f0aea3cb0f3ccb2d6c16a159338c1df9f1ccbf1ce570be5e1b2b044dd9469922

Analysis

max time kernel
70s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
01-10-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

usbsafelyremovesetup_7-0-5.exe
Size

3.6MB
MD5

1160764fda32f71097accacf1d284a7d
SHA1

ba6306ab3e2291f14ae6be6014112c4e3937b0e6
SHA256

f0aea3cb0f3ccb2d6c16a159338c1df9f1ccbf1ce570be5e1b2b044dd9469922
SHA512

1d9ddbac61460c7a29981ec01d48795cea31f27f14211a3e91c7fee8eb54e025ad466cd8eb38add9537b776a1ca8bccc99348146d8dcd8f4fab15fb4270884dd
SSDEEP

49152:WofTTgeKBbzXgxqhD6g9ii5jDwVxs2jRZvUYbDYV8g5fMETmL1IzYDWs4tACsjv6:HrWzXPhi8wVPRZLbW5fX41XWsyRSSIvY

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
3460	usbsafelyremovesetup_7-0-5.tmp
2284	USBSRService.exe
4068	USBSRService.exe
1068	USBSafelyRemove.exe
3876	USBSafelyRemove.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Windows\CurrentVersion\Run\USB Safely Remove = "\"C:\\Program Files (x86)\\USB Safely Remove\\USBSafelyRemove.exe\" /startup"	USBSafelyRemove.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\Desktop.ini	USBSafelyRemove.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\is-VLL7A.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Languages\is-DDN6H.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Black Contrast\is-0VF1P.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Black Velvet\is-88DRJ.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\DeviceImages\is-LGNQ2.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Win10 Dark\is-4OE4F.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\DeviceImages\is-OHHU3.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\DeviceImages\is-L5S0J.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Classic\is-O4LBB.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\is-30IH7.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\unins000.dat	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\DeviceImages\is-PP2Q8.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\is-I4UGT.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Classic\is-V0ANB.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Win10 Dark\is-IT58B.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\DeviceImages\is-4JU36.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\DeviceImages\is-HOBQS.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\DeviceImages\is-I8RVI.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\is-9MOVV.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Black Contrast\is-13NUU.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Black Contrast\is-6HRMJ.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\DeviceImages\is-0NJFF.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\DeviceImages\is-G8LRR.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\DeviceImages\is-51D0F.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\is-O5M7P.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Black Contrast\is-OCM86.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Black Velvet\is-R2KU9.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Black Velvet\is-LVOER.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Win10 Dark\is-JLKSS.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\is-ELACA.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\DeviceImages\is-O6Q1L.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Black Contrast\is-C421B.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Languages\is-41CNS.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\DeviceImages\is-0SALK.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Black Contrast\is-R69VE.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\DeviceImages\is-QQOCK.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Black Velvet\is-GRIN1.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Win10 Dark\is-B8P5T.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Win10 Dark\is-DMFH9.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Win10 Dark\is-122C9.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Win10 Light\is-S1QIA.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\is-23G5L.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Black Contrast\is-JCPKP.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Black Contrast\is-SSOGI.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Classic\is-HUENK.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\is-6SU61.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Languages\is-2RV8M.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\DeviceImages\is-7V8UF.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Black Contrast\is-J954A.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Classic\is-N6Q96.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Classic\is-E0PEQ.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Classic\is-FUHN6.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\is-T9H05.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\DeviceImages\is-FOEIT.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Classic\is-N8MEU.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Classic\is-B9102.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Classic\is-SRV01.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Win10 Dark\is-LG9EV.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\DeviceImages\is-T2EVR.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\DeviceImages\is-NIDUK.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Black Contrast\is-F8J6E.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\DeviceImages\is-M4JJB.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\Skins\Classic\is-4T2KQ.tmp	usbsafelyremovesetup_7-0-5.tmp
File created	C:\Program Files (x86)\USB Safely Remove\DeviceImages\is-NDO6B.tmp	usbsafelyremovesetup_7-0-5.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	USBSafelyRemove.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	usbsafelyremovesetup_7-0-5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	usbsafelyremovesetup_7-0-5.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	USBSafelyRemove.exe

Checks SCSI registry key(s) 3 TTPs 20 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	USBSafelyRemove.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	USBSafelyRemove.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	USBSafelyRemove.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	USBSafelyRemove.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	USBSafelyRemove.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	USBSafelyRemove.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	USBSafelyRemove.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	USBSafelyRemove.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	USBSafelyRemove.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	USBSafelyRemove.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	USBSafelyRemove.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	USBSafelyRemove.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	USBSafelyRemove.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	USBSafelyRemove.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	USBSafelyRemove.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	USBSafelyRemove.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	USBSafelyRemove.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	USBSafelyRemove.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	USBSafelyRemove.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	USBSafelyRemove.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1068	USBSafelyRemove.exe
Token: SeDebugPrivilege	1068	USBSafelyRemove.exe

Suspicious use of FindShellTrayWindow 61 IoCs

pid	Process
3460	usbsafelyremovesetup_7-0-5.tmp
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe

Suspicious use of SendNotifyMessage 55 IoCs

pid	Process
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe
1068	USBSafelyRemove.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 3460	1436	usbsafelyremovesetup_7-0-5.exe	78
PID 1436 wrote to memory of 3460	1436	usbsafelyremovesetup_7-0-5.exe	78
PID 1436 wrote to memory of 3460	1436	usbsafelyremovesetup_7-0-5.exe	78
PID 3460 wrote to memory of 2284	3460	usbsafelyremovesetup_7-0-5.tmp	80
PID 3460 wrote to memory of 2284	3460	usbsafelyremovesetup_7-0-5.tmp	80
PID 3460 wrote to memory of 1068	3460	usbsafelyremovesetup_7-0-5.tmp	82
PID 3460 wrote to memory of 1068	3460	usbsafelyremovesetup_7-0-5.tmp	82
PID 3460 wrote to memory of 1068	3460	usbsafelyremovesetup_7-0-5.tmp	82

C:\Users\Admin\AppData\Local\Temp\usbsafelyremovesetup_7-0-5.exe
"C:\Users\Admin\AppData\Local\Temp\usbsafelyremovesetup_7-0-5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Users\Admin\AppData\Local\Temp\is-ON47O.tmp\usbsafelyremovesetup_7-0-5.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-ON47O.tmp\usbsafelyremovesetup_7-0-5.tmp" /SL5="$50108,3231395,145920,C:\Users\Admin\AppData\Local\Temp\usbsafelyremovesetup_7-0-5.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Program Files (x86)\USB Safely Remove\USBSRService.exe
    "C:\Program Files (x86)\USB Safely Remove\USBSRService.exe" /install /silent
    3⤵
    - Executes dropped EXE
    PID:2284
- - C:\Program Files (x86)\USB Safely Remove\USBSafelyRemove.exe
    "C:\Program Files (x86)\USB Safely Remove\USBSafelyRemove.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1068

C:\Program Files (x86)\USB Safely Remove\USBSRService.exe
"C:\Program Files (x86)\USB Safely Remove\USBSRService.exe"
1⤵
- Executes dropped EXE
PID:4068

C:\Program Files (x86)\USB Safely Remove\USBSafelyRemove.exe
"C:\Program Files (x86)\USB Safely Remove\USBSafelyRemove.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\USB Safely Remove\DeviceImages\Battery.ico

Filesize
14KB

MD5
c25501de265b8a6851cff9c98f14e516

SHA1
5d6a854b9fae8a245c52bd64e78ef3bbae6e3f39

SHA256
8f7d3b3774c73fdd67548074fd0bba864300b97d64a359d482138fc705118d25

SHA512
8de282142948b468799e8ae50fe6621e6c4f6e319d06cbc1abd8fd1590a2a0d887ec81cf9f90f9402404cf468092a65b4e8474fac41732a6499c2940e5e84f25

Download Submit
C:\Program Files (x86)\USB Safely Remove\DeviceImages\Bluetooth.ico

Filesize
14KB

MD5
f8f80923b68c6c2e4266364a3fb9ccbe

SHA1
552cfa2fafc458c3019f0e981feaf64ebd88812c

SHA256
50b2b00a74bc3b8d68de0a4faf329e83d10ae79fdb83682326122b4ea3c9d702

SHA512
49a117dca92596193fab0db1b1bf76f0cfb82bd906fbd95118d6ec60152976d4092593aa4f84b351a5cb4856689cdfb3b5062209e6b9bc3e02cf3679c28d7fa2

Download Submit
C:\Program Files (x86)\USB Safely Remove\DeviceImages\CD-DVD player.ico

Filesize
14KB

MD5
2976b68a7b97816271f8bb50b24f3c75

SHA1
a7ead2e2044cef9b81f45a2df4efe562d164608f

SHA256
a32f608342a4836b7532a5da0a1923647881ac4914c45b368c6d5773773bda0a

SHA512
ce0c9b11d2536c8215a950be96e7817ae71d867e732251f07040c6a1c2487fdbd40af8775fb9f5b077601dd9d63f2734f2390077828363476595e6eca625d071

Download Submit
C:\Program Files (x86)\USB Safely Remove\DeviceImages\Camera.ico

Filesize
14KB

MD5
d8910f4f491171f573b2af7b845e5eba

SHA1
b0288f872755d64c9a4b6250d23b7e120b968a8f

SHA256
2a63e1d5da2a9bad8e25f6cc2b078fe0fc6d12fa6da686a8f223702dfe91a94b

SHA512
14d54476671f4f4696376c8cb31f00754b1d5d8e772d130b48c69a47d86157062dde6464d1daac4233f8c800ae60c0db54e652bb4ac85fe8c23a848b4e1521de

Download Submit
C:\Program Files (x86)\USB Safely Remove\DeviceImages\Card reader (black).ico

Filesize
14KB

MD5
9239c1197739f68db5bfc9f9c495deda

SHA1
e99c446b04bfa99da257af8b91518dac82541ea6

SHA256
8e26170f9f1a0838e4918cf4c8f9281a57aeac6cf682ec29c9b7654f8864c88a

SHA512
a74ff055c23b1bca5293be094dfb2cd01abe57046781880e451466736daed03b82bf7a4b1cb767f1f22717d44c5dd14ae6337b16568f31a0a79b2ed377ceb9b8

Download Submit
C:\Program Files (x86)\USB Safely Remove\DeviceImages\Card reader (green).ico

Filesize
14KB

MD5
ce36e67d82f723b604d4df39fb91b89a

SHA1
b781118c0023d7cb0b5a23be19935a908ecf9c2f

SHA256
20e7414483748a8065581a7019ac2c63c805ffc3445b5568d93852d2fec417ef

SHA512
0efa4c13f88f1adeb1d3dc3ac995ee214f7a0ca0a2bbaf4a0ee05843c427ef455e5d8f60d6a969fbe801bbbc595f33666ffcc38291c3099fdc90c9d20d46471e

Download Submit
C:\Program Files (x86)\USB Safely Remove\DeviceImages\Card reader (red).ico

Filesize
14KB

MD5
32f09e24498fd1700c96ad9f0655b04c

SHA1
10f7e9ad7a0fd6042be9fa228aaaaa177b64c5ce

SHA256
fd57abe1e508a0226f68b13ac2eca93a217e53e797df815ddfb432e377bf7a4b

SHA512
0e70076f4b210c924b4d81d1f35bc9b893bfff814e013d2ddc8c557de807c1f5d081d61075b4a1258034e7a4fa11a803ed93c32d4c8d9702d4bd920595d18e7b

Download Submit
C:\Program Files (x86)\USB Safely Remove\DeviceImages\Card reader.ico

Filesize
14KB

MD5
7c5627f1f7dacb12ab9958c588fa118b

SHA1
2a6b0b425293bcae1413b1c5dae2b54f627d97ac

SHA256
83d361f19db28a193ff768228d38ee78e2e62af272e13b9bf34b31998b283dd3

SHA512
63128a3578a88549894b0c6c48b3858a8dda68dbb4346b6f8b91a34e8dc1326632df01aba5e14e4313865c7b398bd390fed9a7a48a910fbc5dfe953dd04f375d

Download Submit
C:\Program Files (x86)\USB Safely Remove\DeviceImages\Fingerprint.ico

Filesize
14KB

MD5
9d73b1fb640178c884bdd915e17361a8

SHA1
8f6d16f5629e9e8f0727c1c30c360a8358545c9b

SHA256
5cb0fb71d99c9571737eab4eb4b90238d5eb1a54cf20c7d25d02384843f2776e

SHA512
787f7fb031675e82109b8f0a6404e429700dbcb9f3d4ac1feb87fe0e93fc481f92f2aa941242ce37a5f6e1dae571f5dd49854feaa6f15983f429e5ff7456ab41

Download Submit
C:\Program Files (x86)\USB Safely Remove\DeviceImages\Flash drive (black).ico

Filesize
14KB

MD5
30b2d7729f9de823220d1ded62de7af2

SHA1
585f3d0ebcb16106e3dcb739b046b2827054f2b0

SHA256
85438cc2006b0798eb8f8354b961e5c9bf66ebadd6832fc249dedbf9f6bb58dd

SHA512
a8badde1928a208d249c40090a740a0c17eb00babdb2e6c5a0f0e331a802ea3d4282e58b58b67609f6f9e617c4951683ab31a90242180c79ab6cc2454cf0ab49

Download Submit
C:\Program Files (x86)\USB Safely Remove\DeviceImages\Flash drive (gray).ico

Filesize
14KB

MD5
e1aa54e5c1246f7c77d442ce9d2a3fbe

SHA1
66bf30b1bb9a36c9cb7d80a11186b0ec801578fc

SHA256
323ac0e37c307092722747e24ce8ec08854a5a8be2c6a8f615dbdd488c9a97fe

SHA512
4ac12356e4b9cdb2428c477fe901d503701e76e9783974feadaab2425732043bed74f3b48a9a8d3fd3468bf86071e72e17e8eb72fcf3f74f8602ef1527915aa4

Download Submit
C:\Program Files (x86)\USB Safely Remove\DeviceImages\Flash drive (green).ico

Filesize
14KB

MD5
ecb108ea887db3e8790aadc588b5258a

SHA1
3d13f3139478a31d81444beaf0f514d97fa36872

SHA256
415acc89cafdf4dff3ea4b9ea637727ae1146661ad5c1101a9f7405a28904cb0

SHA512
e471a7c73fa26becebd10651aa0b8c48dd2030f593359151c7fd3cec7c85c0262bbda4226d674316b49768d8f48a45e952b4f8c5fd654634dd9a45f90cbe6586

Download Submit
C:\Program Files (x86)\USB Safely Remove\DeviceImages\Flash drive (light).ico

Filesize
14KB

MD5
72e092ec1bf538e885b56fe6b81929c3

SHA1
ec0889b811520a63492ba9deed786f9f0e775e50

SHA256
0c299e7246277b78d276cf056469ccf251191c9ea83ac5a02a4fd82725277faa

SHA512
b848bb913535c2f13147dbb25e943decdba90082fd7b0801b8721d5dca4d8783b106b18397e43f1e18c1c291c75bf8c8f15830d920114064dfc898559eaa7bf9

Download Submit
C:\Program Files (x86)\USB Safely Remove\DeviceImages\Flash drive (orange).ico

Filesize
14KB

MD5
50feaa801c46c05a997b7376af179ac7

SHA1
00813e7d686395ae6675f11b7c8e7998fde61692

SHA256
1d02cf68ad357a73211d3c72393f1421b89f285e0b4be7e0750cf42d50e5aafb

SHA512
72c02291029ada78b536f798441ed8fdf19b0f742e88f41f573fd2c0b6f10aacd5069e4f2786a2b5664d96701a8f6092cb688ebf7f763e98b81414e59b00db67

Download Submit
C:\Program Files (x86)\USB Safely Remove\DeviceImages\Flash drive (pink).ico

Filesize
14KB

MD5
948b20791df5fa8dd1bdfbb572e46b1a

SHA1
c06c80d4f13c2834beaaee04361f9082508b469b

SHA256
eadd7f6bc42ab2cfb3a9ac73dd263ed5c2834328db84bd9a945c6dda0bab0e12

SHA512
8283fadd4926a28a203e378f081db217ae7c086b30544219620f23422abd3abae53f7e20fe56f7571cfdd3c7a08e924016af960a2ce1d346a3f1eec216117438

Download Submit
C:\Program Files (x86)\USB Safely Remove\DeviceImages\Flash drive (white).ico

Filesize
14KB

MD5
08976812254b51f953491c5183d19ab6

SHA1
3ff0accdb0b92215a4f7d349aef039f7f14becc0

SHA256
497a717be4b3a4b54bdbbaea54e712a8b457befbf2cc21bc376ec3723d74b048

SHA512
bf7512d7e427f189669196d2d899782f7072f9ac6e7b64613e36e9daee2cdb697983d7fe3839e6d823af36a8d2e16e9595cc9e228625b71bfdabbe08b01eee84

Download Submit
C:\Program Files (x86)\USB Safely Remove\DeviceImages\Flash drive (wine).ico

Filesize
14KB

MD5
0dfa91b95cb5eddec024d2c6dd656639

SHA1
86758a7a7d0f7e874003cdd752b8bd8ff0f10033

SHA256
9882ea50eb592bff8f2f08f5842ede89425b864ef37b13d416a93a10db10abc0

SHA512
ba7ebdd84798af92d151c797d2f8c92e6591ecba00317197845c79612bb05d2092fcf689bda1029008a5d13aade48687a8548cc6b0e1bf75c3db528c152658d9

Download Submit
C:\Program Files (x86)\USB Safely Remove\DeviceImages\Flash drive 2 (black).ico

Filesize
14KB

MD5
70eab98c4ea1b02af844fe3a12c6c1d3

SHA1
6ca617f2d723b915bc82df6110e54912b487dac2

SHA256
e64855729722f3697ced9dc2af05aaaedf99478c3898054fe84e6d0ad1f38665

SHA512
b829dd23cd5f4e457dd6cef91d8627d734cf8a4f4de63392b91d49bd07ec1d7a7efbc819f85eed2f759d351d861f65a729831c4124975c4bd9702ef46bb24bbf

Download Submit
C:\Program Files (x86)\USB Safely Remove\DeviceImages\Flash drive 2 (gray).ico

Filesize
14KB

MD5
4f8115f59df723e9d29a28fcd9accafa

SHA1
3ea8061b819c4a805f23b1f0ec08ad4037b5d1c9

SHA256
039905be11dcbfe614d5bd174dc6a1d14b8975b76abb62316edf50b10d284036

SHA512
89f69343fac0597b4d7bb4b099a1cc0e3055cbfaffc69d5712b71e1a67a15caf96cd8fffc2acb4e06ab76797c31498e51a5eaca2bdf8026f95a7ed3fbddd4ccc

Download Submit
C:\Program Files (x86)\USB Safely Remove\DeviceImages\Flash drive 2 (green).ico

Filesize
14KB

MD5
d5ad6199946e25974f83f00ab0e931c0

SHA1
aeba53f6800c6c48126dc8abad6f7a0dee1d6683

SHA256
211584350492c3070cb5b2285dd6db32fec078411ddfc3d6df2d3313059185e1

SHA512
a0da9817dcb36f3bc4442189cc29c98006ea99559a62545afe7c03651cc34cea1e14ad8fb4478a2e4adafca3a36f39f3089d767842176ddb4115657f0d709664

Download Submit
C:\Program Files (x86)\USB Safely Remove\DeviceImages\Flash drive 2 (light).ico

Filesize
14KB

MD5
ccdf21caab0239b90b7c87b91de799fb

SHA1
ddf6842cd9b6305ba302960cc7dc8c34c74641ba

SHA256
8a2232e49718e8b053dd14c6f9b6513e23b4eb3dff95e42c8cb75e7a26eeb516

SHA512
051458ce112f8eb87a17638c45ea35f031ec1fbe63f6518c294a36c75d30e7a1c9d4383e6b610cc2130596ee7f7e553a0b49b89d0202e0be8a7b6a6ebaf21458

Download Submit
C:\Program Files (x86)\USB Safely Remove\DeviceImages\Flash drive 2 (pink).ico

Filesize
14KB

MD5
46c40ff6f4bd766e5963d7b7df3e9278

SHA1
a605a3f02b7b18ff2fa010830d9f58732572241d

SHA256
0d09bda4195fb054d80cca03593dbd9d8b4c4fc76f16b534e5b7ce8e4e1955f7

SHA512
32b8f1de58c726dfc8874234dbbf2e03f8e9bf23eafd7f1f2d78f8afe16e91b0145f43995e93286585744c07b0d91508d36bdcbf1cd695908d2a4b740d5b9d0e

Download Submit
C:\Program Files (x86)\USB Safely Remove\DeviceImages\Flash drive 2 (wine).ico

Filesize
14KB

MD5
65e6fdf83bc515b850c92f588f15c9ed

SHA1
2ec71475cc8d28fd38c7d89b707bf0a6ec5ef8ef

SHA256
ff3bb04770f75d0fb0f4b99aebbb11731131dcf28de248f0a401c241f3bfce55

SHA512
eba92d61dd073d0c7c93976a0cf5a0384edfb4cc53fb199535075bb31c737dd34a42932b33fea984fddad93f9530228444add1d9abe93cab03ca6e1bf4b148bf

Download Submit
C:\Program Files (x86)\USB Safely Remove\DeviceImages\Flash drive 2.ico

Filesize
14KB

MD5
0345dc804b3b19669c72e8a823b42ea7

SHA1
8647ac60a81df7cd9faa5b4d1c92c1384c530f33

SHA256
d7dd3cbe4abd807695ab3b659eeec2e3153acaba8ad91ac80936b886d8232b31

SHA512
2e210221beeb362375b642ce96679b7a8576718ba5c43efef5e72fd1af57bbad5b04edb6ab4eea8fb8b7fc287b720b502b164c6bbb543f9e236f3ec2a86c68e8

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win10 Light\colorscheme.ini

Filesize
3KB

MD5
5d595ed10e9c75906409c2160165595a

SHA1
90d7d4915a2eb1a23c2d62a78b68b9fe4eb852bc

SHA256
bba9c312f40974cffa558b203bb79db54ac2eb9346dc51e543eb2c356ea041f6

SHA512
f0bf78b01081d5cc8f93ab9d2cf559126feba849c1525036498f7d6643f5ba08f5e379b711d60307ff619b99a4f22727618d68b238c86d659e72d319b627ee5a

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win10 Light\options_active.png

Filesize
547B

MD5
783d2c20a123484108768b38262ac542

SHA1
ec7f37bd12479c3b65738c7bcd41bcea0a707b6c

SHA256
85cd3536e588938bc22ea9c684abbdba30352aee3cc83d047f478fd1d55ccaaf

SHA512
f09e32c9158be09502dcecab71525faf3437af609af43f17b3c85b598e0da0a5cb72cb86687fa2a9c44bdec52a79a9c59242c3246a6403550342bc4c37e40b02

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win10 Light\options_passive.png

Filesize
541B

MD5
ad62326b17f5c2b80fcb5d3ad5021af6

SHA1
f6ed4cd6e0f7767dc49795023e62fc7b0a83c1a4

SHA256
c57a3138a6fab85bb83e18940da7666c0fb0aa04658d0e8d1ae483b2ac8434bb

SHA512
89b0c83d4a93ea27681fbf4712f47fb09d8b4713a18bd34459bc7e8fccc6550806cc24ab82ee8795751d61220120d4d6f6fa07958d4a06e190b5b2c7ba7ecb2f

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win10 Light\reg_key_active.png

Filesize
664B

MD5
bdcfeaba23ad4a5ef5151c0f5cb6b778

SHA1
9bd1cccfb28a4037bb310d4d9a2eb7261598a45e

SHA256
0f758e638d4e82a5dd7b9b34cb76b9d997f58dc6b8f6f4a4ff53a820bc65ee81

SHA512
54d87240b366afbc25ad53d55bcbab536f683d73038b510d7d45a9d439cad2d9eee58f77dea6a300917790c708270ed9dd740106f112d5b72faf793c939c32c3

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win10 Light\reg_key_passive.png

Filesize
658B

MD5
383f85d38d5a58dad9088b61885606f0

SHA1
a898a1e142cc65ea2d55bc556e01f01c36890122

SHA256
683ffa5603e0b728e7df0dfe6393ca941195af5ec068f06e1cd334ed04e7bac6

SHA512
4188548130023396b8298529c2474e70af764ccaf9e2ef5ecb315b13cba0ff5cb520d127d692d7746fcbe900e8fb88b7928641d07fee78438a478f21c1e8e5e8

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\browse_drive_active.png

Filesize
813B

MD5
bc40f57acd72978e63afdbabb487f221

SHA1
83b158ed9b30e5e315479ee83cf30e49aa78c8a2

SHA256
f9e597244e788a5aea1873b2bb7cd79437ccddb273a5a054c857966f9e1c16e3

SHA512
ec26a5e03de0542aab2192b51c16ea74f7273f1e5e6406a168c603b3b95108ff20b503aef46f1b67eed42aa899c52ec210daefe5600e6e1f57112d9a5337d615

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\browse_drive_passive.png

Filesize
798B

MD5
99e3b3c9f68638e0b3d5f59014302292

SHA1
18705bcb5a725c132de7116372b4bec4868ee818

SHA256
9403aa71772f7115559b51096319afcb4a9500fcd8ebe4ba8a43e9ccff981d94

SHA512
72bacaef549aeba9bcdb71a7d196214ef4bb1d472656f130b81dfec8e121dd7dfb17f45f4f898794777dfb5fe10b53e129423e6da718beec15df0ad3ec448929

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\close_balloon_active.png

Filesize
199B

MD5
c520f40ecf70482affc2ff7482a4d338

SHA1
8754a3ad0cfa56d975d891723c4880889290638f

SHA256
2e2506d93eee24232102cf6c36fafa3348b19863abdddffd82556522fd001dc0

SHA512
b19732885b7e2c70a879c924c3c537135736544e121c052ab8fa11d96c9462bc4db4d82c1eef3c57e4237227655eb1bc5ec36fabc9b3baff24b9131975e2b512

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\close_balloon_passive.png

Filesize
152B

MD5
9447b8b41036f708d18ef687cd0e78c8

SHA1
d09710c7002098ca035a1a0388b3c801c815c601

SHA256
f4edb0d33fc08461668bd021e98e28783250627d44065ba2f2c10d38d21d8947

SHA512
07fe803c6bf03c3825fad65bfdc25553237608b01834326a715b2ebc19e9dc48ebcd757521558c9fab6374c7b640fd9ca28b1deee469f1f325da433039a41a19

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\close_hidden_device_list_active.png

Filesize
293B

MD5
a6ce654d2b12f561f75c54f2427aca8c

SHA1
e903475510a48476167a0bbbd2518607dedaaf10

SHA256
e7617d22a7d8f43c95f925dceb6f71645c33183dafdfb1eaf2bd304d79777779

SHA512
7473be89f8820acd206b222632b7eb4ed2025c131a93ff56dda51753bb38abde3ca65bef2ea7c09416ad4e727f6b352832ce2add45374141874f1763b245ad38

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\close_hidden_device_list_passive.png

Filesize
293B

MD5
be5a40eb51bc1f9ce723aa12e16ee3dd

SHA1
2de8d78d054a780314b7ca9053c27eb0d5164346

SHA256
09045774d959787ae0aadf5b80cca47496061c1cfc355b456a864a6819ff6a5b

SHA512
1b7f52a7f40539c531c5523ac434752d45462f113710a9a8560f28f19cf5188441e272adb1b625f546c905a1d56428f294bb3dd28acde0711f68031383e4d615

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\close_info_active.png

Filesize
337B

MD5
d25b49d02a0edde84e4b74bde62d4c8b

SHA1
03175b65fb583077840a5223acb98fef143489fd

SHA256
9d39b7bdfeae3a35e736a040bdd24f9def62ec6558aaf366835341e00f7e7706

SHA512
e945889ba6f983042e799ce2da0fc5b7a7667ac7e4cc810f0f100e2211cfa60a53eb13b299d361339d6b9f0863c495f546b2816d8f3c814b3521f08dd629ffdf

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\close_info_passive.png

Filesize
338B

MD5
47a2009248f85d16fc54e735d470f5db

SHA1
865be2621de819d6c993eebf5183f7b216bc15fe

SHA256
7d20ef80337213d001b9d285278ecf4c4cad7f8b7d57bbfe5570b837d4793a08

SHA512
556fcd9784921df9ffa6e0af8b41566baa0ae4b53f020c743e17bae69c1a7a761c493f8cf25613890602981bb7d57ec4629c00e602c8a4e878784fe2c8c2bd8f

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\close_menu_active.png

Filesize
432B

MD5
e8af0ee2c8ef06bea332fe1295542212

SHA1
f5b62602b28e85d11527a522ab3866e485e02e72

SHA256
03a863513d12d7e3fe88f262e3003bfa8b68b2649848dcb6d42c588c2f7c4d71

SHA512
716e65c2a3bc7d44655f6ec6b3c99886a75fd433a8c67dcd79de7a0736d6eeb4f0fbbd67868e203c5635fcde7e447c871ca3fa14b2169b500b0220958160e30e

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\close_menu_passive.png

Filesize
420B

MD5
d7ec502cce72c048d1da01b5ee996e35

SHA1
eaf1455b0e1de495721ba38814d23d813b48cf1f

SHA256
e13b592ac3ab1f17bd565a85686f7dc61a39e403f185953cad9da87edb0a83e3

SHA512
dd5ee11495ac58e738e420aefecf67eb1ae5cca7bd4761dfc8c6f54323db98914f0d295d93b8738034534f1241a8edb6d945217fa80948d927518aff25cbc2de

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\drive.png

Filesize
281B

MD5
752b7415b2c1ff6e3a3f51530a116fa4

SHA1
f0fc265e112fcf31344de6f89a9db3c9189b3a44

SHA256
d4bd68b19fb81435c402284555a78494e85ea631fb7e2748c7baae3d4a4773ac

SHA512
c6595b751583dbff743a8bbd743878dd820b4e64c064c076477bd06b421c2057b74a7c59daabad8cfb4c617738d9cc3da6d79ce5b351cf525e0d2889167c95b5

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\eject_drive_active.png

Filesize
563B

MD5
de94905af36d5d2484f3f10e7e98e552

SHA1
80a939fd1f0680b52e4283bd81b21aeadd0107eb

SHA256
4e5be26467dfdf10ec4be770162aab6bfd007c910118d014c05a9f5b066f2bcf

SHA512
e43436d5cdbd4bffc501e3cd36bf958565c1ada23904b2d4d2500910d738bcefacc7aa1aaec0e0c08aed4b2a29681cae1f1a5a480ba725d82c6f911ccdce7373

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\eject_drive_passive.png

Filesize
561B

MD5
dc0160cd721d69659d0be7983ca56996

SHA1
8da54e1052f0bb170482a20a2d4357aef4e5346e

SHA256
e33d56ede1342e7ec167cbb668ae525d7e35572542d26a1fca519ee32a614c06

SHA512
ccf3699d49ad6a7b54d60d62703b8f002d78d76f39095169f6a9417ede691166adccebe6ee0457d3fd09033a2d95ca6bd78091bc05d15e456e0a083d671ddd2d

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\fixed_letter_sign.png

Filesize
245B

MD5
dfd69e4f322f21a167b1c2ac37ccafee

SHA1
dcd20fe38934fe661df31d7254e1b6cb1e092e4e

SHA256
87d41fa7555f6302ca353bc0132d5d1fe003cfd1d4348818809aeb4623511f58

SHA512
33968034d2c463669e25db73eb73495e843adc73fb8f25a05d790f683324a53314472c571236e280b449b7b602cc7334751be0167281917b34b2cde931e3a0c6

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\hot_key.png

Filesize
210B

MD5
23cb4fa7684ebd9f091ce14ee4aec414

SHA1
03e20bff36591021d2868c39785373338cb3343f

SHA256
5d5ede3b062e97cbfb8c748b57aa6a97a925fd2b7512b96899a2296199bb59be

SHA512
48dc89e8028467e41abbefd7eaf40dc439d6ed6daa694b2fe92e3288e4f039b48f054b6243b5864b4cde3eaf52360202b135f43eddc542c4f7e698d48ec7223f

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\open_hidden_device_list_active.png

Filesize
277B

MD5
479c2f0cc00c8971f9cd61af6cefdd06

SHA1
286d822cb4174e1598f6598d5e54d6f7ea4d9bba

SHA256
efc63591175698ab7b424fc2931ac944dcbfd96d4af9f783a46b5dd77a5e9c40

SHA512
a5b3c6883516242bfc8b8786c2c1a5506b177d88edc97dcfbe125ebc03811755f14392c336b99f48c9d4d1fb35f6279140e95844f577bfcea1986b31d2b00c51

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\open_hidden_device_list_passive.png

Filesize
277B

MD5
605cb066edfef9d733f43b91c3434a1a

SHA1
3f2dcfb98f7796ee8b0c98286197a6466441f761

SHA256
ac4e969d5790f4dec411c6f7d15e7b597007ae4dbeef1b7a79ff8b7ad26726de

SHA512
e09ea5b3b5b2f5c47b0eae4c3405cfea27f1babf300bae434336b8bd6e61e9d488ec433792b1d3ee8cfab8c070b49a140c5e77cfd8a59e65357ff1f380ad4b3f

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\return_drive_active.png

Filesize
484B

MD5
e480bcde952da291c51b9c34c186a24e

SHA1
02d6f5c5638ab5ff7c6d3b1baeae6324e79da06d

SHA256
13473eb56552d81e1c6c8853140ca5a6c1c6e6e43ca8af722dbadc0d3bb05e91

SHA512
e4e50e76c145d3761af9c3b381424081a52b8e30fa90a94645358a65e2b78b6135358e1255db6dc0c561aa11d496696d40179a5ebca0146f2d4602a4fe4f3342

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\return_drive_passive.png

Filesize
482B

MD5
2944091a36a3acf9995fd9938c41854f

SHA1
2220b85cffba5dfeb5c9761d27064f98fb657c82

SHA256
5bec7005d65e76564b1abbfe3a224504d40337cf908f73dbcd6c88afed16b07d

SHA512
81e96fbc40acb49ecd33bd8c9aa9e871c0345c2e44bb008ca7bbeb6af3ad16daf92760f2afc6e98070ef57f1de8f06c2dc1c7318d20604cefdd457e00bffab2f

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\stop_all_active.png

Filesize
397B

MD5
479a8b7b280bc0bef2fd818d100beb40

SHA1
61b2752a80fbc659b5c934bcfa430a53b8e0d3fe

SHA256
a78cea4bfb81a3f3c18e6718f5df31820288789f75398aecf8f044863bfb07e7

SHA512
773b41df7a36fbe1c731ee29352561e43cdd27f9ac391cb82e96ae6b5a12d30b114794788295404e288f7d1d5c9103f436c876231e43536ca0b7104a09771b24

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\stop_all_interrupt_active.png

Filesize
404B

MD5
81a04297d1cb71502fcd43674e9d4df9

SHA1
d80d35dae1c99e908889f90551eff1ad98c8170e

SHA256
fbb413f2a787b6a55fc4f950dde1b08ab013f0ef2d8afd1c99bfcbe61ff44c29

SHA512
35d937f5f608591210840cfe04e8b4770d9e02179fa5cb1e2e8893f1fc19c9e81a05320737d6a3e67b47d35dc9c6f6e571531467ef3bdef669738b78b8de3a31

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\stop_all_interrupt_passive.png

Filesize
404B

MD5
48d69533e6adb2dd910745b0445c5131

SHA1
6abab35c9484d6cff5754d2ebee26fcd237f89b6

SHA256
8c789bb8e2003db1a0782c8f67cfdf5eec48d7e3fd2502c12b0f9ea6fdb7414f

SHA512
5f13dc84d4862d68bbf77b5a87175dce6d9467fba27364315a5f52d2344bcab618f5ecb95d40400b42cc5aa03486ad37eeeb7b4851f239e5c1a874a39c9e3fa8

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\stop_all_passive.png

Filesize
396B

MD5
f2e2493d956d66c7a55a16c74090d7e8

SHA1
5f06aa88457fee102c2d5bba350b32477f50f213

SHA256
a279b0a0c65f515d12a67b96f748b2e525444410284918f19df3bf765f09ac76

SHA512
7c3a57d9267b9dfa6309faa35b9cf8275552f2b13f5b9bdcc9e04b90656de2f82866cf5bbdcf88bea1347a4de6a955277021f6559f9725517410751b402fd4d7

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\update_hardware_active.png

Filesize
432B

MD5
af024f63e569a2e2829de9db22b534ef

SHA1
1bbd4b0b4226baa3827faa1f495e847dd52a527c

SHA256
1a21731c792fb40ef8156027bf0814721f69874d31606261161640d157ba4956

SHA512
2b7a03d71a635bbd071b21f9c39dc3fc4049adf40fa42f26788c6084bf33c6a352d11a130ae8b4cb112b9f255ce443465601cd3fac52d7ac08cb260c90d399a7

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\update_hardware_passive.png

Filesize
431B

MD5
c2661f9d0441468c6712a681b1dd20da

SHA1
e8282572089ddfd429c34f45ed8ac1d824862bdf

SHA256
712a3e7b9a1ed7f2bd291c48ef81d86682b1cd02660397c36ef7ec98efc1efec

SHA512
5e341f157d481e59af4a8fb48ef8f9425ca36b812acc8b94eb131c8e22fa60b7dfabb4474892ec71b5080aa38b269e9c5d89336db59831a71e04639104f2270c

Download Submit
C:\Program Files (x86)\USB Safely Remove\Skins\Win8ModernUI\warning_letter_sign.png

Filesize
214B

MD5
6e15151a9fc357dc002af1497a4758bf

SHA1
b96c90511bb41bd224f1382f41d95ea45aaa7359

SHA256
1e9cda0789fcbd982ffbad717051dec0f607c7e4f3f557d7e9feccc4c0e2bad7

SHA512
83e6c144ff7904602db0b5735528a8f563de97802b067da32c329afc29814f4e17178fb01717d8e7a11d206a576d19ef817b60f1c96c5d4b458764d5544b08c7

Download Submit
C:\Program Files (x86)\USB Safely Remove\USBSRService.exe

Filesize
1.3MB

MD5
2b3b8334a4dc877cd47c7c707e62c549

SHA1
2db740c86552fa87741bc29822a3c53271d58678

SHA256
79a82e6d16175d903d91f2f14608a9408253ed683464e227b5e9f3fa26eea7f0

SHA512
658252fed46d77e60e2a8745f71c005c013934f076d81958582bd3397c64be952004ae74edd866665dbbee2b239c9922d9996f5288426867c4590977885d9703

Download Submit
C:\Program Files (x86)\USB Safely Remove\USBSafelyRemove.exe

Filesize
6.3MB

MD5
2b2a927133ac67371281e1f51793bc4e

SHA1
a1a6b0cb59f4a5621774ebf6e899575127d394ef

SHA256
a5ba661d89492b11b8c9a8b6a0022da3f03943037b4a982aef736a9bed428a48

SHA512
663a8533e277c365d44611b35d23d152c386e1d6cf4f3d9da6d944c300bebff3973beffa07cf7320387d7c9b3721993c23793437006c555a91f387e47588c65e

Download Submit
C:\ProgramData\USBSRService\USBSRService.log.txt

Filesize
1KB

MD5
c4a593310cbae26218261d4d0c3d01ff

SHA1
3f7c4923b5580d81941c3c99aae961ad3c2789f2

SHA256
3983f044247be5f3ca671cb330fb3dc527ec50b2a63a576db7e6a3cf096b3494

SHA512
6eb2c205f2af2bde9517200bf81e93edf871a559954d5451c8a67bf1bfe883f127c48ae56b7fcb8c4bfac9ca87203dd24e7ff5649c5b211384fa2121b9c4f8e5

Download Submit
C:\ProgramData\USBSRService\USBSRService.log.txt

Filesize
1KB

MD5
0f336351bbc1855a216c359dcd45bb9a

SHA1
ee0495c4cfe8fc3d85376d93c07ff97352a85519

SHA256
dff63350f43d3ba7726201adb0f2a5aae6a6433eced2608fb9a331905c4d40ab

SHA512
2394e7ace08c25add4e1dd7f855151582fe20b7db6d0ad092ced3fee1b8805b81de71b27233694332a64ca50845b4d17e7b35713a2d420f732f494c1e2b66573

Download Submit
C:\ProgramData\USBSRService\USBSRService.log.txt

Filesize
2KB

MD5
1ad3ec20f05ef12f546ab726d2b9d1ad

SHA1
c365fc27800d2cd4c8355601ff91b7e51446d7b8

SHA256
0759448f01cdbc5c4351f41000ae474fe8e5fa0c4f00dc4152146ab23fc4f401

SHA512
5d3974e32c2abfdbeb85520b9481ec951be96157baea22dec7cb0255643a2c2bc8d5980293de1477e52669076bb004867d44714e8010ec907542db5cbeb101c2

Download Submit
C:\ProgramData\USBSRService\USBSRService.log.txt

Filesize
3KB

MD5
c1439f2636418d22266ee56241baf28f

SHA1
d480a8b3a22132f75a4a194c2037c1d8ebea68d0

SHA256
adafb18d7ff103959a0092fc32bcfae254781e57e73ca5b528b0d26cb6f73fb7

SHA512
6d03fb9e3876e84f73b6ebacafc0a60ed74b9b3d8213e24c3ec681ff0ab4114eed50368402fd3439ba8b390380eeb382ee1b7b8c09c5c040e55e775edb85750d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ON47O.tmp\usbsafelyremovesetup_7-0-5.tmp

Filesize
1.2MB

MD5
ad51a2fa0d4e495c95fa4d9be19418b0

SHA1
4cb1cea0520bcab777464edf9ff4ad30d144c82e

SHA256
b22f23cd7ffb5e8d9d2430d837c7a00ea09d6fbd8604c9938c13fc535862cfb4

SHA512
abfc97293c1762c2081153bdd0cde640936df841d033e1badf7999fb2bd694778990a6f648451defcc61d8a7bab5efeee48f6d328dfb695990c70fb57232e8dd

Download Submit
memory/1068-685-0x0000000000400000-0x0000000000A74000-memory.dmp

Filesize
6.5MB

Download
memory/1436-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1436-657-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1436-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/1436-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2284-564-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/3460-16-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/3460-6-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/3460-10-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/3460-656-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/3460-12-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/3460-14-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/3460-499-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/3876-666-0x0000000000400000-0x0000000000A74000-memory.dmp

Filesize
6.5MB

Download
memory/4068-680-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads