6997d3ef9707fd9b38ca14ae785c5eff641a909d29a1777fe9d18df8ae2dcb7a

Resubmissions

09-08-2024 07:51

240809-jp7zjayajn 10

09-08-2024 07:46

240809-jl755asalb 7

Analysis

max time kernel
152s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2024 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WPS Office_12.1.1.exe
Size

350.9MB
MD5

18ffc2a9a2e45db4188a8ec632e8ac9b
SHA1

57998f5f51796f2e225abd50bc6c94c8023649de
SHA256

6997d3ef9707fd9b38ca14ae785c5eff641a909d29a1777fe9d18df8ae2dcb7a
SHA512

de2b83eb8599bc45c911fce457cb38b9049b3077c05290530649f58d413c699a1e51f2cdc17f4da9b6ae4d3b30cf7b15d8716de6b5dce2af6a7ef6fa5159e11b
SSDEEP

6291456:y43ehrvHTVOE1n6nSXfhO2d8nPkWvGmGeSIgAaeavINP8pIDzC97TJ42Vh1ovNET:+hrvHTV56ahO2d8nPpemeXv+UqC9fJ4a

Score

10^/10

discovery evasion trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	MsiExec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WPS Office_12.1.1.exe

Executes dropped EXE 4 IoCs

pid	Process
3188	16a9484afbf27fbeSNP.exe
2272	16a9484afbf27fbeSNP.exe
4824	16a9484afbf27fbeSNP.exe
960	Bor32-update-flase.exe

Loads dropped DLL 42 IoCs

pid	Process
2248	WPS Office_12.1.1.exe
404	MsiExec.exe
404	MsiExec.exe
404	MsiExec.exe
404	MsiExec.exe
404	MsiExec.exe
404	MsiExec.exe
404	MsiExec.exe
404	MsiExec.exe
404	MsiExec.exe
404	MsiExec.exe
404	MsiExec.exe
404	MsiExec.exe
404	MsiExec.exe
404	MsiExec.exe
404	MsiExec.exe
404	MsiExec.exe
4928	MsiExec.exe
4928	MsiExec.exe
4928	MsiExec.exe
4928	MsiExec.exe
4928	MsiExec.exe
4928	MsiExec.exe
4928	MsiExec.exe
4928	MsiExec.exe
4928	MsiExec.exe
4928	MsiExec.exe
3188	16a9484afbf27fbeSNP.exe
2272	16a9484afbf27fbeSNP.exe
4824	16a9484afbf27fbeSNP.exe
404	MsiExec.exe
404	MsiExec.exe
960	Bor32-update-flase.exe
960	Bor32-update-flase.exe
960	Bor32-update-flase.exe
960	Bor32-update-flase.exe
960	Bor32-update-flase.exe
960	Bor32-update-flase.exe
960	Bor32-update-flase.exe
960	Bor32-update-flase.exe
960	Bor32-update-flase.exe
960	Bor32-update-flase.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/960-1040-0x0000000010000000-0x0000000010021000-memory.dmp	upx

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	WPS Office_12.1.1.exe
File opened (read-only)	\??\V:	WPS Office_12.1.1.exe
File opened (read-only)	\??\P:	WPS Office_12.1.1.exe
File opened (read-only)	\??\O:	WPS Office_12.1.1.exe
File opened (read-only)	\??\R:	WPS Office_12.1.1.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	WPS Office_12.1.1.exe
File opened (read-only)	\??\H:	WPS Office_12.1.1.exe
File opened (read-only)	\??\U:	WPS Office_12.1.1.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\T:	WPS Office_12.1.1.exe
File opened (read-only)	\??\U:	WPS Office_12.1.1.exe
File opened (read-only)	\??\P:	WPS Office_12.1.1.exe
File opened (read-only)	\??\T:	WPS Office_12.1.1.exe
File opened (read-only)	\??\X:	WPS Office_12.1.1.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	WPS Office_12.1.1.exe
File opened (read-only)	\??\H:	WPS Office_12.1.1.exe
File opened (read-only)	\??\K:	WPS Office_12.1.1.exe
File opened (read-only)	\??\W:	WPS Office_12.1.1.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	WPS Office_12.1.1.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	WPS Office_12.1.1.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	WPS Office_12.1.1.exe
File opened (read-only)	\??\B:	WPS Office_12.1.1.exe
File opened (read-only)	\??\S:	WPS Office_12.1.1.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	WPS Office_12.1.1.exe
File opened (read-only)	\??\E:	WPS Office_12.1.1.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	WPS Office_12.1.1.exe
File opened (read-only)	\??\L:	WPS Office_12.1.1.exe
File opened (read-only)	\??\W:	WPS Office_12.1.1.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	WPS Office_12.1.1.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	WPS Office_12.1.1.exe
File opened (read-only)	\??\O:	WPS Office_12.1.1.exe
File opened (read-only)	\??\S:	WPS Office_12.1.1.exe
File opened (read-only)	\??\A:	WPS Office_12.1.1.exe
File opened (read-only)	\??\G:	WPS Office_12.1.1.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	WPS Office_12.1.1.exe
File opened (read-only)	\??\Z:	WPS Office_12.1.1.exe
File opened (read-only)	\??\N:	WPS Office_12.1.1.exe
File opened (read-only)	\??\Y:	WPS Office_12.1.1.exe
File opened (read-only)	\??\Q:	WPS Office_12.1.1.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	WPS Office_12.1.1.exe
File opened (read-only)	\??\L:	WPS Office_12.1.1.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	WPS Office_12.1.1.exe
File opened (read-only)	\??\Z:	WPS Office_12.1.1.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\CleanSoftEngSpeedupOpt.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\CleanUtils.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\fixsc.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\jcloudscan.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\BaseExamine.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\CrashReport.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\postproc-55.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\AdHelper.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\ChkDrvErr.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\CleanPackageEng.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\fixsc64.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\16a9484afbf27fbeSNP.exe	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\7zWrapper.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\HotfixCommon64.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\iNetSafe.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\7z.dll	MsiExec.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\AntiRK.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\appd.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\AsyncWorkFlow.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\disproc.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\DSFScan.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\icuuc72.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\ieplus.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\hipslog.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\16a9484afbf27fbeSNP.exe	MsiExec.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\CheckAutorun2.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\CQhCltHttpW.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\imhelper.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\EfiProc.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\HackPatch.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\libheif.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\CloudEngine.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\CombineExt.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\ExplorerExt.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\FileDef.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\b7bf77271045.QJU	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\7zz.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\bfsandreg64.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\BrowserFix.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\idm_info.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\AppcenterData.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\AVEngine.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\download.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\icuin72.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\idm_backup.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\CleanSoftEng.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\DsArk.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\EPSVHRule.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\Gme.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\cloudcom2.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\ComputerZS1.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\AVEI.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\common_ver.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\cqhclthttpw64.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\drvutility.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\AntiTrack64.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\ExtBhoIEToSe.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\idm_813.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\idm_app.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\ieplus64.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\QKFJSGCGWGRQ	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\avescan.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\GmeApi.dll	WPS Office_12.1.1.exe
File created	C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\idm_datamgr.dll	WPS Office_12.1.1.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI38EF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI395E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3A88.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4160.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4D2A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e583757.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI37C4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4102.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{11211529-97EE-4459-ADE7-60B67B3EFC20}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4682.tmp	msiexec.exe
File created	C:\Windows\Installer\e583757.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3862.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI397E.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16a9484afbf27fbeSNP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bor32-update-flase.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WPS Office_12.1.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WPS Office_12.1.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16a9484afbf27fbeSNP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16a9484afbf27fbeSNP.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a54fc9f1d525247c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a54fc9f10000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a54fc9f1000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da54fc9f1000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a54fc9f100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
404	MsiExec.exe
404	MsiExec.exe
404	MsiExec.exe
404	MsiExec.exe
1048	msiexec.exe
1048	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1048	msiexec.exe
Token: SeCreateTokenPrivilege	2248	WPS Office_12.1.1.exe
Token: SeAssignPrimaryTokenPrivilege	2248	WPS Office_12.1.1.exe
Token: SeLockMemoryPrivilege	2248	WPS Office_12.1.1.exe
Token: SeIncreaseQuotaPrivilege	2248	WPS Office_12.1.1.exe
Token: SeMachineAccountPrivilege	2248	WPS Office_12.1.1.exe
Token: SeTcbPrivilege	2248	WPS Office_12.1.1.exe
Token: SeSecurityPrivilege	2248	WPS Office_12.1.1.exe
Token: SeTakeOwnershipPrivilege	2248	WPS Office_12.1.1.exe
Token: SeLoadDriverPrivilege	2248	WPS Office_12.1.1.exe
Token: SeSystemProfilePrivilege	2248	WPS Office_12.1.1.exe
Token: SeSystemtimePrivilege	2248	WPS Office_12.1.1.exe
Token: SeProfSingleProcessPrivilege	2248	WPS Office_12.1.1.exe
Token: SeIncBasePriorityPrivilege	2248	WPS Office_12.1.1.exe
Token: SeCreatePagefilePrivilege	2248	WPS Office_12.1.1.exe
Token: SeCreatePermanentPrivilege	2248	WPS Office_12.1.1.exe
Token: SeBackupPrivilege	2248	WPS Office_12.1.1.exe
Token: SeRestorePrivilege	2248	WPS Office_12.1.1.exe
Token: SeShutdownPrivilege	2248	WPS Office_12.1.1.exe
Token: SeDebugPrivilege	2248	WPS Office_12.1.1.exe
Token: SeAuditPrivilege	2248	WPS Office_12.1.1.exe
Token: SeSystemEnvironmentPrivilege	2248	WPS Office_12.1.1.exe
Token: SeChangeNotifyPrivilege	2248	WPS Office_12.1.1.exe
Token: SeRemoteShutdownPrivilege	2248	WPS Office_12.1.1.exe
Token: SeUndockPrivilege	2248	WPS Office_12.1.1.exe
Token: SeSyncAgentPrivilege	2248	WPS Office_12.1.1.exe
Token: SeEnableDelegationPrivilege	2248	WPS Office_12.1.1.exe
Token: SeManageVolumePrivilege	2248	WPS Office_12.1.1.exe
Token: SeImpersonatePrivilege	2248	WPS Office_12.1.1.exe
Token: SeCreateGlobalPrivilege	2248	WPS Office_12.1.1.exe
Token: SeCreateTokenPrivilege	2248	WPS Office_12.1.1.exe
Token: SeAssignPrimaryTokenPrivilege	2248	WPS Office_12.1.1.exe
Token: SeLockMemoryPrivilege	2248	WPS Office_12.1.1.exe
Token: SeIncreaseQuotaPrivilege	2248	WPS Office_12.1.1.exe
Token: SeMachineAccountPrivilege	2248	WPS Office_12.1.1.exe
Token: SeTcbPrivilege	2248	WPS Office_12.1.1.exe
Token: SeSecurityPrivilege	2248	WPS Office_12.1.1.exe
Token: SeTakeOwnershipPrivilege	2248	WPS Office_12.1.1.exe
Token: SeLoadDriverPrivilege	2248	WPS Office_12.1.1.exe
Token: SeSystemProfilePrivilege	2248	WPS Office_12.1.1.exe
Token: SeSystemtimePrivilege	2248	WPS Office_12.1.1.exe
Token: SeProfSingleProcessPrivilege	2248	WPS Office_12.1.1.exe
Token: SeIncBasePriorityPrivilege	2248	WPS Office_12.1.1.exe
Token: SeCreatePagefilePrivilege	2248	WPS Office_12.1.1.exe
Token: SeCreatePermanentPrivilege	2248	WPS Office_12.1.1.exe
Token: SeBackupPrivilege	2248	WPS Office_12.1.1.exe
Token: SeRestorePrivilege	2248	WPS Office_12.1.1.exe
Token: SeShutdownPrivilege	2248	WPS Office_12.1.1.exe
Token: SeDebugPrivilege	2248	WPS Office_12.1.1.exe
Token: SeAuditPrivilege	2248	WPS Office_12.1.1.exe
Token: SeSystemEnvironmentPrivilege	2248	WPS Office_12.1.1.exe
Token: SeChangeNotifyPrivilege	2248	WPS Office_12.1.1.exe
Token: SeRemoteShutdownPrivilege	2248	WPS Office_12.1.1.exe
Token: SeUndockPrivilege	2248	WPS Office_12.1.1.exe
Token: SeSyncAgentPrivilege	2248	WPS Office_12.1.1.exe
Token: SeEnableDelegationPrivilege	2248	WPS Office_12.1.1.exe
Token: SeManageVolumePrivilege	2248	WPS Office_12.1.1.exe
Token: SeImpersonatePrivilege	2248	WPS Office_12.1.1.exe
Token: SeCreateGlobalPrivilege	2248	WPS Office_12.1.1.exe
Token: SeCreateTokenPrivilege	2248	WPS Office_12.1.1.exe
Token: SeAssignPrimaryTokenPrivilege	2248	WPS Office_12.1.1.exe
Token: SeLockMemoryPrivilege	2248	WPS Office_12.1.1.exe
Token: SeIncreaseQuotaPrivilege	2248	WPS Office_12.1.1.exe
Token: SeMachineAccountPrivilege	2248	WPS Office_12.1.1.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2248	WPS Office_12.1.1.exe
2248	WPS Office_12.1.1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4928	MsiExec.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 404	1048	msiexec.exe	90
PID 1048 wrote to memory of 404	1048	msiexec.exe	90
PID 1048 wrote to memory of 404	1048	msiexec.exe	90
PID 2248 wrote to memory of 3452	2248	WPS Office_12.1.1.exe	93
PID 2248 wrote to memory of 3452	2248	WPS Office_12.1.1.exe	93
PID 2248 wrote to memory of 3452	2248	WPS Office_12.1.1.exe	93
PID 1048 wrote to memory of 3576	1048	msiexec.exe	97
PID 1048 wrote to memory of 3576	1048	msiexec.exe	97
PID 1048 wrote to memory of 4928	1048	msiexec.exe	99
PID 1048 wrote to memory of 4928	1048	msiexec.exe	99
PID 1048 wrote to memory of 4928	1048	msiexec.exe	99
PID 4928 wrote to memory of 3188	4928	MsiExec.exe	100
PID 4928 wrote to memory of 3188	4928	MsiExec.exe	100
PID 4928 wrote to memory of 3188	4928	MsiExec.exe	100
PID 4928 wrote to memory of 2272	4928	MsiExec.exe	103
PID 4928 wrote to memory of 2272	4928	MsiExec.exe	103
PID 4928 wrote to memory of 2272	4928	MsiExec.exe	103
PID 4928 wrote to memory of 4824	4928	MsiExec.exe	105
PID 4928 wrote to memory of 4824	4928	MsiExec.exe	105
PID 4928 wrote to memory of 4824	4928	MsiExec.exe	105

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\WPS Office_12.1.1.exe
"C:\Users\Admin\AppData\Local\Temp\WPS Office_12.1.1.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\WPS Office_12.1.1.exe
  "C:\Users\Admin\AppData\Local\Temp\WPS Office_12.1.1.exe" /i "C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\Clofficewx.msi" AI_EUIMSI=1 APPDIR="C:\Users\Default\Desktop\XlLUOMJXARKC" SECONDSEQUENCE="1" CLIENTPROCESSID="2248" AI_MORE_CMD_LINE=1
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:3452

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8F1B7C5B7121C7D35138CD05DBFEAA72 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:404
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3576
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 584DB6B4256C460D2DFBB0A42972F7F0
  2⤵
  - UAC bypass
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Program Files (x86)\16a9484afbf27fbeSNP.exe
    "C:\Program Files (x86)\16a9484afbf27fbeSNP.exe" x C:\Users\Default\Desktop\XlLUOMJXARKC\b7bf77271045.QJU -o"C:\Users\Admin\AppData\Roaming\0988e0f8e08fae8aKHO" -p65069af6e8c5ea64ISP -aos
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3188
- - C:\Program Files (x86)\16a9484afbf27fbeSNP.exe
    "C:\Program Files (x86)\16a9484afbf27fbeSNP.exe" x C:\Users\Default\Desktop\XlLUOMJXARKC\6be361efdbdf.GUK -oC:\Users\Default\Desktop\XlLUOMJXARKC\ -p871529d1f64dcca0XWU -aos
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2272
- - C:\Program Files (x86)\16a9484afbf27fbeSNP.exe
    "C:\Program Files (x86)\16a9484afbf27fbeSNP.exe" x C:\Users\Default\Desktop\XlLUOMJXARKC\0628aa0174ec.TGL -oC:\Users\Admin\AppData\Roaming\ -p709581aa8e708016UUL -aos
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4824

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1328

C:\Users\Default\Desktop\XlLUOMJXARKC\yybob\Bor32-update-flase.exe
"C:\Users\Default\Desktop\XlLUOMJXARKC\yybob\Bor32-update-flase.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e583758.rbs

Filesize
45KB

MD5
8c2e6b24afa40373b2920d9160dda64d

SHA1
79c1327957b8b56ff7820f81076019f5383b5790

SHA256
9872dec8a9532b03272237b6dca94e5a6256cb257570519f345a3132e606fac4

SHA512
2278cc95049524b977f0518fa7dc82f160ad15edc3aa4c249ee7b211ce3f081919d2869368cd96060d158ad5a70945deda824664c7cd9e3b8a05b0533e4d14ef

Download Submit
C:\Program Files (x86)\16a9484afbf27fbeSNP.exe

Filesize
694KB

MD5
fae7d0a530279838c8a5731b086a081b

SHA1
6ee61ea6e44bc43a9ed78b0d92f0dbe2c91fc48b

SHA256
eea393bc31ae7a7da3dba99a60d8c3ffccbc5b9063cc2a70111de5a6c7113439

SHA512
e75c8592137edd3b74b6d8388a446d5d2739559b707c9f3db0c78e5c30312f9fccd9bbb727b7334114e8edcbb2418bdc3b4c00a3a634af339c9d4156c47314b4

Download Submit
C:\Program Files (x86)\7z.dll

Filesize
1.1MB

MD5
13bdd886a73d66d13315772e8544206a

SHA1
215fb28efab52e697010f6224d1978a20c936d2c

SHA256
909f30b843a07254400c474e3bae2c4ca65631608cf34bd64c49a5379925e54f

SHA512
01c2fd704b52c640ef3e30785fd770f548666dab0bb4de51a6373062dc5f8865d751db2bb21c47d73b9c15db3e46d90dab036e6f5621f74515e4a86a1f8cccb2

Download Submit
C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\360QuarantPlugin.dll

Filesize
279KB

MD5
3e6ba580ea59f33f16724aa039e5f5aa

SHA1
fbc18e5afe4009b6e95ddea59210e68e31f86d02

SHA256
771d938695b626cfb2d172df04077f758cad1be34e0f74ad17585e1c976936ec

SHA512
790397bf811985f428b9226381e32082be25c07b56105a535c1a90a3e6b075b479ca0d20ddd0b25325d4455684e8f0b5a7c605586eae161592b99a00d49ce793

Download Submit
C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\Clofficewx.msi

Filesize
4.2MB

MD5
ab81df6e4ec8d98854795949ef2285f5

SHA1
95cb732eff3d856a1f5e21c34bce071cd9821271

SHA256
3dff594d2d634646ed21d2bdf3546eb02ffd9057c1891aebf6a4871f42f05b2a

SHA512
420ab89019f8fb98725734d1eb0ef0e397a7879b50a81429d3d1da8fbdb5e204eaf711e4532f6dd5bd0ed36741cd397512a53a078b0fa423334881a7fe09d857

Download Submit
C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\WHelp.dll

Filesize
911KB

MD5
551911bad0a9d419f80292bb8ba32aa2

SHA1
311333365cdac09bda7c634d635c95ee3b16ff28

SHA256
16f6fe58ef9ecc4dcb26315bdaa93d48eac8d86cf7c2701ee233ce6caa251e12

SHA512
250d6c4d72c985879e553aa752b13bb7eff056e1bd29590e0144303d1b026f1247ce71e7392cb111e56a43c5d7fe20e2129d2cf99715d4df5f5c585410c34d36

Download Submit
C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\icuin72.dll

Filesize
3.1MB

MD5
aaf3d52bf399bd1ec2409de24c2d319e

SHA1
913fc611a33e4dc452673fa88b275b11d4aec877

SHA256
999917df669090282bf019b8f7bdf95da8b733863b650362420b46f8c370026b

SHA512
b313db9696f14dfd3e78192cb68f264263135330e61fb59c952c5f05d8254d4105a068312a2fedfa30ad4b4f55f621cb79e9f575f7278d0ff641376944bc4640

Download Submit
C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\icuuc72.dll

Filesize
2.1MB

MD5
690877952c121bb87842ae882281f0bb

SHA1
1e58da5c22f08bc42139688c8537933488c6cb58

SHA256
d75b72d499cdce24a7e19a35f1bed2ef3673f5217fda4aa66c4e942eded83b31

SHA512
db6b13e507a9b93c76eec03f15e43ae9857eb510967d8bcec8b55c371d951da36dfb09dde32ac6f04bbf2d79fd8687237b05c2586ada7cdc815ce49f092741bb

Download Submit
C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\idm_813.dll

Filesize
141KB

MD5
33db888ebf423e1cda1423a166796950

SHA1
ad63cde23cd7b9f0242145b774997388f8c6d1c2

SHA256
bf54dca862d58d61c0fb2c6c3c2917c1c25c2ee9efd4447f540f930b85a7f653

SHA512
dbc4f07a868fc346b1701cc7c05bdae4a801ae214c43baea77c4d54baab453fc7c30986733d324d5ae148ece78d95b7b46dc4ea7e0e2bd708342deec8f871a91

Download Submit
C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\idm_aia.dll

Filesize
122KB

MD5
1509abab19b032eba2d82bc45ccf0df6

SHA1
833134f25f5f52c8600ff2a947f78064ce0a43d0

SHA256
0e9a138e1348f4803617a8d8a06702b63d651412e30a72e1e4c2717e63b3ca02

SHA512
a839dc3fc9aba45649ff943e4f113088b6da4876fa04efa93ade407c09e1d8663af0594ca1e0ec9e3613ede5bf4066c69c8a40da5e240f2dc6f31f67588ef961

Download Submit
C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\idm_app.dll

Filesize
142KB

MD5
05176d41921c39c842d342dce1ee2458

SHA1
476e8949574ed73e17c9f58738102ac5a8cb0f97

SHA256
b2c1a0185d8de1030c671b2ad952777621be94b1868f3b6ae82c184cf045e928

SHA512
719eddd1f2d87544e502286de19e65314a204e353b7e42d0d3456928d0316dae386e6fbee0917a0ccb2b60e9ea9ff6746a7a3ec4e96d3ef7aa54c8a5075e7860

Download Submit
C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\idm_backup.dll

Filesize
157KB

MD5
dc3ebdbf2fca55889a1201c8ad116a56

SHA1
16b5d6bb2838abaee650d1048b5d86a8762359d9

SHA256
46c496a38a7a7ab91ccf8d1797fcd36cddc0ff5663c77a4f74bb6b6c53e08cd5

SHA512
0cdd227fc86ecba3c5250f3f61590c67a4786616b13aee948fcac6cacb94c0c2d7fad97bcdaae4bdd8d9461684589c99e77bb181e2b1f63555c355702ce0622a

Download Submit
C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\idm_datamgr.dll

Filesize
124KB

MD5
d7cf59c02c56400f84240323e9aecce0

SHA1
06c828a81503b1e5f1892449f2c93db74ec9ebf9

SHA256
3c40a517d36478a44e63dfc813bb61eab4f28a53c641c457ebb870b295414718

SHA512
cd083d805e1243053c0439618a32b73ccbb72e2134ff40410619cbcdbb750234c17484c9be14474e5bb11eee6b534920911661733f35ba68066ed3ac554a39a0

Download Submit
C:\Program Files (x86)\WindowsInstallerBF\B3EFC20\idm_info.dll

Filesize
190KB

MD5
1d9ffc3240114d7f7e0a4c4d664d192a

SHA1
b0f17323fd36b7746c963529dd440450478d773e

SHA256
32b3b2cd1d88b7a76558ca22e2c0580851c83776812c6e92658cea96abed2301

SHA512
d499025041e7b327085708aa28764528b52b5d096b7ab0828399ee632ac21a370594bf61e7e26cf314b247c32db245f4025699c73ff8e0c5b007859e4a99000e

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66275e1c20a59ade4c1ab234\1.0.1\tracking.ini

Filesize
85B

MD5
4afd220b84dff9dd0b8ce0ac0c1ff05e

SHA1
57ea79356cee41bb2ab0b3b918a91a49670c871e

SHA256
e10ce9545ecdc7bb73c5f2990c98f186382938b6caa936df5a9c191a07e9d620

SHA512
22ea003c83498f7de5f917252a3f572e1beae97e6df53316d53064985aa899ab248566869536a3ac47e967339299a0c02e1cdaded9f0a7dfb5b798efc2953e8a

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66275e1c20a59ade4c1ab234\1.0.1\{DB88EAB6-56A0-41C0-8407-4FD5F7A9B561}.session

Filesize
25KB

MD5
a37da77513a43aee8c26ac616242112b

SHA1
7dc62fe5e1b6621f6fe91d37b8830dc8fb496635

SHA256
df9b7f79e3e6b44b55199d3ed2a28d2adf6f89cf268a56c98934425b41ad641d

SHA512
d3d465ad7d09c914472edb6dabc916509518045f29e175cf21bedede08eb87cc1eed2060e4cd31928382fa7d45fd3db47c8c813cb278536cdc27ca5c01c16485

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66275e1c20a59ade4c1ab234\1.0.1\{DB88EAB6-56A0-41C0-8407-4FD5F7A9B561}.session

Filesize
35KB

MD5
f9e958fadc064cb74aa4893be40268cb

SHA1
c000b66f3a129fa933debe5c12709b680f8a1e76

SHA256
5052d56f477606d9cf33893fba1fa80543d5c9c67d9ea4892a459f17383c22de

SHA512
753f055fe7f96ff8e0772937f4d81ce92e791c7a0775bfa9bd95c49994319078b5570b5934aa3655dfc3913aa8116a7a560906456394c5b2f3ab4b437c98d854

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2248\dialog.jpg

Filesize
36KB

MD5
abf1076064505dee794fa7aed67252b8

SHA1
358d4e501bb3007feece82a4039cc1050f23fab4

SHA256
fb0d133f05de6aa6a7a3491ae532191a60c438b35d9ff7bfec9e63131f6f0c73

SHA512
9a4680a8d186c1d7550b5e03cbdd095b0c88b2e0249a3af75fa0253d2c9a6f0aa1dd570ecf1a273683a14e6c7b5fb11678be3da439a3bf23eab790372e96e321

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2248\frame_bottom_left.bmp

Filesize
92B

MD5
0edd17e9905d463ce23fbae64563c8da

SHA1
2c26d30e1b7a5761f5048d9494349cafe40979d9

SHA256
237e098ed029198e9f7cfe71babd6bf9ff3962ed78a263dc7426ea663e601467

SHA512
fc358ad0f2e482ad51af201f2883259dfcf0d577db1be8cff2b9048f22827278cf0cb8a3f76475222d86be7e945ce9b34aa9b86fc625c908ffaea0ad6b1ea2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2248\frame_bottom_left_inactive.bmp

Filesize
92B

MD5
1b38ef93df0c5d4c6c2a10ca0115a28d

SHA1
17fa1779a66696f9ee1406da73133745eb4429dd

SHA256
4292ea3565b63946777d999352a1986e8f5950f1e8e51f030443f05dbdbde57d

SHA512
1b0b3c6fe0f359ae383d3d5b069341a900aff610e91d7752d4290fafe11ac73dff3ca349deb6599a6d358add4c769ae6cb05c2b751dbbce738bae4082167e8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2248\frame_bottom_mid.bmp

Filesize
68B

MD5
445b2b911b105ced9b1a3a5caaa594dd

SHA1
c326010a040a6d19837360907745a7a05982254f

SHA256
ecfc46e3ba63cc8d7de04134a271b171d9efd714e4ce9611115836a5b4518e63

SHA512
1ded63a90006bd2bfddb1de399d0cb483e52a94113e43b3099b6bf3dc7a9a0c7ae74249ebaa600d0d184615661f2ff557b62ed65f073bfaefc4f84e0cb420360

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2248\frame_bottom_mid_inactive.bmp

Filesize
68B

MD5
7610648b8e31404e1621a7a5b510b86d

SHA1
d51d517a8472bfe40c469afa8869385d5a0e9783

SHA256
48837b62a6a6bc71359ff74bbe8a672d6b23cc30344c12e006698f069890a2b3

SHA512
24b03969fd28de9919d86609bec03e6ed732ed78b8e0de3f2fe5253180817d1471e3ed004abb5ecd91885b6281cef1b8e508e38e6f76fdcfb88a29e308ac78dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2248\frame_bottom_right.bmp

Filesize
92B

MD5
c288357164d52b2cfd695c792074323b

SHA1
c8b7b1ddb78c929ad56d8bbd57ff5449afa04be3

SHA256
709d6fdbe00694f7dc115e923188f62cdc72d39e739280a1aff072d1a49d2674

SHA512
8d07e5c163c9e4b0d04a861e00be1f578d7a77c2f3eba80deb3895b2b354d4015ff1905a2dfcdccc1b8ec839359dcc302e09f753623aa7f0df212540ce8a56b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2248\frame_bottom_right_inactive.bmp

Filesize
92B

MD5
2c84c848bbcd7bd57579d3431e8a363a

SHA1
5dc73f68798e73318d03979810bc00a4e94956d9

SHA256
f212b152d4647edcd36d2218713296afbf9ac5e86965c309df8f245fb89a06e3

SHA512
5af2bff30850458ef08340fe4ef9ae9e78d5ae1124c3a9dd365b6dd0e97a30ba079e466ec7f127485f5a89be7350d27371fee665b9d6214cd94532ed346effa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2248\frame_caption.bmp

Filesize
144B

MD5
a8a4420fbe5dbe8fff5a4457fbdc0923

SHA1
4475046bf4a5b7af62099521d2a28df47eb14fc8

SHA256
4e504366b5a0b48020ee2e29beb17092010cedb50caa9a901bd6b2e921803582

SHA512
dac1a4fce6a95b965259eb7b92fa73bf532f3f2af929d5930538e16a2bab40d58384ea924ce63dac9235cb6e5585171a21b835ec2b2e359091bb2c7861263bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2248\frame_caption_inactive.bmp

Filesize
144B

MD5
3d8494dd57ae17b57726e6530fc60237

SHA1
09b19ee5fc72b2a07452ed242983c464e2ed5eb0

SHA256
196bf30cc41139ccaecb41584fcdc4a61842c246f81a3c7c4a6ba2a5bea4038c

SHA512
3e02e2c06c922ff58c7a6bb9e6b320e7e9a1dc70cd283986657b02ececf41219454a1d64b5fc02733744f1a2d31b507691b6854e362639ff943ad5e719238343

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2248\frame_left.bmp

Filesize
68B

MD5
78e5adef0e9078c2a76ddea85c1c4dc4

SHA1
8da1ed8372eea6f5ce10154a52b5bd9bcbf1cc18

SHA256
84cf7696e5b73513bcf78b1611de3fac76e9f99cf9112dd9ea963850441b62fe

SHA512
a1f6ee057ad820ee4fe4bb9b9c7703da8bb9e47109ee384e828e6cb16cab7fc9a258e39d413ffdf40ca51e2275737f0b68acd32cf7c6577ee9d7740069a3da07

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2248\frame_left_inactive.bmp

Filesize
68B

MD5
39cbd0b2cf89509c50ee74963f89f70d

SHA1
777755cb3e7eac9f8377552820dec7bf9d48fbfb

SHA256
a46d900fb1d3ba41e6f608587f4a4a414314f48a56cdca10716491415d38a07f

SHA512
8d4486150f12cf144d242735c9940c296deafffa4fd92029909f7b402c4f26f7b3e8ae9f2dfa5518edf5c8bfb6b622b6cbe3cd6ef39c4ec40eb601f3c51b310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2248\frame_right.bmp

Filesize
68B

MD5
2e805b0982cda361e322e201df8cceff

SHA1
a199d51aac3ac44c62b7cf9afae22eea7932c63b

SHA256
c3f2a56930697c4db1ea99bad9f20d7b750f5795181a63eb608c57b7643edd22

SHA512
dade5a2dec58631d4f88129012ae941465397fb498ea52010b2c3abd1e7130d73d47c78bbea0a600b868bd655c2e2b1a141d683b20c7c01099f8e8f116659785

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2248\frame_right_inactive.bmp

Filesize
68B

MD5
171e23cd227d985b89098c5cc632c144

SHA1
2349eca4f92e1d4dcc2d47bc3d166a7081a5485b

SHA256
c9d87fc1e021caf801e31e1359d3a13e1da0c484e3a21ea173d352f924e1a924

SHA512
d9ae5802b331b6b8f38e129bd1e4e07270b7469df2ddd627ef0d6dc7f1cf33f87c334de00ba35c3033108876291c67aefbf7b34b9434faa42c79a2aae6b4f036

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2248\frame_top_left.bmp

Filesize
556B

MD5
d4757da90bf3a96d5ca1b7d8fedf0a1f

SHA1
c4be7503191c6926ad33853b05cc43ad87a6b1e8

SHA256
0e8b86d175526133e239a0a4dc6308c6b529d9b2db2e469ce5098a39f3432168

SHA512
b0fa9ac1b48e4c2d9e4289a65a4f8d46edeaaa5d43309089d67778ce72c72f2e352a792b10c24146c75e604f83158e5b0e665fc70df9886dfd4128f4b1fb2471

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2248\frame_top_left_inactive.bmp

Filesize
556B

MD5
df94017171d579959895edc072d39120

SHA1
0c0facceafac06c603f125cc170973851796d961

SHA256
706d0ec93ab304f05f6d3b8b9da613ca404943e9dbff9061984b5417f15711f8

SHA512
2576993c63b702ee9c6428a7d2698f94d6b7afb5277b60a0f51979ab7494651ea68ed46c0448a6f7d6954455aec9dcf17755cf20e666a7267197adfd4d162a74

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2248\frame_top_mid.bmp

Filesize
68B

MD5
440363d27344241cf3574cdc43cca3d5

SHA1
cdeb4f94ae64c5bbe4740c3773e9ea8c8502cac2

SHA256
358fe1e6b51dd850c2463506d20d341b6ac09194ce0844734cd5386a4d82692b

SHA512
4f7edee0f1e294995785f792ed03b74991c8cf8a750e996477fc8590e0645187fe9201bc4847cb4fcb790bdaff0ba29c4fdc7f7a088180514583eb3fda29c58d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2248\frame_top_mid_inactive.bmp

Filesize
68B

MD5
fc284f137a181d626cbfb9b980265a14

SHA1
af1dc42b8706f65e80b5aa021da38e7c48bf5ac5

SHA256
ebf14004abb9171efb791d5ed78d6f028f09775ec047bfe2bd9a3ad4dc431a0c

SHA512
aab8700806a42877b1b09379a606d49426cd0fa62c0856cc64bccfec6ed1e67130a908fb8d4feba6c6d1b8d530a5acb380fad9d6ed1a170103d3a90a35a788fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2248\frame_top_right.bmp

Filesize
556B

MD5
50656c6f33cb1490eee92cfcf2f4fa80

SHA1
ca5a3fe9b1f6130e6452cedf5d3734781f6e150b

SHA256
ef8fc7a18af77fed42bf20fd640543b0cfaf312a4c9dfc0c2f35ce1af9ae58e9

SHA512
b8e2e2945fcb5699e063bfdad3fc6ae72be96bf342883dc60b8ac81c4143888aa23ccf237b935f56b5f586afe4772eda39b443e0797385ed358638cb7052eec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2248\frame_top_right_inactive.bmp

Filesize
556B

MD5
4178d84d2cd986063d2a7c91c57295d2

SHA1
fc5ea9402cd9c325716a2b79d070ac3e756c9f2f

SHA256
5365b988c102e46f73418ec36e0de5b1749c2080c3d2da660c507a9c505f333e

SHA512
aca1ca7e16049adf1b26dc8d26e99461069fd133587e748012347e66eef9bdb90fda0d197c86334667cc04b0289cfbe8fe8727eabf3bde9827a1066a71133a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2248\sys_close_down.bmp

Filesize
1KB

MD5
4e21b56ffc64f5bc7c4248e33801b011

SHA1
39c05ba5b899f37d90b3722e7edc02149eeb365d

SHA256
ac4eeb5c037deab4e210ad8e6c3afd1816c27a64a92dea633fe982b912e680ac

SHA512
1464a774a4e4f27a1a739f8c7b721aeb47e17b4981a3f5496f9265b996677bbb98dc3310a34a5e56eb851225fa3bcbbc233a44a0751763beb095ef23e878cbff

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2248\sys_close_hot.bmp

Filesize
1KB

MD5
2b4492d6f63f5c41aa26de798f68b982

SHA1
2840f9587b63f203639a88731df67c22796155a9

SHA256
be759b55afdd188282204a5fb650ae8903d534a5d296278e225768415b8b8624

SHA512
fef57068682df050e5694b5fa10fc914830f9fc419c414ad156fb7fa155220d61088d1bebfe1829d95a2af3ee0d46867ecc2bc1fe78b3aeee3e648c127625f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2248\sys_close_inactive.bmp

Filesize
1KB

MD5
e7952db81da0e938aae851a1927682bd

SHA1
52d937797974c2a285a1456b133024107eea351d

SHA256
834c911f88c6a063e34f29060a3fbcc95afe267d868a57625e74e76c9ff1108f

SHA512
0e7facc4181e46cc748c0a6a47df02f0a459c06440409d366c8b0fc29218d05a3c1685f071aca4e58017e7e08449a3a02a5e6ba2e06ab68e6e3234e3766ef310

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2248\sys_close_normal.bmp

Filesize
1KB

MD5
8d5e21a5aabb3581d5e5a2e5907ef7fb

SHA1
f810a458cc0a28e72e65887a744ccd5be07f4b82

SHA256
5d70323dc723f965dfc29cf36e0ebafeafcf5e520d2beb905fec086ce22eefda

SHA512
86ee08e28a275d4051236dea338d5394cda2a0bb6b4fb9e7bfcc8e0403b9816221b554805fd53f7b5dfdd6eda4a8eedca23f435a510894e70e051c905953e197

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2248\sys_min_down.bmp

Filesize
1KB

MD5
ba8de1a4fb2e3ca280cd7a3f72d28bcd

SHA1
4bcb1fbe1390eb0101df72725b34e364ec0cc551

SHA256
a3f47f44ad19a5e5b42204da311a883025f4f7d951bbd427edb3a20d759fc5e8

SHA512
dfc97335a12e1b33209e2dac7f222dbea7f71b93bcd6e4689dd409cbab6096c78210527f1abe0c3bb00bbe5cb38b3691b9355aa04d92975c3348b2096c141407

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2248\sys_min_hot.bmp

Filesize
1KB

MD5
02f22afae35430f2092e77bf1ca577b0

SHA1
91f97b9e65a972da62fa1f1254b6d1ef1f0e80b8

SHA256
d36ecf7b57c82496e41f7f5f36fcf21be7f0c061b999c5662f18530909ab6542

SHA512
fae0d6e818c987ef1c7829301b39da098e4766b4a33bac04a7b4d42e68a3b6df3d3a6b4c3e29d31bc0cb48b541c8316d4ecc3216f6c2aa7827e2df5aa1a57786

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2248\sys_min_inactive.bmp

Filesize
1KB

MD5
216e32733b99d128ba7b1de8748a5d12

SHA1
2b857cb52ce605e9b8470683468bf331a86a042d

SHA256
f856a6e498ef981476b85590200b3cba06b04c80329b434c1a3f89ba7c7240a3

SHA512
3ce39384e4e0138fcf1048819543ba6c6353ae32b597d64c06024f7bf63901d69d23ecf07fd6f754c56e5115a4dcabdb680bd98df86db5d8c729552f80be9d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2248\sys_min_normal.bmp

Filesize
1KB

MD5
eeda62be091f6ef68d9ba7d76c9cfd84

SHA1
822372b556a550dd93f931b1d115c888d611fd20

SHA256
3c746ad942bdd0a9b95414f80cd0e20c32251601a9d579bbdfdab6c9ad7414f8

SHA512
ee394717a1191ed3556ff9359d35861a475a96a14e4026f304d42156e357ec564522333ea745e90bfdcd2ee1a85a01316999ef9b601bdac47b6ed7015f0c8e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\INAEAFC.tmp

Filesize
1.1MB

MD5
997c2f6dd1f62628663118a7c9c4e0f3

SHA1
5d10acf9f019083719ae4f61118054f494eb7dda

SHA256
c958d2bc34ae214a3fec0337dd877e63d68e09b8f7b98fb502fa67479474ae7d

SHA512
1a7d9eefd712df08b89c8209a04187ec802e236d25b9b71e86cf02aaf3959e6958bec942d779936389a75a190a4f859c604e5a996a852d810c704d416657c59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEB4C.tmp

Filesize
738KB

MD5
36cd2870d577ff917ba93c9f50f86374

SHA1
e51baf257f5a3c3cd7b68690e36945fa3284e710

SHA256
8d3e94c47af3da706a9fe9e4428b2fefd5e9e6c7145e96927fffdf3dd5e472b8

SHA512
426fe493a25e99ca9630ad4706ca5ac062445391ab2087793637339f3742a5e1af2cedb4682babc0c4e7f9e06fed0b4ed543ddeb6f4e6f75c50349c0354aceda

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEC49.tmp

Filesize
1.1MB

MD5
7e4ef4bc701a5f46a1fee1a9fdc403f1

SHA1
ab00fc0985d7cae8ccfdae1cd4e687192f079d47

SHA256
34fe948e2b005a424f4e8aff9d9ef847d5623b99196fe5f5e9bff4983770d95a

SHA512
7f8013d024142377aad49fc2c5c30376a4b9dd6c732dbbe3d88d2377965ca9e544d7065c7ee5aa1bd9d29b51f19255335c7ac3f85b5079b1cad710dc74bb8748

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEE7D.tmp

Filesize
870KB

MD5
65b853552e16654c53ab4d16920a9182

SHA1
9f8182ef1b58d0d52f4faf1688d4f4e9dd8af5c5

SHA256
80c5e769470bb98c5b1ec3be0a9a51f0821c67e9adc7e3e254bbc41183ceb76f

SHA512
b56c00e78ca901738a4a067709c772cfbdf10d3a049af4e7eb6bd7a0cb0629472d7798dabb0eb82958ae90cd71acc79e5cbc3d26b0f42d3cc7cc8ec2236aa54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\shi422.tmp

Filesize
4.8MB

MD5
77d6c08c6448071b47f02b41fa18ed37

SHA1
e7fdb62abdb6d4131c00398f92bc72a3b9b34668

SHA256
047e2df9ccf0ce298508ee7f0db0abcb2ff9cff9916b6e8a1fbd806b7a9d064b

SHA512
e1aeb8e8b441d755a119f45a465ca5660678f4131984322252bfb6d2cec52e7ee54d65a64b98429b23915eb5707b04b5cd62a85446c60de8842314130a926dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\shiF176.tmp

Filesize
4.3MB

MD5
6c7cdd25c2cb0073306eb22aebfc663f

SHA1
a1eba8ab49272b9852fe6a543677e8af36271248

SHA256
58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

SHA512
17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\shiF177.tmp

Filesize
81KB

MD5
125b0f6bf378358e4f9c837ff6682d94

SHA1
8715beb626e0f4bd79a14819cc0f90b81a2e58ad

SHA256
e99eab3c75989b519f7f828373042701329acbd8ceadf4f3ff390f346ac76193

SHA512
b63bb6bfda70d42472868b5a1d3951cf9b2e00a7fadb08c1f599151a1801a19f5a75cfc3ace94c952cfd284eb261c7d6f11be0ebbcaa701b75036d3a6b442db2

Download Submit
C:\Users\Admin\AppData\Roaming\0988e0f8e08fae8aKHO\VGX\plugins\Microsoft.VC80.ATL.manifest

Filesize
376B

MD5
0bc6649277383985213ae31dbf1f031c

SHA1
7095f33dd568291d75284f1f8e48c45c14974588

SHA256
c06fa0f404df8b4bb365d864e613a151d0f86deef03e86019a068ed89fd05158

SHA512
6cb2008b46efef5af8dd2b2efcf203917a6738354a9a925b9593406192e635c84c6d0bea5d68bde324c421d2eba79b891538f6f2f2514846b9db70c312421d06

Download Submit
C:\Users\Admin\AppData\Roaming\0988e0f8e08fae8aKHO\VGX\plugins\Microsoft.VC80.CRT.manifest

Filesize
314B

MD5
710c54c37d7ec902a5d3cdd5a4cf6ab5

SHA1
9e291d80a8707c81e644354a1e378aeca295d4c7

SHA256
ef893cb48c0ebe25465fbc05c055a42554452139b4ec78e25ec43237d0b53f80

SHA512
4d2ec03ff54a3bf129fb762fc64a910d0e104cd826acd4ab84ed191e6cc6a0fec3627e494c44d91b09feba5539ad7725f18158755d6b0016a50de9d29891c7e5

Download Submit
C:\Users\Admin\AppData\Roaming\0988e0f8e08fae8aKHO\VGX\plugins\version

Filesize
4B

MD5
f1d3ff8443297732862df21dc4e57262

SHA1
9069ca78e7450a285173431b3e52c5c25299e473

SHA256
df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119

SHA512
ec2d57691d9b2d40182ac565032054b7d784ba96b18bcb5be0bb4e70e3fb041eff582c8af66ee50256539f2181d7f9e53627c0189da7e75a4d5ef10ea93b20b3

Download Submit
memory/960-1037-0x00000000009E0000-0x0000000000B03000-memory.dmp

Filesize
1.1MB

Download
memory/960-1040-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/960-1038-0x0000000000730000-0x0000000000795000-memory.dmp

Filesize
404KB

Download
memory/960-1039-0x0000000000B10000-0x0000000000C1A000-memory.dmp

Filesize
1.0MB

Download
memory/960-1121-0x0000000000B10000-0x0000000000C1A000-memory.dmp

Filesize
1.0MB

Download
memory/960-1122-0x0000000000730000-0x0000000000795000-memory.dmp

Filesize
404KB

Download
memory/960-1119-0x000000006B240000-0x000000006B29A000-memory.dmp

Filesize
360KB

Download
memory/960-1118-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/960-1120-0x00000000009E0000-0x0000000000B03000-memory.dmp

Filesize
1.1MB

Download