aebd263f2c619f822024952554aace5a85b2db620e567d5c6065db62683e3c22

Analysis

max time kernel
150s
max time network
141s
platform
windows10_x64
resource
win10v20210408
submitted
16-07-2021 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43069e5aa6eb22a19b4384a4c365f66a795358897b7c6d150cdefb809bb2ba7f.exe
Size

6.4MB
MD5

f8955d98605d27a397492f0cedbb55f3
SHA1

058c7a9ace05fbd7d8105033c675bdfa90a9c379
SHA256

43069e5aa6eb22a19b4384a4c365f66a795358897b7c6d150cdefb809bb2ba7f
SHA512

5664b483d65aabad7b09547a90ed2de8758038d1e048e729e6025604bf795995e521aca4474a4a18d6d6c5d94a34e46f4f3bfc809c18f1ed747592f86b2149d3

Score

9^/10

bootkit evasion macro persistence spyware stealer trojan xlm

Malware Config

Signatures

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\1626470524511.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1626470524511.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1626470527152.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1626470527152.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1626470533761.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1626470533761.exe	Nirsoft

Executes dropped EXE 10 IoCs

Processes:

002.exeSetup.exesetup.exealiens.exejg2_2qua.exeE128AF959BD8F940.exeE128AF959BD8F940.exe1626470524511.exe1626470527152.exe1626470533761.exe

pid	process
3592	002.exe
2212	Setup.exe
804	setup.exe
1212	aliens.exe
1480	jg2_2qua.exe
2504	E128AF959BD8F940.exe
2604	E128AF959BD8F940.exe
4596	1626470524511.exe
1336	1626470527152.exe
632	1626470533761.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gdiview.msi	office_xlm_macros

Loads dropped DLL 4 IoCs

Processes:

Setup.exeMsiExec.exe

pid process

2212 Setup.exe
2212 Setup.exe
2212 Setup.exe
4052 MsiExec.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2212	Setup.exe
2212	Setup.exe
2212	Setup.exe
4052	MsiExec.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

aliens.exeE128AF959BD8F940.exeE128AF959BD8F940.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aliens.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	E128AF959BD8F940.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	E128AF959BD8F940.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

aliens.exeE128AF959BD8F940.exeE128AF959BD8F940.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	aliens.exe
File opened for modification	\??\PhysicalDrive0	E128AF959BD8F940.exe
File opened for modification	\??\PhysicalDrive0	E128AF959BD8F940.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

aliens.exe

pid process

1212 aliens.exe

pid	process
1212	aliens.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

E128AF959BD8F940.exe

description	pid	process	target process
PID 2504 set thread context of 4332	2504	E128AF959BD8F940.exe	firefox.exe
PID 2504 set thread context of 4548	2504	E128AF959BD8F940.exe	firefox.exe
PID 2504 set thread context of 2668	2504	E128AF959BD8F940.exe	firefox.exe

Drops file in Program Files directory 4 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\z2mk9vdia0gw	setup.exe
File created	C:\Program Files (x86)\z2mk9vdia0gw\__tmp_rar_sfx_access_check_259325828	setup.exe
File created	C:\Program Files (x86)\z2mk9vdia0gw\aliens.exe	setup.exe
File opened for modification	C:\Program Files (x86)\z2mk9vdia0gw\aliens.exe	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

E128AF959BD8F940.exeE128AF959BD8F940.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	E128AF959BD8F940.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	E128AF959BD8F940.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	E128AF959BD8F940.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	E128AF959BD8F940.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	E128AF959BD8F940.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	E128AF959BD8F940.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	E128AF959BD8F940.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	E128AF959BD8F940.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	E128AF959BD8F940.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	E128AF959BD8F940.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	E128AF959BD8F940.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	E128AF959BD8F940.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4508 taskkill.exe

pid	process
4508	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

aliens.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	aliens.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	aliens.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

4032 PING.EXE
212 PING.EXE
4080 PING.EXE

pid	process
4032	PING.EXE
212	PING.EXE
4080	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1626470524511.exe1626470527152.exe1626470533761.exeE128AF959BD8F940.exe

pid	process
4596	1626470524511.exe
4596	1626470524511.exe
1336	1626470527152.exe
1336	1626470527152.exe
632	1626470533761.exe
632	1626470533761.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe
2504	E128AF959BD8F940.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1764	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1764	msiexec.exe
Token: SeSecurityPrivilege	2360	msiexec.exe
Token: SeCreateTokenPrivilege	1764	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1764	msiexec.exe
Token: SeLockMemoryPrivilege	1764	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1764	msiexec.exe
Token: SeMachineAccountPrivilege	1764	msiexec.exe
Token: SeTcbPrivilege	1764	msiexec.exe
Token: SeSecurityPrivilege	1764	msiexec.exe
Token: SeTakeOwnershipPrivilege	1764	msiexec.exe
Token: SeLoadDriverPrivilege	1764	msiexec.exe
Token: SeSystemProfilePrivilege	1764	msiexec.exe
Token: SeSystemtimePrivilege	1764	msiexec.exe
Token: SeProfSingleProcessPrivilege	1764	msiexec.exe
Token: SeIncBasePriorityPrivilege	1764	msiexec.exe
Token: SeCreatePagefilePrivilege	1764	msiexec.exe
Token: SeCreatePermanentPrivilege	1764	msiexec.exe
Token: SeBackupPrivilege	1764	msiexec.exe
Token: SeRestorePrivilege	1764	msiexec.exe
Token: SeShutdownPrivilege	1764	msiexec.exe
Token: SeDebugPrivilege	1764	msiexec.exe
Token: SeAuditPrivilege	1764	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1764	msiexec.exe
Token: SeChangeNotifyPrivilege	1764	msiexec.exe
Token: SeRemoteShutdownPrivilege	1764	msiexec.exe
Token: SeUndockPrivilege	1764	msiexec.exe
Token: SeSyncAgentPrivilege	1764	msiexec.exe
Token: SeEnableDelegationPrivilege	1764	msiexec.exe
Token: SeManageVolumePrivilege	1764	msiexec.exe
Token: SeImpersonatePrivilege	1764	msiexec.exe
Token: SeCreateGlobalPrivilege	1764	msiexec.exe
Token: SeCreateTokenPrivilege	1764	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1764	msiexec.exe
Token: SeLockMemoryPrivilege	1764	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1764	msiexec.exe
Token: SeMachineAccountPrivilege	1764	msiexec.exe
Token: SeTcbPrivilege	1764	msiexec.exe
Token: SeSecurityPrivilege	1764	msiexec.exe
Token: SeTakeOwnershipPrivilege	1764	msiexec.exe
Token: SeLoadDriverPrivilege	1764	msiexec.exe
Token: SeSystemProfilePrivilege	1764	msiexec.exe
Token: SeSystemtimePrivilege	1764	msiexec.exe
Token: SeProfSingleProcessPrivilege	1764	msiexec.exe
Token: SeIncBasePriorityPrivilege	1764	msiexec.exe
Token: SeCreatePagefilePrivilege	1764	msiexec.exe
Token: SeCreatePermanentPrivilege	1764	msiexec.exe
Token: SeBackupPrivilege	1764	msiexec.exe
Token: SeRestorePrivilege	1764	msiexec.exe
Token: SeShutdownPrivilege	1764	msiexec.exe
Token: SeDebugPrivilege	1764	msiexec.exe
Token: SeAuditPrivilege	1764	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1764	msiexec.exe
Token: SeChangeNotifyPrivilege	1764	msiexec.exe
Token: SeRemoteShutdownPrivilege	1764	msiexec.exe
Token: SeUndockPrivilege	1764	msiexec.exe
Token: SeSyncAgentPrivilege	1764	msiexec.exe
Token: SeEnableDelegationPrivilege	1764	msiexec.exe
Token: SeManageVolumePrivilege	1764	msiexec.exe
Token: SeImpersonatePrivilege	1764	msiexec.exe
Token: SeCreateGlobalPrivilege	1764	msiexec.exe
Token: SeCreateTokenPrivilege	1764	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1764	msiexec.exe
Token: SeLockMemoryPrivilege	1764	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

1764 msiexec.exe

pid	process
1764	msiexec.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

002.exeSetup.exesetup.exealiens.exeE128AF959BD8F940.exeE128AF959BD8F940.exefirefox.exe1626470524511.exefirefox.exe1626470527152.exefirefox.exe1626470533761.exe

pid	process
3592	002.exe
3592	002.exe
2212	Setup.exe
804	setup.exe
1212	aliens.exe
2504	E128AF959BD8F940.exe
2604	E128AF959BD8F940.exe
4332	firefox.exe
4596	1626470524511.exe
4548	firefox.exe
1336	1626470527152.exe
2668	firefox.exe
632	1626470533761.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

43069e5aa6eb22a19b4384a4c365f66a795358897b7c6d150cdefb809bb2ba7f.exeSetup.exesetup.exealiens.exemsiexec.execmd.exeE128AF959BD8F940.exeE128AF959BD8F940.execmd.execmd.exe

description	pid	process	target process
PID 4648 wrote to memory of 3592	4648	43069e5aa6eb22a19b4384a4c365f66a795358897b7c6d150cdefb809bb2ba7f.exe	002.exe
PID 4648 wrote to memory of 3592	4648	43069e5aa6eb22a19b4384a4c365f66a795358897b7c6d150cdefb809bb2ba7f.exe	002.exe
PID 4648 wrote to memory of 3592	4648	43069e5aa6eb22a19b4384a4c365f66a795358897b7c6d150cdefb809bb2ba7f.exe	002.exe
PID 4648 wrote to memory of 2212	4648	43069e5aa6eb22a19b4384a4c365f66a795358897b7c6d150cdefb809bb2ba7f.exe	Setup.exe
PID 4648 wrote to memory of 2212	4648	43069e5aa6eb22a19b4384a4c365f66a795358897b7c6d150cdefb809bb2ba7f.exe	Setup.exe
PID 4648 wrote to memory of 2212	4648	43069e5aa6eb22a19b4384a4c365f66a795358897b7c6d150cdefb809bb2ba7f.exe	Setup.exe
PID 2212 wrote to memory of 804	2212	Setup.exe	setup.exe
PID 2212 wrote to memory of 804	2212	Setup.exe	setup.exe
PID 2212 wrote to memory of 804	2212	Setup.exe	setup.exe
PID 804 wrote to memory of 1212	804	setup.exe	aliens.exe
PID 804 wrote to memory of 1212	804	setup.exe	aliens.exe
PID 804 wrote to memory of 1212	804	setup.exe	aliens.exe
PID 4648 wrote to memory of 1480	4648	43069e5aa6eb22a19b4384a4c365f66a795358897b7c6d150cdefb809bb2ba7f.exe	jg2_2qua.exe
PID 4648 wrote to memory of 1480	4648	43069e5aa6eb22a19b4384a4c365f66a795358897b7c6d150cdefb809bb2ba7f.exe	jg2_2qua.exe
PID 4648 wrote to memory of 1480	4648	43069e5aa6eb22a19b4384a4c365f66a795358897b7c6d150cdefb809bb2ba7f.exe	jg2_2qua.exe
PID 1212 wrote to memory of 1764	1212	aliens.exe	msiexec.exe
PID 1212 wrote to memory of 1764	1212	aliens.exe	msiexec.exe
PID 1212 wrote to memory of 1764	1212	aliens.exe	msiexec.exe
PID 1212 wrote to memory of 2504	1212	aliens.exe	E128AF959BD8F940.exe
PID 1212 wrote to memory of 2504	1212	aliens.exe	E128AF959BD8F940.exe
PID 1212 wrote to memory of 2504	1212	aliens.exe	E128AF959BD8F940.exe
PID 1212 wrote to memory of 2604	1212	aliens.exe	E128AF959BD8F940.exe
PID 1212 wrote to memory of 2604	1212	aliens.exe	E128AF959BD8F940.exe
PID 1212 wrote to memory of 2604	1212	aliens.exe	E128AF959BD8F940.exe
PID 1212 wrote to memory of 3060	1212	aliens.exe	cmd.exe
PID 1212 wrote to memory of 3060	1212	aliens.exe	cmd.exe
PID 1212 wrote to memory of 3060	1212	aliens.exe	cmd.exe
PID 2360 wrote to memory of 4052	2360	msiexec.exe	MsiExec.exe
PID 2360 wrote to memory of 4052	2360	msiexec.exe	MsiExec.exe
PID 2360 wrote to memory of 4052	2360	msiexec.exe	MsiExec.exe
PID 3060 wrote to memory of 4032	3060	cmd.exe	PING.EXE
PID 3060 wrote to memory of 4032	3060	cmd.exe	PING.EXE
PID 3060 wrote to memory of 4032	3060	cmd.exe	PING.EXE
PID 2504 wrote to memory of 4332	2504	E128AF959BD8F940.exe	firefox.exe
PID 2504 wrote to memory of 4332	2504	E128AF959BD8F940.exe	firefox.exe
PID 2504 wrote to memory of 4332	2504	E128AF959BD8F940.exe	firefox.exe
PID 2504 wrote to memory of 4332	2504	E128AF959BD8F940.exe	firefox.exe
PID 2504 wrote to memory of 4332	2504	E128AF959BD8F940.exe	firefox.exe
PID 2504 wrote to memory of 4332	2504	E128AF959BD8F940.exe	firefox.exe
PID 2604 wrote to memory of 4392	2604	E128AF959BD8F940.exe	cmd.exe
PID 2604 wrote to memory of 4392	2604	E128AF959BD8F940.exe	cmd.exe
PID 2604 wrote to memory of 4392	2604	E128AF959BD8F940.exe	cmd.exe
PID 4392 wrote to memory of 4508	4392	cmd.exe	taskkill.exe
PID 4392 wrote to memory of 4508	4392	cmd.exe	taskkill.exe
PID 4392 wrote to memory of 4508	4392	cmd.exe	taskkill.exe
PID 2604 wrote to memory of 4616	2604	E128AF959BD8F940.exe	cmd.exe
PID 2604 wrote to memory of 4616	2604	E128AF959BD8F940.exe	cmd.exe
PID 2604 wrote to memory of 4616	2604	E128AF959BD8F940.exe	cmd.exe
PID 2504 wrote to memory of 4596	2504	E128AF959BD8F940.exe	1626470524511.exe
PID 2504 wrote to memory of 4596	2504	E128AF959BD8F940.exe	1626470524511.exe
PID 2504 wrote to memory of 4596	2504	E128AF959BD8F940.exe	1626470524511.exe
PID 4616 wrote to memory of 212	4616	cmd.exe	PING.EXE
PID 4616 wrote to memory of 212	4616	cmd.exe	PING.EXE
PID 4616 wrote to memory of 212	4616	cmd.exe	PING.EXE
PID 2504 wrote to memory of 4548	2504	E128AF959BD8F940.exe	firefox.exe
PID 2504 wrote to memory of 4548	2504	E128AF959BD8F940.exe	firefox.exe
PID 2504 wrote to memory of 4548	2504	E128AF959BD8F940.exe	firefox.exe
PID 2504 wrote to memory of 4548	2504	E128AF959BD8F940.exe	firefox.exe
PID 2504 wrote to memory of 4548	2504	E128AF959BD8F940.exe	firefox.exe
PID 2504 wrote to memory of 4548	2504	E128AF959BD8F940.exe	firefox.exe
PID 2504 wrote to memory of 1336	2504	E128AF959BD8F940.exe	1626470527152.exe
PID 2504 wrote to memory of 1336	2504	E128AF959BD8F940.exe	1626470527152.exe
PID 2504 wrote to memory of 1336	2504	E128AF959BD8F940.exe	1626470527152.exe
PID 2504 wrote to memory of 2668	2504	E128AF959BD8F940.exe	firefox.exe

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:712

C:\Users\Admin\AppData\Local\Temp\43069e5aa6eb22a19b4384a4c365f66a795358897b7c6d150cdefb809bb2ba7f.exe
"C:\Users\Admin\AppData\Local\Temp\43069e5aa6eb22a19b4384a4c365f66a795358897b7c6d150cdefb809bb2ba7f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4648

C:\Users\Admin\AppData\Local\Temp\RarSFX0\002.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\002.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3592

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2212

C:\Users\Admin\AppData\Local\Temp\sibF729.tmp\0\setup.exe
"C:\Users\Admin\AppData\Local\Temp\sibF729.tmp\0\setup.exe" -s
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:804

C:\Program Files (x86)\z2mk9vdia0gw\aliens.exe
"C:\Program Files (x86)\z2mk9vdia0gw\aliens.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1764

C:\Users\Admin\AppData\Local\Temp\E128AF959BD8F940.exe
C:\Users\Admin\AppData\Local\Temp\E128AF959BD8F940.exe 0011 installp1
5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2504

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4332

C:\Users\Admin\AppData\Roaming\1626470524511.exe
"C:\Users\Admin\AppData\Roaming\1626470524511.exe" /sjson "C:\Users\Admin\AppData\Roaming\1626470524511.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4596

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4548

C:\Users\Admin\AppData\Roaming\1626470527152.exe
"C:\Users\Admin\AppData\Roaming\1626470527152.exe" /sjson "C:\Users\Admin\AppData\Roaming\1626470527152.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1336

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:2668

C:\Users\Admin\AppData\Roaming\1626470533761.exe
"C:\Users\Admin\AppData\Roaming\1626470533761.exe" /sjson "C:\Users\Admin\AppData\Roaming\1626470533761.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:632

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\E128AF959BD8F940.exe"
6⤵
PID:576

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
7⤵
- Runs ping.exe
PID:4080

C:\Users\Admin\AppData\Local\Temp\E128AF959BD8F940.exe
C:\Users\Admin\AppData\Local\Temp\E128AF959BD8F940.exe 200 installp1
5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
- Suspicious use of WriteProcessMemory
PID:4392

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:4508

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\E128AF959BD8F940.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:4616

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
7⤵
- Runs ping.exe
PID:212

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\z2mk9vdia0gw\aliens.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:4032

C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg2_2qua.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg2_2qua.exe"
2⤵
- Executes dropped EXE
PID:1480

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 46A0F7F67FFE623FB085D4C95C9BE5EB C
2⤵
- Loads dropped DLL
PID:4052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\z2mk9vdia0gw\aliens.exe
MD5
ebe87f03856dfeb324b106af7ca25570

SHA1
a696885f5da510072672db0e5c889c4d17de4af5

SHA256
138721b78f8e8e9fb00532ef4a4bfd139aa7d541bc9e847a228c07321c48458e

SHA512
80eaa2e944f0e892e80e8f40162fd489de9a585334d557fcf90c5758c41022540930f01621bf9ffdcf67158a0f0fa80485b2f9d4a5612dee183276520d062f80

Download Submit
C:\Program Files (x86)\z2mk9vdia0gw\aliens.exe
MD5
7f359cbe94d1412df7e22de97481827c

SHA1
d9346ad191a311c71545304400f52154702cb361

SHA256
a740c33a70dbe30273953a130133ea4aefe568dfacce99f212a02c0118cc5817

SHA512
a6ff7ac07f3a8b9ccab5229942c7b51f5c538a90a1267f8f1ded0b7b816451bcc6fcf7f7989344d303687f1c564b97c187d3e273675b1d2c8300609f257ac415

Download Submit
C:\Users\Admin\AppData\Local\Temp\E128AF959BD8F940.exe
MD5
71ef20599c5f88d268c4f86f978dcfb7

SHA1
26c5b87fb300a6e347d4ab0feb70ff2b5a6a22c9

SHA256
7f8264670f829b09572a656c7a6a58a922c57ff3d10beb11b23d9496b4b86dab

SHA512
10090257851ef072b039b2576ae944eb0872226f0d8ae1c3044e480074eadedc84a3c2a2273e228e98be1b49b3cbc817b8cb214be06d341ca9269abd050b8917

Download Submit
C:\Users\Admin\AppData\Local\Temp\E128AF959BD8F940.exe
MD5
4700891eb5273f4ac517d8c095307d2c

SHA1
f62e42d675e707facd7ce4735d294ed32b5ec388

SHA256
7762009fa7cfe064aae079544923490b725f03d72eafc54e769008c287926f55

SHA512
da51fe4e47e940ab1e3cce587cb8934712b957d1efeeaf2afbb90a4f63428f6e781884bf1a1a8b2f00dfda909315e98ae00b5962f641b6920b77dc9d6eb6f58f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E128AF959BD8F940.exe
MD5
3d045483d7bc5a91f5eb2278f2568c70

SHA1
cbaba426f9dfd6e66f9fbb4c31477a34adcddf7e

SHA256
fbb75971f9937307905095ceea3c4553336c90b51648f4a53dd63a1841130abe

SHA512
2982ef3bf9527e9f510a7aef01cfeb55c038d321fcc60d081b03a40f866e1950fd90229ca19329e44bc5378f25b1bbe0950a1357d22e862ab31f918569676f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI33E2.tmp
MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\002.exe
MD5
ddd8a43c5cd1d648af5bfbd67c718261

SHA1
37c915768cb12f54b60eac36cd4c008d7b3340b6

SHA256
159d88ddd564a79129ae91354087369b36d27cad9bde5cc66ac50becae5e7786

SHA512
08268136b5d1245ae4e828205ae4d6efec6845b4ed1507f44520a94f5746837781baddee3910f4b0b0c102b49e4ceceefd8cace686ca8dfed6605af4cf967efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\002.exe
MD5
ddd8a43c5cd1d648af5bfbd67c718261

SHA1
37c915768cb12f54b60eac36cd4c008d7b3340b6

SHA256
159d88ddd564a79129ae91354087369b36d27cad9bde5cc66ac50becae5e7786

SHA512
08268136b5d1245ae4e828205ae4d6efec6845b4ed1507f44520a94f5746837781baddee3910f4b0b0c102b49e4ceceefd8cace686ca8dfed6605af4cf967efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
MD5
bd5ddd337fd7221911525c12d802f557

SHA1
b69a8b6d37ba121461dd3500f9e32a42c5bce64e

SHA256
ec860d33de13219384d6be4a47f62c42247484671cda2740ce6f0da9e3201c17

SHA512
dd51a1d90ceed56a427d198f47ba3ec6ea4146226623ea8c7feb65ae95a66dcebdc8f3ba33760af2e5a93b1417906ccf95ac52da7fa6f52e12d473407c2429ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
MD5
bd5ddd337fd7221911525c12d802f557

SHA1
b69a8b6d37ba121461dd3500f9e32a42c5bce64e

SHA256
ec860d33de13219384d6be4a47f62c42247484671cda2740ce6f0da9e3201c17

SHA512
dd51a1d90ceed56a427d198f47ba3ec6ea4146226623ea8c7feb65ae95a66dcebdc8f3ba33760af2e5a93b1417906ccf95ac52da7fa6f52e12d473407c2429ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg2_2qua.exe
MD5
19e76c8d8e32f57737165993b4ef11eb

SHA1
91cc156da1a552d50733b719ca085d0c707e09c9

SHA256
7a29f94121eb09732cde47609a503f746deea9dbfd58333fef6309e1800b12ae

SHA512
4945e9fefd2cc59a5ef5066b9249ee2ad8c314480d72a8b4043b72952973b6591d13de93574be68e3a2b29dd6190de55260ce2835d527b3edc59991f6ab561cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg2_2qua.exe
MD5
19e76c8d8e32f57737165993b4ef11eb

SHA1
91cc156da1a552d50733b719ca085d0c707e09c9

SHA256
7a29f94121eb09732cde47609a503f746deea9dbfd58333fef6309e1800b12ae

SHA512
4945e9fefd2cc59a5ef5066b9249ee2ad8c314480d72a8b4043b72952973b6591d13de93574be68e3a2b29dd6190de55260ce2835d527b3edc59991f6ab561cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdiview.msi
MD5
7cc103f6fd70c6f3a2d2b9fca0438182

SHA1
699bd8924a27516b405ea9a686604b53b4e23372

SHA256
dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1

SHA512
92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128

Download Submit
C:\Users\Admin\AppData\Local\Temp\sibF729.tmp\0\setup.exe
MD5
a2f8f15dc02e62b14fc3d0c5a7444b8a

SHA1
4c98c38b142e6d264bc26aa7c3139074234f15b8

SHA256
c552688299729c85e89d80402ea4ce82c7f7a09a1bf41aeb04c947e7abc32319

SHA512
a35607796edb1d836a970f5280bb2af60384fd18fbd76c2f793409f591b4703baac17b3e82e3ce32a0d242bdffcab78e489046f80c85a8db873f8de68ea15160

Download Submit
C:\Users\Admin\AppData\Local\Temp\sibF729.tmp\0\setup.exe
MD5
a2f8f15dc02e62b14fc3d0c5a7444b8a

SHA1
4c98c38b142e6d264bc26aa7c3139074234f15b8

SHA256
c552688299729c85e89d80402ea4ce82c7f7a09a1bf41aeb04c947e7abc32319

SHA512
a35607796edb1d836a970f5280bb2af60384fd18fbd76c2f793409f591b4703baac17b3e82e3ce32a0d242bdffcab78e489046f80c85a8db873f8de68ea15160

Download Submit
C:\Users\Admin\AppData\Roaming\1626470524511.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1626470524511.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1626470524511.txt
MD5
f3a55ae79aa1a18000ccac4d16761dcd

SHA1
7e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3

SHA256
a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575

SHA512
5184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168

Download Submit
C:\Users\Admin\AppData\Roaming\1626470527152.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1626470527152.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1626470527152.txt
MD5
f3a55ae79aa1a18000ccac4d16761dcd

SHA1
7e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3

SHA256
a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575

SHA512
5184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168

Download Submit
C:\Users\Admin\AppData\Roaming\1626470533761.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1626470533761.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1626470533761.txt
MD5
f3a55ae79aa1a18000ccac4d16761dcd

SHA1
7e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3

SHA256
a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575

SHA512
5184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168

Download Submit
\Users\Admin\AppData\Local\Temp\MSI33E2.tmp
MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
\Users\Admin\AppData\Local\Temp\nsuF66D.tmp\Sibuia.dll
MD5
eb948284236e2d61eae0741280265983

SHA1
d5180db7f54de24c27489b221095871a52dc9156

SHA256
dbe5a7daf5bcff97f7c48f9b5476db3072cc85fbffd660adaff2e0455132d026

SHA512
6d8087022ee62acd823cfa871b8b3e3251e44f316769dc04e2ad169e9df6a836dba95c3b268716f2397d6c6a3624a9e50dbe0bc847f3c4f3ef8e09bff30f2d75

Download Submit
\Users\Admin\AppData\Local\Temp\sibF729.tmp\SibClr.dll
MD5
928e680dea22c19febe9fc8e05d96472

SHA1
0a4a749ddfd220e2b646b878881575ff9352cf73

SHA256
8b6b56f670d59ff93a1c7e601468127fc21f02dde567b5c21a5d53594cdaef94

SHA512
5fbc72c3fa98dc2b5ad2ed556d2c6dc9279d4be3eb90ffd7fa2ada39cb976eba7cb34033e5786d1cb6137c64c869027002be2f2cad408acefd5c22006a1fef34

Download Submit
\Users\Admin\AppData\Local\Temp\sibF729.tmp\SibClr.dll
MD5
928e680dea22c19febe9fc8e05d96472

SHA1
0a4a749ddfd220e2b646b878881575ff9352cf73

SHA256
8b6b56f670d59ff93a1c7e601468127fc21f02dde567b5c21a5d53594cdaef94

SHA512
5fbc72c3fa98dc2b5ad2ed556d2c6dc9279d4be3eb90ffd7fa2ada39cb976eba7cb34033e5786d1cb6137c64c869027002be2f2cad408acefd5c22006a1fef34

Download Submit
memory/212-198-0x0000000000000000-mapping.dmp

Download
memory/576-238-0x0000000000000000-mapping.dmp

Download
memory/632-215-0x0000000000000000-mapping.dmp

Download
memory/712-243-0x0000025073010000-0x0000025073011000-memory.dmp

Filesize
4KB

Download
memory/712-239-0x0000000010000000-0x00000000100B9000-memory.dmp

Filesize
740KB

Download
memory/804-130-0x0000000000000000-mapping.dmp

Download
memory/1212-145-0x0000000000000000-mapping.dmp

Download
memory/1212-151-0x0000000010000000-0x0000000010220000-memory.dmp

Filesize
2.1MB

Download
memory/1336-202-0x0000000000000000-mapping.dmp

Download
memory/1480-246-0x0000000004770000-0x0000000004778000-memory.dmp

Filesize
32KB

Download
memory/1480-148-0x0000000000000000-mapping.dmp

Download
memory/1480-217-0x0000000003150000-0x0000000003160000-memory.dmp

Filesize
64KB

Download
memory/1480-228-0x00000000032F0000-0x0000000003300000-memory.dmp

Filesize
64KB

Download
memory/1480-236-0x0000000004610000-0x0000000004618000-memory.dmp

Filesize
32KB

Download
memory/1480-237-0x0000000004820000-0x0000000004828000-memory.dmp

Filesize
32KB

Download
memory/1480-245-0x0000000004770000-0x0000000004778000-memory.dmp

Filesize
32KB

Download
memory/1480-247-0x0000000003150000-0x00000000031B0000-memory.dmp

Filesize
384KB

Download
memory/1764-154-0x0000000000000000-mapping.dmp

Download
memory/2212-121-0x0000000000000000-mapping.dmp

Download
memory/2212-138-0x0000000010B43000-0x0000000010B44000-memory.dmp

Filesize
4KB

Download
memory/2212-139-0x0000000010B44000-0x0000000010B46000-memory.dmp

Filesize
8KB

Download
memory/2212-135-0x0000000010B40000-0x0000000010B41000-memory.dmp

Filesize
4KB

Download
memory/2212-140-0x0000000010B46000-0x0000000010B47000-memory.dmp

Filesize
4KB

Download
memory/2212-129-0x0000000010B50000-0x0000000010B51000-memory.dmp

Filesize
4KB

Download
memory/2212-136-0x0000000010B41000-0x0000000010B42000-memory.dmp

Filesize
4KB

Download
memory/2212-127-0x0000000010B10000-0x0000000010B11000-memory.dmp

Filesize
4KB

Download
memory/2504-181-0x0000000003645000-0x0000000003AA2000-memory.dmp

Filesize
4.4MB

Download
memory/2504-179-0x0000000003640000-0x0000000003AA3000-memory.dmp

Filesize
4.4MB

Download
memory/2504-160-0x0000000000000000-mapping.dmp

Download
memory/2604-163-0x0000000000000000-mapping.dmp

Download
memory/2604-178-0x0000000003540000-0x00000000039A3000-memory.dmp

Filesize
4.4MB

Download
memory/2668-234-0x000002DA70C30000-0x000002DA70C31000-memory.dmp

Filesize
4KB

Download
memory/2668-212-0x00007FF648C78270-mapping.dmp

Download
memory/3060-165-0x0000000000000000-mapping.dmp

Download
memory/3592-119-0x00000000024D0000-0x00000000025D0000-memory.dmp

Filesize
1024KB

Download
memory/3592-116-0x0000000000000000-mapping.dmp

Download
memory/3592-120-0x00000000025D0000-0x00000000026B3000-memory.dmp

Filesize
908KB

Download
memory/4032-169-0x0000000000000000-mapping.dmp

Download
memory/4052-166-0x0000000000000000-mapping.dmp

Download
memory/4080-244-0x0000000000000000-mapping.dmp

Download
memory/4332-184-0x00007FF648C78270-mapping.dmp

Download
memory/4332-188-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/4332-193-0x0000028AFFFA0000-0x0000028AFFFA1000-memory.dmp

Filesize
4KB

Download
memory/4392-185-0x0000000000000000-mapping.dmp

Download
memory/4508-192-0x0000000000000000-mapping.dmp

Download
memory/4548-210-0x000002838C840000-0x000002838C841000-memory.dmp

Filesize
4KB

Download
memory/4548-200-0x00007FF648C78270-mapping.dmp

Download
memory/4596-195-0x0000000000000000-mapping.dmp

Download
memory/4616-194-0x0000000000000000-mapping.dmp

Download