	1672	aliens.exe	1E1C360C582DF797.exe
PID 1672 wrote to memory of 516	1672	aliens.exe	1E1C360C582DF797.exe
PID 1672 wrote to memory of 516	1672	aliens.exe	1E1C360C582DF797.exe
PID 1672 wrote to memory of 516	1672	aliens.exe	1E1C360C582DF797.exe
PID 1672 wrote to memory of 516	1672	aliens.exe	1E1C360C582DF797.exe
PID 1672 wrote to memory of 516	1672	aliens.exe	1E1C360C582DF797.exe
PID 1672 wrote to memory of 516	1672	aliens.exe	1E1C360C582DF797.exe
PID 1672 wrote to memory of 516	1672	aliens.exe	1E1C360C582DF797.exe
PID 1672 wrote to memory of 1760	1672	aliens.exe	cmd.exe
PID 1672 wrote to memory of 1760	1672	aliens.exe	cmd.exe
PID 1672 wrote to memory of 1760	1672	aliens.exe	cmd.exe
PID 1672 wrote to memory of 1760	1672	aliens.exe	cmd.exe
PID 1760 wrote to memory of 1860	1760	cmd.exe	PING.EXE
PID 1760 wrote to memory of 1860	1760	cmd.exe	PING.EXE
PID 1760 wrote to memory of 1860	1760	cmd.exe	PING.EXE
PID 1760 wrote to memory of 1860	1760	cmd.exe	PING.EXE
PID 516 wrote to memory of 1300	516	1E1C360C582DF797.exe	cmd.exe
PID 516 wrote to memory of 1300	516	1E1C360C582DF797.exe	cmd.exe
PID 516 wrote to memory of 1300	516	1E1C360C582DF797.exe	cmd.exe
PID 516 wrote to memory of 1300	516	1E1C360C582DF797.exe	cmd.exe
PID 1276 wrote to memory of 1876	1276	1E1C360C582DF797.exe	firefox.exe
PID 1276 wrote to memory of 1876	1276	1E1C360C582DF797.exe	firefox.exe
PID 1276 wrote to memory of 1876	1276	1E1C360C582DF797.exe	firefox.exe
PID 1276 wrote to memory of 1876	1276	1E1C360C582DF797.exe	firefox.exe
PID 1276 wrote to memory of 1876	1276	1E1C360C582DF797.exe	firefox.exe
PID 1276 wrote to memory of 1876	1276	1E1C360C582DF797.exe	firefox.exe
PID 1276 wrote to memory of 1876	1276	1E1C360C582DF797.exe	firefox.exe
PID 1276 wrote to memory of 1876	1276	1E1C360C582DF797.exe	firefox.exe
PID 1300 wrote to memory of 1448	1300	cmd.exe	taskkill.exe
PID 1300 wrote to memory of 1448	1300	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\3ca6df4914385efd4ba9cd239b5ed254.exe
"C:\Users\Admin\AppData\Local\Temp\3ca6df4914385efd4ba9cd239b5ed254.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Local\Temp\sib560.tmp\0\setup.exe
"C:\Users\Admin\AppData\Local\Temp\sib560.tmp\0\setup.exe" -s
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1144

C:\Program Files (x86)\71eza90awf48\aliens.exe
"C:\Program Files (x86)\71eza90awf48\aliens.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
4⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1504

C:\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe
C:\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe 0011 installp3
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1276

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
5⤵
PID:1876

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
5⤵
PID:1656

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
5⤵
PID:1244

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
5⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
5⤵
- Executes dropped EXE
PID:1996

C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:1696

C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe
C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe /silent
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1200

C:\Users\Admin\AppData\Local\Temp\is-9RILE.tmp\23E04C4F32EF2158.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9RILE.tmp\23E04C4F32EF2158.tmp" /SL5="$6016C,755315,121344,C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe" /silent
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1180

C:\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe
C:\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe 200 installp3
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
PID:1448

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe"
5⤵
PID:616

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:1264

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\71eza90awf48\aliens.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
5⤵
- Runs ping.exe
PID:1860

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding ADBB5EC15F4D8C273C31D7AA7691240F C
2⤵
- Loads dropped DLL
PID:1064

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\71eza90awf48\aliens.exe
MD5
96d0292b4f6329be6be4f422b7b3aba9

SHA1
065fef91ef2096f99a7c358a55691664cb80f210

SHA256
7bcfb2c772d17a1ce76139151dbe6803bbe3ad947f55532d51d849456bbf24b4

SHA512
bcc4a4bb30bcabcbad70840245f3223243e6312ecf324ec5d5f2af2f2a93447ae9d54ac04ae2a3c3717548f95c9c8634b42c97d4f66d84eee7ffd23045a3fbfc

Download Submit
C:\Program Files (x86)\71eza90awf48\aliens.exe
MD5
b15c6ac75be105aacd08501618e5f183

SHA1
90c6ca1fda402770f5ce757647697a25619d844e

SHA256
a9b3e3fb9a38cce00a10a5a696e3bbbc15f93e44604dffdd22fd6af5c172094d

SHA512
95c20b395f5bdc66f349d0d2747d41e03a34a5bc8a5f593bc915ba55aea7c47a8627b63596dcf91457145e22b289c3d7cc955962b1377d682af6cb4089a760d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe
MD5
b4594c6ddf250dcd12f1a210e1600fa1

SHA1
f553ee00440348f39d6d80da29c1598ddc57ebd1

SHA256
9ee729ba4292800685641d6f13f875a28839030e11da99f883da481533f78916

SHA512
683562b84ff437e8b8396690d31444e59994ec2902e708dfaffa017d1f139ad13325fb552fc2ec443b15f3815157f8c9f60d878a49d2fc7c3401e99aba1fbea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe
MD5
319950675179b2b7aed84f31c72e6132

SHA1
975660ad4c102576ba1ab17bbcbb2f878df7be6d

SHA256
e3bb3300d70ed58af114729a99d32e74c925f2878cb39ae2c5282a09c9658ad3

SHA512
1f1adc03e3ef8dc76fb7459bebe6213f81e2664ba67dc8956c53796b5de0afd80ea50a5851f77edf874802e4c34c7a01c53c8327b44e743bbbf883b92a6eb746

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe
MD5
0173786423fb89b5673f0a97351ddc8f

SHA1
795b0beafc9d3a1fb3cb2ebca530bbb95ce19a39

SHA256
559f9d208d5ae1f3c3687939987363642108f2252e35a8428bd4d519d07f6238

SHA512
09861a0a8fd2dfca14ce75b7c03555838c2c6560996d03a7791a1eb9aba5d331c62351b22b223482b1605bab82d3aee24d8ca31b16f734963ce2ae15e419c17b

Download Submit
C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe
MD5
b3168e0f538dd71b4304ddf687fbf249

SHA1
5b7e05c133bd3861198afc3d027dec1a5d06ef0a

SHA256
5a4c29fe6dc862807fc88804b5b1735e681c47c3491c07d9096b12c3c5d11f46

SHA512
c8fff0fd1408d441d0e89c1b26681e11450b81db7364124158b17ea0c246cddfaf3486daea24393acb8c69ab5e18e759a78e990121d9f5de98c600ea2906d00c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6ECA.tmp
MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ATL71.DLL
MD5
79cb6457c81ada9eb7f2087ce799aaa7

SHA1
322ddde439d9254182f5945be8d97e9d897561ae

SHA256
a68e1297fae2bcf854b47ffa444f490353028de1fa2ca713b6cf6cc5aa22b88a

SHA512
eca4b91109d105b2ce8c40710b8e3309c4cc944194843b7930e06daf3d1df6ae85c1b7063036c7e5cd10276e5e5535b33e49930adbad88166228316283d011b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\MSVCP71.dll
MD5
a94dc60a90efd7a35c36d971e3ee7470

SHA1
f936f612bc779e4ba067f77514b68c329180a380

SHA256
6c483cbe349863c7dcf6f8cb7334e7d28c299e7d5aa063297ea2f62352f6bdd9

SHA512
ff6c41d56337cac074582002d60cbc57263a31480c67ee8999bc02fc473b331eefed93ee938718d297877cf48471c7512741b4aebc0636afc78991cdf6eddfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\MSVCR71.dll
MD5
ca2f560921b7b8be1cf555a5a18d54c3

SHA1
432dbcf54b6f1142058b413a9d52668a2bde011d

SHA256
c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

SHA512
23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
MD5
e2e9483568dc53f68be0b80c34fe27fb

SHA1
8919397fcc5ce4f91fe0dc4e6f55cea5d39e4bb9

SHA256
205c40f2733ba3e30cc538adc6ac6ee46f4c84a245337a36108095b9280abb37

SHA512
b6810288e5f9ad49dcbf13bf339eb775c52e1634cfa243535ab46fda97f5a2aac112549d21e2c30a95306a57363819be8ad5efd4525e27b6c446c17c9c587e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dll
MD5
dba9a19752b52943a0850a7e19ac600a

SHA1
3485ac30cd7340eccb0457bca37cf4a6dfda583d

SHA256
69a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26

SHA512
a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\download_engine.dll
MD5
1a87ff238df9ea26e76b56f34e18402c

SHA1
2df48c31f3b3adb118f6472b5a2dc3081b302d7c

SHA256
abaeb5121548256577ddd8b0fc30c9ff3790649ad6a0704e4e30d62e70a72964

SHA512
b2e63aba8c081d3d38bd9633a1313f97b586b69ae0301d3b32b889690327a575b55097f19cc87c6e6ed345f1b4439d28f981fdb094e6a095018a10921dae80d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\zlib1.dll
MD5
89f6488524eaa3e5a66c5f34f3b92405

SHA1
330f9f6da03ae96dfa77dd92aae9a294ead9c7f7

SHA256
bd29d2b1f930e4b660adf71606d1b9634188b7160a704a8d140cadafb46e1e56

SHA512
cfe72872c89c055d59d4de07a3a14cd84a7e0a12f166e018748b9674045b694793b6a08863e791be4f9095a34471fd6abe76828dc8c653be8c66923a5802b31e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdiview.msi
MD5
7cc103f6fd70c6f3a2d2b9fca0438182

SHA1
699bd8924a27516b405ea9a686604b53b4e23372

SHA256
dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1

SHA512
92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9RILE.tmp\23E04C4F32EF2158.tmp
MD5
ef49867c7653e40fe902666dedb745af

SHA1
2fb3bcbd72c950d731fbd2cd5241002d475195b2

SHA256
b451d25b25b3ffaa210cd21ebe90a432e080e272f6392d2dfabb9cf891dc5038

SHA512
e2ff0bbe7c5cbb85bf80012760c6cdee8d2a57cfd1ca2772c2a46c5cb23e56ddb8e5f981f1a6e74d63d4a35c6701c350ea6fb4babd45e8eff56b9a1d61d5699c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sib560.tmp\0\setup.exe
MD5
69c9ba53239d6838d05594d96a36dea3

SHA1
3de1717040c9803ff67ef6c0cd218b45fd051ca8

SHA256
cfaade4b15040d0ec25112e808aaada0bbdc378b5e4439d8c7620fedb6359ca1

SHA512
fc86c62a014b11139476cf658b6ef97ab210d2a2e8b4128e58d9a186037764b328e819a345606272d5bdfdfe7729f402631214d9371be0b60ebb7f45fcc90141

Download Submit
C:\Users\Admin\AppData\Local\Temp\sib560.tmp\0\setup.exe
MD5
69c9ba53239d6838d05594d96a36dea3

SHA1
3de1717040c9803ff67ef6c0cd218b45fd051ca8

SHA256
cfaade4b15040d0ec25112e808aaada0bbdc378b5e4439d8c7620fedb6359ca1

SHA512
fc86c62a014b11139476cf658b6ef97ab210d2a2e8b4128e58d9a186037764b328e819a345606272d5bdfdfe7729f402631214d9371be0b60ebb7f45fcc90141

Download Submit
\Program Files (x86)\71eza90awf48\aliens.exe
MD5
98f48f397d15e9e4ecb33dfe91fbed48

SHA1
1de1099b96881214afeefbd974abf926c370229a

SHA256
403c475ae1aa5b5008bfc737c5067bb409b5bbd7c49c29f7f73c4c01232cf27f

SHA512
c083a551f37b2c09d13c2450d751b28b0d428ab3adc4b216e57222e7c6aaf70f82dddac09f4bc3659c7b645281e3b6010f0ce7fb7a68c104ea42da80254fe1b7

Download Submit
\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe
MD5
ecc676d5b271627ccaf6d06b377407df

SHA1
357320f74a3dba60562ad90f861facf83aaa0ccf

SHA256
25a168af798d85c8673b4dd309c26acaeb72c8cd8bcb9709ae885c69f96f6fcb

SHA512
9a313c0ac3e2db5ae0e1db1459156c11f9c4d4f69349256d8a73499d79971ebf9aa08a8d26a6ee699107128a1bb4678b6f80ac5d9d5d154d56c9713a064cdfff

Download Submit
\Users\Admin\AppData\Local\Temp\1E1C360C582DF797.exe
MD5
bb6aa695dc31f6bf9a66df89f68d5bec

SHA1
edfacfc19178fb3bdba48181393597bb3c27a14e

SHA256
5666b4465d1908c6186eca36f0c096138fb2e44ae4de154c3bcc34d3c2d5c99c

SHA512
874f91579e08d68b2f97dd3939f11b89a7cd1c5ff8b093549677ee05c497641564194f9295329fa2396bcecdc1090afc084dfdd5af36587cc7f0c58a865fc190

Download Submit
\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe
MD5
b3168e0f538dd71b4304ddf687fbf249

SHA1
5b7e05c133bd3861198afc3d027dec1a5d06ef0a

SHA256
5a4c29fe6dc862807fc88804b5b1735e681c47c3491c07d9096b12c3c5d11f46

SHA512
c8fff0fd1408d441d0e89c1b26681e11450b81db7364124158b17ea0c246cddfaf3486daea24393acb8c69ab5e18e759a78e990121d9f5de98c600ea2906d00c

Download Submit
\Users\Admin\AppData\Local\Temp\MSI6ECA.tmp
MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
MD5
e2e9483568dc53f68be0b80c34fe27fb

SHA1
8919397fcc5ce4f91fe0dc4e6f55cea5d39e4bb9

SHA256
205c40f2733ba3e30cc538adc6ac6ee46f4c84a245337a36108095b9280abb37

SHA512
b6810288e5f9ad49dcbf13bf339eb775c52e1634cfa243535ab46fda97f5a2aac112549d21e2c30a95306a57363819be8ad5efd4525e27b6c446c17c9c587e4e

Download Submit
\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
MD5
e2e9483568dc53f68be0b80c34fe27fb

SHA1
8919397fcc5ce4f91fe0dc4e6f55cea5d39e4bb9

SHA256
205c40f2733ba3e30cc538adc6ac6ee46f4c84a245337a36108095b9280abb37

SHA512
b6810288e5f9ad49dcbf13bf339eb775c52e1634cfa243535ab46fda97f5a2aac112549d21e2c30a95306a57363819be8ad5efd4525e27b6c446c17c9c587e4e

Download Submit
\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
MD5
e2e9483568dc53f68be0b80c34fe27fb

SHA1
8919397fcc5ce4f91fe0dc4e6f55cea5d39e4bb9

SHA256
205c40f2733ba3e30cc538adc6ac6ee46f4c84a245337a36108095b9280abb37

SHA512
b6810288e5f9ad49dcbf13bf339eb775c52e1634cfa243535ab46fda97f5a2aac112549d21e2c30a95306a57363819be8ad5efd4525e27b6c446c17c9c587e4e

Download Submit
\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
MD5
e2e9483568dc53f68be0b80c34fe27fb

SHA1
8919397fcc5ce4f91fe0dc4e6f55cea5d39e4bb9

SHA256
205c40f2733ba3e30cc538adc6ac6ee46f4c84a245337a36108095b9280abb37

SHA512
b6810288e5f9ad49dcbf13bf339eb775c52e1634cfa243535ab46fda97f5a2aac112549d21e2c30a95306a57363819be8ad5efd4525e27b6c446c17c9c587e4e

Download Submit
\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
\Users\Admin\AppData\Local\Temp\download\atl71.dll
MD5
79cb6457c81ada9eb7f2087ce799aaa7

SHA1
322ddde439d9254182f5945be8d97e9d897561ae

SHA256
a68e1297fae2bcf854b47ffa444f490353028de1fa2ca713b6cf6cc5aa22b88a

SHA512
eca4b91109d105b2ce8c40710b8e3309c4cc944194843b7930e06daf3d1df6ae85c1b7063036c7e5cd10276e5e5535b33e49930adbad88166228316283d011b8

Download Submit
\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dll
MD5
dba9a19752b52943a0850a7e19ac600a

SHA1
3485ac30cd7340eccb0457bca37cf4a6dfda583d

SHA256
69a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26

SHA512
a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3

Download Submit
\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dll
MD5
dba9a19752b52943a0850a7e19ac600a

SHA1
3485ac30cd7340eccb0457bca37cf4a6dfda583d

SHA256
69a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26

SHA512
a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3

Download Submit
\Users\Admin\AppData\Local\Temp\download\download_engine.dll
MD5
1a87ff238df9ea26e76b56f34e18402c

SHA1
2df48c31f3b3adb118f6472b5a2dc3081b302d7c

SHA256
abaeb5121548256577ddd8b0fc30c9ff3790649ad6a0704e4e30d62e70a72964

SHA512
b2e63aba8c081d3d38bd9633a1313f97b586b69ae0301d3b32b889690327a575b55097f19cc87c6e6ed345f1b4439d28f981fdb094e6a095018a10921dae80d9

Download Submit
\Users\Admin\AppData\Local\Temp\download\msvcp71.dll
MD5
a94dc60a90efd7a35c36d971e3ee7470

SHA1
f936f612bc779e4ba067f77514b68c329180a380

SHA256
6c483cbe349863c7dcf6f8cb7334e7d28c299e7d5aa063297ea2f62352f6bdd9

SHA512
ff6c41d56337cac074582002d60cbc57263a31480c67ee8999bc02fc473b331eefed93ee938718d297877cf48471c7512741b4aebc0636afc78991cdf6eddfab

Download Submit
\Users\Admin\AppData\Local\Temp\download\msvcr71.dll
MD5
ca2f560921b7b8be1cf555a5a18d54c3

SHA1
432dbcf54b6f1142058b413a9d52668a2bde011d

SHA256
c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

SHA512
23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

Download Submit
\Users\Admin\AppData\Local\Temp\download\zlib1.dll
MD5
89f6488524eaa3e5a66c5f34f3b92405

SHA1
330f9f6da03ae96dfa77dd92aae9a294ead9c7f7

SHA256
bd29d2b1f930e4b660adf71606d1b9634188b7160a704a8d140cadafb46e1e56

SHA512
cfe72872c89c055d59d4de07a3a14cd84a7e0a12f166e018748b9674045b694793b6a08863e791be4f9095a34471fd6abe76828dc8c653be8c66923a5802b31e

Download Submit
\Users\Admin\AppData\Local\Temp\is-9RILE.tmp\23E04C4F32EF2158.tmp
MD5
ef49867c7653e40fe902666dedb745af

SHA1
2fb3bcbd72c950d731fbd2cd5241002d475195b2

SHA256
b451d25b25b3ffaa210cd21ebe90a432e080e272f6392d2dfabb9cf891dc5038

SHA512
e2ff0bbe7c5cbb85bf80012760c6cdee8d2a57cfd1ca2772c2a46c5cb23e56ddb8e5f981f1a6e74d63d4a35c6701c350ea6fb4babd45e8eff56b9a1d61d5699c

Download Submit
\Users\Admin\AppData\Local\Temp\nsx436.tmp\Sibuia.dll
MD5
eb948284236e2d61eae0741280265983

SHA1
d5180db7f54de24c27489b221095871a52dc9156

SHA256
dbe5a7daf5bcff97f7c48f9b5476db3072cc85fbffd660adaff2e0455132d026

SHA512
6d8087022ee62acd823cfa871b8b3e3251e44f316769dc04e2ad169e9df6a836dba95c3b268716f2397d6c6a3624a9e50dbe0bc847f3c4f3ef8e09bff30f2d75

Download Submit
\Users\Admin\AppData\Local\Temp\sib560.tmp\0\setup.exe
MD5
69c9ba53239d6838d05594d96a36dea3

SHA1
3de1717040c9803ff67ef6c0cd218b45fd051ca8

SHA256
cfaade4b15040d0ec25112e808aaada0bbdc378b5e4439d8c7620fedb6359ca1

SHA512
fc86c62a014b11139476cf658b6ef97ab210d2a2e8b4128e58d9a186037764b328e819a345606272d5bdfdfe7729f402631214d9371be0b60ebb7f45fcc90141

Download Submit
\Users\Admin\AppData\Local\Temp\sib560.tmp\SibClr.dll
MD5
928e680dea22c19febe9fc8e05d96472

SHA1
0a4a749ddfd220e2b646b878881575ff9352cf73

SHA256
8b6b56f670d59ff93a1c7e601468127fc21f02dde567b5c21a5d53594cdaef94

SHA512
5fbc72c3fa98dc2b5ad2ed556d2c6dc9279d4be3eb90ffd7fa2ada39cb976eba7cb34033e5786d1cb6137c64c869027002be2f2cad408acefd5c22006a1fef34

Download Submit
\Users\Admin\AppData\Local\Temp\sib560.tmp\SibClr.dll
MD5
928e680dea22c19febe9fc8e05d96472

SHA1
0a4a749ddfd220e2b646b878881575ff9352cf73

SHA256
8b6b56f670d59ff93a1c7e601468127fc21f02dde567b5c21a5d53594cdaef94

SHA512
5fbc72c3fa98dc2b5ad2ed556d2c6dc9279d4be3eb90ffd7fa2ada39cb976eba7cb34033e5786d1cb6137c64c869027002be2f2cad408acefd5c22006a1fef34

Download Submit
\Users\Admin\AppData\Local\Temp\xldl.dll
MD5
208662418974bca6faab5c0ca6f7debf

SHA1
db216fc36ab02e0b08bf343539793c96ba393cf1

SHA256
a7427f58e40c131e77e8a4f226db9c772739392f3347e0fce194c44ad8da26d5

SHA512
8a185340b057c89b1f2062a4f687a2b10926c062845075d81e3b1e558d8a3f14b32b9965f438a1c63fcdb7ba146747233bcb634f4dd4605013f74c2c01428c03

Download Submit
memory/516-32-0x0000000010000000-0x000000001033D000-memory.dmp

Filesize
3.2MB

Download
memory/516-35-0x0000000003380000-0x0000000003831000-memory.dmp

Filesize
4.7MB

Download
memory/516-28-0x0000000000000000-mapping.dmp

Download
memory/616-42-0x0000000000000000-mapping.dmp

Download
memory/1064-21-0x0000000000000000-mapping.dmp

Download
memory/1144-10-0x0000000000000000-mapping.dmp

Download
memory/1180-77-0x0000000000000000-mapping.dmp

Download
memory/1200-74-0x0000000000000000-mapping.dmp

Download
memory/1244-46-0x000000013F8F8270-mapping.dmp

Download
memory/1264-43-0x0000000000000000-mapping.dmp

Download
memory/1276-25-0x0000000000000000-mapping.dmp

Download
memory/1276-36-0x0000000003200000-0x00000000036B1000-memory.dmp

Filesize
4.7MB

Download
memory/1300-37-0x0000000000000000-mapping.dmp

Download
memory/1324-41-0x000007FEF7730000-0x000007FEF79AA000-memory.dmp

Filesize
2.5MB

Download
memory/1448-40-0x0000000000000000-mapping.dmp

Download
memory/1504-18-0x0000000000000000-mapping.dmp

Download
memory/1504-20-0x00000000031C0000-0x00000000031C4000-memory.dmp

Filesize
16KB

Download
memory/1528-48-0x000000013F968270-mapping.dmp

Download
memory/1656-44-0x000000013F978270-mapping.dmp

Download
memory/1672-14-0x0000000000000000-mapping.dmp

Download
memory/1672-17-0x0000000010000000-0x000000001033D000-memory.dmp

Filesize
3.2MB

Download
memory/1696-58-0x0000000000000000-mapping.dmp

Download
memory/1696-79-0x000000000C8F0000-0x000000000C8F1000-memory.dmp

Filesize
4KB

Download
memory/1744-8-0x000000000E510000-0x000000000E511000-memory.dmp

Filesize
4KB

Download
memory/1744-6-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/1744-3-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/1760-30-0x0000000000000000-mapping.dmp

Download
memory/1860-33-0x0000000000000000-mapping.dmp

Download
memory/1876-38-0x000000013F7C8270-mapping.dmp

Download
memory/1876-39-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/1996-51-0x0000000000000000-mapping.dmp

Download