Malware Analysis Report

2024-07-11 07:37

Sample ID 240320-spgxsabe73
Target Injected_LoadExe_Malware.zip
SHA256 3244606c4d740afa7a0c8f5e89a99c9ed8940103213451e23c1d9af3c89e3f75
Tags
plugx trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3244606c4d740afa7a0c8f5e89a99c9ed8940103213451e23c1d9af3c89e3f75

Threat Level: Known bad

The file Injected_LoadExe_Malware.zip was found to be: Known bad.

Malicious Activity Summary

plugx trojan

PlugX

Detects PlugX payload

Deletes itself

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-03-20 15:17

Signatures

Unsigned PE

Description Indicator Process Target
(1 match; the sandbox exported no description, indicator, process or target for this signature)

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-20 15:17

Reported

2024-03-20 15:19

Platform

win7-20240221-en

Max time kernel

19s

Max time network

20s

Command Line

C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe Injected_LoadExe_Malware.bin

Signatures

Detects PlugX payload

Description Indicator Process Target
(18 matches; the sandbox exported no description, indicator, process or target for any of them)

PlugX

trojan plugx

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\SysWOW64\svchost.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

The keys below are standard WinINet proxy-autodetection (WPAD), connection and cache state written under the .DEFAULT profile by the injected svchost.exe. They show that the injected process went through WinINet for its network access; they are not a persistence mechanism and should not be treated as PlugX-specific indicators on their own.

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0108000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BCFD5F3F-5F50-4629-80C3-7C48C1930F45} C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BCFD5F3F-5F50-4629-80C3-7C48C1930F45}\WpadNetworkName = "Network 3" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-69-76-97-d1-8d C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-69-76-97-d1-8d\WpadDecisionTime = a07a8fe8d97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BCFD5F3F-5F50-4629-80C3-7C48C1930F45}\b6-69-76-97-d1-8d C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-69-76-97-d1-8d\WpadDecisionReason = "1" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BCFD5F3F-5F50-4629-80C3-7C48C1930F45}\WpadDecisionTime = a07a8fe8d97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-69-76-97-d1-8d\WpadDetectedUrl C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0108000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BCFD5F3F-5F50-4629-80C3-7C48C1930F45}\WpadDecisionTime = c0c44eecd97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-69-76-97-d1-8d\WpadDecisionTime = c0c44eecd97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-69-76-97-d1-8d\WpadDecisionTime = 10a3f4efd97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BCFD5F3F-5F50-4629-80C3-7C48C1930F45}\WpadDecisionReason = "1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0108000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BCFD5F3F-5F50-4629-80C3-7C48C1930F45}\WpadDecision = "0" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-69-76-97-d1-8d\WpadDecision = "0" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BCFD5F3F-5F50-4629-80C3-7C48C1930F45}\WpadDecisionTime = 10a3f4efd97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 43004300430032003700310031003700390045003400360034004400460039000000 C:\Windows\SysWOW64\svchost.exe N/A
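The two kinds of binary value in the registry tables above are worth decoding rather than reading as opaque hex. The Python below is an added illustration for this report, not part of the sandbox output: it decodes the REG_BINARY under HKLM\Software\Classes\FAST\CLSID as a NUL-terminated UTF-16LE string and the WpadDecisionTime values from the HKEY_USERS table as little-endian Windows FILETIMEs. The hex strings are copied verbatim from the tables.

```python
"""Decode the binary registry values recorded in this report.

Added example for the report; not sandbox tooling. The hex strings are copied
from the 'Modifies registry class' and 'Modifies data under HKEY_USERS' tables.
"""
from datetime import datetime, timedelta, timezone

# HKLM\Software\Classes\FAST\CLSID, as exported by the sandbox (REG_BINARY as hex).
FAST_CLSID_HEX = "43004300430032003700310031003700390045003400360034004400460039000000"

# The three distinct WpadDecisionTime values from the HKEY_USERS table, in report order.
WPAD_DECISION_TIMES_HEX = ["a07a8fe8d97ada01", "c0c44eecd97ada01", "10a3f4efd97ada01"]

# FILETIME counts 100 ns ticks from this epoch.
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_utf16le_blob(hex_value: str) -> str:
    """REG_BINARY holding a NUL-terminated UTF-16LE string -> Python str."""
    raw = bytes.fromhex(hex_value)
    text = raw.decode("utf-16-le", errors="strict")
    # Keep only the part before the first NUL terminator.
    return text.split("\x00", 1)[0]


def decode_filetime(hex_value: str) -> datetime:
    """8-byte little-endian FILETIME -> timezone-aware UTC datetime."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    ticks = int.from_bytes(raw, "little")
    # 10 ticks of 100 ns make one microsecond; the remainder is below datetime resolution.
    return WINDOWS_EPOCH + timedelta(microseconds=ticks // 10)


def decode_report_values() -> dict:
    """Decode every binary value quoted above and return them in one dict."""
    return {
        "fast_clsid": decode_utf16le_blob(FAST_CLSID_HEX),
        "wpad_decision_times": [decode_filetime(h) for h in WPAD_DECISION_TIMES_HEX],
    }


if __name__ == "__main__":
    result = decode_report_values()
    print("HKLM\\Software\\Classes\\FAST\\CLSID =", result["fast_clsid"])
    for ts in result["wpad_decision_times"]:
        print("WpadDecisionTime =", ts.isoformat())
```

The CLSID value decodes to a 16-character string rather than a GUID, and the first WpadDecisionTime lands at 2024-03-20 15:18 UTC, inside the 15:17 to 15:19 submission-to-report window of this detonation; that agreement is a quick sanity check that the bytes were read in the right order.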

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1032 wrote to memory of 1680 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
PID 2564 wrote to memory of 2692 (9 events) N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe C:\Windows\SysWOW64\svchost.exe
PID 2692 wrote to memory of 2132 (12 events) N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
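The WriteProcessMemory rows are easier to reason about as a graph than as a list. The Python below is an added example, not sandbox tooling: it parses lines in the report's own row format, counts events per writer/target pair, follows the write edges into chains, and flags writes into binaries under C:\Windows together with any target command line that embeds the writer's PID (the msiexec.exe command line in the Processes section, 209 2692, carries the PID of the svchost.exe that wrote into it). The row strings and command lines are copied from this report and the per-row event counts match the table; everything else is illustrative.

```python
"""Reconstruct the cross-process write chain from sandbox WriteProcessMemory rows.

Added example for this report; not sandbox tooling.
"""
import re
from collections import Counter

# Row format used by the report: "PID <src> wrote to memory of <dst> N/A <src image> <dst image>".
# The source image may contain spaces, so it is matched non-greedily up to the
# last path that starts with "C:\".
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) (C:\\.+)$")
WINDOWS_DIR = "c:\\windows\\"

# Rows copied from the report; the multipliers are the event counts shown in the table.
ROW_SFX = ("PID 1032 wrote to memory of 1680 N/A "
           "C:\\Users\\Admin\\AppData\\Local\\Temp\\Injected_LoadExe_Malware.exe "
           "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\iusb3mon.exe")
ROW_SVCHOST = ("PID 2564 wrote to memory of 2692 N/A "
               "C:\\ProgramData\\Intel\\Intel(R) Management Engine Components\\iusb3mon.exe "
               "C:\\Windows\\SysWOW64\\svchost.exe")
ROW_MSIEXEC = ("PID 2692 wrote to memory of 2132 N/A "
               "C:\\Windows\\SysWOW64\\svchost.exe C:\\Windows\\SysWOW64\\msiexec.exe")
WPM_LINES = [ROW_SFX] * 7 + [ROW_SVCHOST] * 9 + [ROW_MSIEXEC] * 12

# Command lines from the Processes section, keyed by the image path used in the rows.
# Both image paths contain no spaces, so a plain split() separates the arguments.
COMMAND_LINES = {
    "C:\\Windows\\SysWOW64\\svchost.exe": "C:\\Windows\\system32\\svchost.exe 201 0",
    "C:\\Windows\\SysWOW64\\msiexec.exe": "C:\\Windows\\system32\\msiexec.exe 209 2692",
}


def parse_wpm(lines):
    """Return Counter {(src_pid, dst_pid, src_image, dst_image): number of events}."""
    events = Counter()
    for line in lines:
        m = WPM_RE.match(line.strip())
        if not m:
            continue  # not a WriteProcessMemory row; ignore
        src, dst, src_img, dst_img = m.groups()
        events[(int(src), int(dst), src_img, dst_img)] += 1
    return events


def injection_chains(events):
    """Follow writer -> target edges starting from every PID that is never a target."""
    edges = {}
    for src, dst, _, _ in events:
        edges.setdefault(src, []).append(dst)
    targets = {dst for _, dst, _, _ in events}
    chains = []
    for root in sorted(p for p in edges if p not in targets):
        chain, cur = [root], root
        while cur in edges:
            cur = edges[cur][0]  # each writer has a single target in this report
            if cur in chain:
                break  # guard against a cycle in malformed input
            chain.append(cur)
        chains.append(chain)
    return chains


def findings(events, command_lines):
    """Flag writes into Windows system binaries and targets whose argv embeds the writer PID."""
    out = []
    for (src, dst, src_img, dst_img), n in sorted(events.items()):
        if dst_img.lower().startswith(WINDOWS_DIR):
            origin = "outside" if not src_img.lower().startswith(WINDOWS_DIR) else "inside"
            out.append(f"pid {src} ({origin} Windows dir) wrote {n}x into system binary "
                       f"{dst_img} (pid {dst})")
        args = command_lines.get(dst_img, "").split()[1:]
        if str(src) in args:
            out.append(f"pid {dst} command line carries writer pid {src}: "
                       f"{command_lines[dst_img]!r}")
    return out


if __name__ == "__main__":
    ev = parse_wpm(WPM_LINES)
    for chain in injection_chains(ev):
        print("chain:", " -> ".join(map(str, chain)))
    for f in findings(ev, COMMAND_LINES):
        print("finding:", f)
```

The chains come out as 1032 -> 1680 and 2564 -> 2692 -> 2132; there is no write edge between 1680 (iusb3mon.exe in RarSFX0) and 2564 (the copy under ProgramData), so the two chains are linked only by the shared image name, which is what the Processes section shows as a relaunch from the new location.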

Processes

C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe

C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe Injected_LoadExe_Malware.bin

C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe"

C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe

"C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\system32\msiexec.exe 209 2692

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

Country Destination Domain Proto Queries
US 8.8.8.8:53 www.million-customers.net udp 21
US 8.8.8.8:53 ns.million-customers.net udp 13
US 8.8.8.8:53 pop3.million-customers.net udp 5
N/A 10.127.255.255:53 (no domain recorded) udp 1

All 40 recorded flows are DNS queries to 8.8.8.8 (plus one to the sandbox broadcast address); the lookups cycle through the three million-customers.net hostnames. No TCP connection to a resolved address was recorded within the 20 s network window, so this run captured C2 hostnames but no C2 traffic.

Files

\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe

MD5 9166c1276b296bc78fa816cd8448cd32
SHA1 b5e48ccae94269ca95904fc58440113e9a4cae00
SHA256 1d2bf20f9ea7665281e5f9ffe50a8127e4618cb76c6a47a27e7aca196327c395
SHA512 35d8a6475d9579d9134f0fad4c1c5db9db6b0ffd06ba451193f3f89b0d23983067e12758b620aad90b3042a14a004c0fbdcbb99dfe7c669d2101434e709d0e26

C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.dll

MD5 53c8cecfec9def827dd79eba8894c073
SHA1 4fb4895d41e62d69fe7f4f27a2f1355dcc06cc3a
SHA256 6104ae31a6fde52b4e8c4a1a32de0719e0dc9d8aee5e258ef578e5371d6ef388
SHA512 2049546fa25e3ca51d2c220f246fe5622b93badfc1d5d4c38262a3003109f3ca983298fc15dd6bc785567d69cb5a75f79967582f5cdc6e65d27edd6b55cef7a2

C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe.mui

MD5 9b697afa24fa4e8e32c97bfe3f791344
SHA1 7b8563102dbb1de9cf96cfb51dcdf0b5116e26aa
SHA256 1cf6eb9eb9816318b894fe342124edcfabf8544fdf7d46e5ca2c13ca4c49603e
SHA512 d0f024c7db17e645b4785fd0800706a6c2f62449b1aaf062a65da197fe110ac16938b26472c2fbfdd306435234c63d695b63932b3c06fa54ba38a633b9ddd082

memory/1680-22-0x0000000001200000-0x000000000124B000-memory.dmp

memory/1680-23-0x00000000005F0000-0x0000000000629000-memory.dmp

memory/1680-29-0x0000000000770000-0x00000000007C8000-memory.dmp

C:\log\haha.txt

MD5 ac7273c4620dd06fe8e2bb1a624d7476
SHA1 0b598d9ec682b1c8f0d1c08c285631641419c6c6
SHA256 f913513ffcfe906bd3c65a7d410aa1b8cc6302b5fb2cf23a46999f3f6d9aa342
SHA512 232fe41149f4c02974a33de69e6ad149af4b9a052598bc8311c71123207a0f9f004bb412e2714e9daff794904d08e782207bca852d9dfa0caea6184576bc74f6

memory/2564-59-0x0000000000750000-0x00000000007A8000-memory.dmp

\??\c:\log\haha.txt

MD5 d5bdca37c3c1f51968aa4c3e3c04160c
SHA1 367eb307289d86d2d1cb784238806447a602365c
SHA256 6780c864f73a4fde44a59d2d1f0806ce64cf9cf4c2880c8d902c05c4630d8057
SHA512 086cb959140d547d6dbc4988ed8403cfa446ae5e1ec683cd42d20645565edb80097f68c2deca64d2d9bc7fada7a92e68089d3f5dd608f0204fc5691b47b85901

memory/2564-54-0x0000000000A80000-0x0000000000ACB000-memory.dmp

C:\log\haha.txt

MD5 97a6f7c248f42672f01bd1f73f56349f
SHA1 969e5433b06ee4f64479a942d50cc547282ae843
SHA256 02fb6c00824864a9d92ad0aea7676435a246b4bf17d595353550f13a194ef2e5
SHA512 ff851ea573d13b69ae7cf48ef712eb21bc9f84c8ed38ed637828ff469f951ef18fa240ec65e2382f93446dfa72556996ef41bc426f14d2e58da816e88da2778f

memory/2692-66-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2692-69-0x00000000000A0000-0x00000000000D6000-memory.dmp

memory/2692-71-0x00000000000E0000-0x00000000000E2000-memory.dmp

memory/2692-73-0x0000000000080000-0x0000000000081000-memory.dmp

\??\c:\log\haha.txt

MD5 51431849eb93ea035c73263eebcc1143
SHA1 a47a4d25f97a34fe3c63958d49129d31643b7813
SHA256 7365cc413ae75e3a2d4baed6dc4393be9218834d373577d8ae93575d7ac2a476
SHA512 9192e2b1227615c4a5512b187a4645633e44688af14b0443db9aae99375e8b94e355362a9b825faf5fe98333e8fdb6a8e14357c94f6414cb210eb941fd266e91

memory/2692-79-0x0000000000450000-0x00000000004A8000-memory.dmp

memory/2564-92-0x0000000000750000-0x00000000007A8000-memory.dmp

\??\c:\log\haha.txt

MD5 6f5a3eabdeb952ad82f12b58a3feea15
SHA1 7d5ec075fae0e9d807aa4ed2cccfcab7a372c093
SHA256 d5a7d9d83c44c793d37aecc018d0486287a171e47eac60d830c32b215b3e7288
SHA512 87de0ae2450ac1e4c3df0167e8ba77bcca230cb5028645cf0900b6481b817f37dd6a4d2a3c6dbd4f400218ed291ae7f82163b1bb68acf6dcd80da7954650caf3

\??\c:\log\haha.txt

MD5 1de51f0b1f3d9cd6c3f5d9f1652403ec
SHA1 b09108267524884eb5c8a05e80c5fa54a71458d8
SHA256 8fe969fab115bf461f8ab4770c013170a97e6f1dc676592c749efd62b5badb30
SHA512 83a6bdc3a7996bf5f7f6d4f3518986514ed79f52c940aa4d88ea4ebf6b23c56848db39cdf24c1c3eb2b403fc38306b5cdc5d56acddf8cb3f4188656b669c8600

\??\c:\log\haha.txt

MD5 29d41085e30f51a751b532be1781385f
SHA1 c65319d9adb18a209e854bb28faeea32393effba
SHA256 8369e014c01cd450546a7bbe8c91376095f5c5eb05b1eb74a70b453a7529de8a
SHA512 3d5bef01a564261bc942f6dea0a6bc52226c9a10b3518bfd34a27d29e384ceee7fdc74d2a0fae5aaf3b51777b5ce1fefcb362e7a6b796fd064077736ebd08e16

memory/1680-95-0x0000000000770000-0x00000000007C8000-memory.dmp

memory/2692-98-0x0000000000450000-0x00000000004A8000-memory.dmp

memory/2692-108-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2692-109-0x0000000000450000-0x00000000004A8000-memory.dmp

memory/2692-110-0x0000000000450000-0x00000000004A8000-memory.dmp

memory/2692-113-0x0000000000450000-0x00000000004A8000-memory.dmp

memory/2692-120-0x0000000000450000-0x00000000004A8000-memory.dmp

memory/2692-123-0x0000000000450000-0x00000000004A8000-memory.dmp

memory/2692-126-0x0000000000450000-0x00000000004A8000-memory.dmp

memory/2692-131-0x0000000000450000-0x00000000004A8000-memory.dmp

\??\c:\log\haha.txt

MD5 8ff0b388b77c9ebe385009e07ceffc33
SHA1 d58abdfd0cab91bdaa31d9a5d8ba2af21725caf1
SHA256 d8aa3ebb0488b8447221e507d0be445d6e2aa6d097d006d4eaac52a2d1125fc5
SHA512 bbae63ca49aea9ba26b7fa05e696024440f89d7be92e7633aebf8fbdb6ec8947a7ef1b46656027ba5bb19205d5c74e929d6727dd359f9ba2888b52462728002e

memory/2132-165-0x0000000000360000-0x00000000003B8000-memory.dmp

memory/2132-160-0x0000000000090000-0x0000000000091000-memory.dmp

memory/2132-171-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/2132-172-0x0000000000360000-0x00000000003B8000-memory.dmp

memory/2132-173-0x0000000000360000-0x00000000003B8000-memory.dmp

\??\c:\log\haha.txt

MD5 99002283b4d06a615ffbe1f530caca77
SHA1 bd5e3b92904101cbd5b9b9a486410b9ea2b27fc1
SHA256 6c884dd5017f7e767218aab9eca2c914ff87a853ff3e303cf6d4104d3302e9da
SHA512 2ecc62bfa48d7726f922a9b191e5aec099c95f233cfe01baa7d068def0b35068c9fc6df943377316fd25ffc7350b9382a6541bf461ae7454aac9bd42d188267a

memory/2692-181-0x0000000000450000-0x00000000004A8000-memory.dmp

memory/2132-272-0x0000000000360000-0x00000000003B8000-memory.dmp

memory/2276-280-0x0000000002F10000-0x0000000002F11000-memory.dmp

memory/1804-293-0x0000000002AB0000-0x0000000002AB1000-memory.dmp