Malware Analysis Report

2024-12-07 14:03

Sample ID 241116-pw69gazral
Target ed8339884443bacb025859838dbecc918aab32be7e41b93970f1983bb6435997.msi.vir
SHA256 ed8339884443bacb025859838dbecc918aab32be7e41b93970f1983bb6435997
Tags
discovery execution persistence privilege_escalation gh0strat purplefox rat rootkit trojan
score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score 10/10

SHA256 ed8339884443bacb025859838dbecc918aab32be7e41b93970f1983bb6435997

Threat Level: Known bad

The file ed8339884443bacb025859838dbecc918aab32be7e41b93970f1983bb6435997.msi.vir was found to be: Known bad.

Malicious Activity Summary

discovery execution persistence privilege_escalation gh0strat purplefox rat rootkit trojan

Detect PurpleFox Rootkit

Purplefox family

Gh0strat

Gh0st RAT payload

Gh0strat family

PurpleFox

Command and Scripting Interpreter: PowerShell

Enumerates connected drives

Drops file in System32 directory

Loads dropped DLL

Drops file in Program Files directory

Executes dropped EXE

Drops file in Windows directory

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Event Triggered Execution: Installer Packages

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Kills process with taskkill

Suspicious behavior: GetForegroundWindowSpam

Uses Volume Shadow Copy service COM API

Suspicious behavior: AddClipboardFormatListener

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: CmdExeWriteProcessMemorySpam

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-16 12:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-16 12:41
Reported 2024-11-16 12:46
Platform win7-20241023-en
Max time kernel 139s
Max time network 133s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ed8339884443bacb025859838dbecc918aab32be7e41b93970f1983bb6435997.msi

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
File created C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
File created C:\Program Files\CPUAimLinux\fGLiHZxoRKSusbcIKqgqcOdcejVlmt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
File created C:\Program Files\CPUAimLinux\VjWngwTLyUFMvrqdGBJVcAiVFJgCRe C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
File created C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe C:\Windows\system32\MsiExec.exe N/A
File created C:\Program Files\CPUAimLinux\hHILqDIvDmMm.vbs C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File created C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\CPUAimLinux\valibclang2d.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\CPUAimLinux\hHILqDIvDmMm C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\hHILqDIvDmMm C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
File created C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe C:\Windows\system32\MsiExec.exe N/A
File created C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\VjWngwTLyUFMvrqdGBJVcAiVFJgCRe C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI11BC.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f771059.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\f771056.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f771057.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f771056.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f771057.ipi C:\Windows\system32\msiexec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe N/A
N/A N/A C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office\6.0 C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a0e77c342538db01 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet." C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office\6.0\Common C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office\6.0\Common\FirstInstallTime = "2024-11-16 12:44:09" C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office\6.0\Common\FirstInstall = "1" C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office\6.0\Common\reportAllInfoToDataWarehouse = "0" C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office\6.0\Common\errorReport = "https://dpr.wps.cn/errorReport/up" C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office\6.0\Common\disableGlobalInfoCollect = "0" C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\Version = "50921476" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\SourceList\PackageName = "ed8339884443bacb025859838dbecc918aab32be7e41b93970f1983bb6435997.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FA0EF29B5B347844EAFE67E31033BA20 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\ProductName = "CPUAimLinux" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\PackageCode = "7BBCCBD37729DC941A30C09D73A0E2DC" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FA0EF29B5B347844EAFE67E31033BA20\69C82A5968349984695416D1D691275C C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\69C82A5968349984695416D1D691275C C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\69C82A5968349984695416D1D691275C\ProductFeature C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\SourceList C:\Windows\system32\msiexec.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
Token: 35 N/A C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
Token: 35 N/A C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2304 wrote to memory of 1112 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2304 wrote to memory of 1112 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2304 wrote to memory of 1112 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2304 wrote to memory of 1112 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2304 wrote to memory of 1112 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1112 wrote to memory of 908 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1112 wrote to memory of 908 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1112 wrote to memory of 908 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1112 wrote to memory of 1984 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1112 wrote to memory of 1984 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1112 wrote to memory of 1984 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1984 wrote to memory of 1736 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe
PID 1984 wrote to memory of 1736 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe
PID 1984 wrote to memory of 1736 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe
PID 1984 wrote to memory of 1736 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe
PID 1984 wrote to memory of 1728 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1984 wrote to memory of 1728 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1984 wrote to memory of 1728 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1984 wrote to memory of 2140 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe
PID 1984 wrote to memory of 2140 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe
PID 1984 wrote to memory of 2140 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe
PID 1984 wrote to memory of 2140 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe
PID 1112 wrote to memory of 1200 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
PID 1112 wrote to memory of 1200 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
PID 1112 wrote to memory of 1200 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
PID 1112 wrote to memory of 1200 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
PID 1112 wrote to memory of 2832 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe
PID 1112 wrote to memory of 2832 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe
PID 1112 wrote to memory of 2832 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe
PID 1112 wrote to memory of 2832 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe
PID 1112 wrote to memory of 2832 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe
PID 1112 wrote to memory of 2832 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe
PID 1112 wrote to memory of 2832 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe
PID 1112 wrote to memory of 448 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\taskkill.exe
PID 1112 wrote to memory of 448 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\taskkill.exe
PID 1112 wrote to memory of 448 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\taskkill.exe
PID 2832 wrote to memory of 1604 N/A C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe
PID 2832 wrote to memory of 1604 N/A C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe
PID 2832 wrote to memory of 1604 N/A C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe
PID 2832 wrote to memory of 1604 N/A C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe
PID 2832 wrote to memory of 1604 N/A C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe
PID 2832 wrote to memory of 1604 N/A C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe
PID 2832 wrote to memory of 1604 N/A C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ed8339884443bacb025859838dbecc918aab32be7e41b93970f1983bb6435997.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D4" "00000000000003DC"

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 5CD0512085322443860EF36EA73C001C M Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\CPUAimLinux','C:\Program Files','C:\Program Files'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe" x "C:\Program Files\CPUAimLinux\fGLiHZxoRKSusbcIKqgqcOdcejVlmt" -o"C:\Program Files\CPUAimLinux\" -p"45197ey[d^pAOf{#@@Sn" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe" x "C:\Program Files\CPUAimLinux\VjWngwTLyUFMvrqdGBJVcAiVFJgCRe" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_chStxoxuRIWqJPhAEpoedGhIhshNCk.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"30487h]~8_+KDe=E3}A&" -y

C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe

"C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe" x "C:\Program Files\CPUAimLinux\fGLiHZxoRKSusbcIKqgqcOdcejVlmt" -o"C:\Program Files\CPUAimLinux\" -p"45197ey[d^pAOf{#@@Sn" -y

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe

"C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe" x "C:\Program Files\CPUAimLinux\VjWngwTLyUFMvrqdGBJVcAiVFJgCRe" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_chStxoxuRIWqJPhAEpoedGhIhshNCk.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"30487h]~8_+KDe=E3}A&" -y

C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe

"C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe" -number 177 -file file3 -mode mode3

C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe

"C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /F /IM msiexec.exe

C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe

"C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe" /ThemeIndex=#ThemeIndex#

C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe

"C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe" -downpower -ThemeIndex="#ThemeIndex#" -msgwndname=wpssetup_message_F773D8D -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~f773b8a\ -msgsmname=Global\_wpssetup_message_sm_644

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Network

Country Destination Domain Proto
US 8.8.8.8:53 im.qq.com udp

Files

memory/1112-12-0x0000000000400000-0x0000000000410000-memory.dmp

memory/908-17-0x000000001B510000-0x000000001B7F2000-memory.dmp

memory/908-18-0x0000000002890000-0x0000000002898000-memory.dmp

C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe

MD5 c31c4b04558396c6fabab64dcf366534
SHA1 fa836d92edc577d6a17ded47641ba1938589b09a
SHA256 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3
SHA512 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

C:\Program Files\CPUAimLinux\fGLiHZxoRKSusbcIKqgqcOdcejVlmt

MD5 e233a45f26a7bcba7da4753f8c37adc9
SHA1 00878732ed88595ebcb3be39fd3f7584fa2644f0
SHA256 a55cbb492f4b7ecc032a93555107e641046260bd482cff1575bfe8ba5a6ada8a
SHA512 50c319e8ea9604b010974223c237a5f9581e616c381203659487ac652907eb4f585e44786c878401b55955d8fe88b167bf03b3b703f793dcbdfcf7d17074e78d

C:\Program Files\CPUAimLinux\VjWngwTLyUFMvrqdGBJVcAiVFJgCRe

MD5 eee25c225234065db6432f7de863f264
SHA1 ac362f95903ba8a92c1a9f38e06bd073d342e013
SHA256 d092b5b4598c79c4bb0a35f6d0b2aa84df599f9b7323c66f3182d3129e57d7a2
SHA512 544fe602951159f43c43ec8f9ae84130f06d81439c6eff76e142daa65ad5ff0f1c3b213bbc5af2c928105b5dc08d7b9e5f766653df71586d3210aad1624b3ea3

C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe

MD5 db6688b70f3255877e15541970145e68
SHA1 5f69edadeb9e7dae7f4b034031cb325ce1c7f2bd
SHA256 208f1f3a5928a4b6ea18e91bbbd33ad8d04273f067983e8e09490b1b8a12f7cb
SHA512 72f588728035f844662381e928ed117134ce2bae1be1848204fc1bd753f37fbdfd4a683ff1454ef944643a51c2fe9944a651b2847428f8d15a1c6c026e0ecfce

C:\Config.Msi\f771058.rbs

MD5 00cd63df4b7e085795da8edd44bfc85c
SHA1 a83d2e1ba5573783574629fe7eeed0f88cb06852
SHA256 651ede53e3a3fa20325fb89fb8594662892a129d52ab2a4853446086ea45135c
SHA512 d30e48fc26f93424e433c1608600166d31174106196333d8b31416c20279701510d903b5532e2747b119b848bfff37b4a7d9109701c1d22f37b263febcef02b3

\Users\Admin\AppData\Local\Temp\nst340C.tmp\v6svc_oem.dll

MD5 500318167948bdd3ad42a40721e1a72b
SHA1 24134691693e6d78d6eb0a0c64833c12a0090968
SHA256 d3378ee739debcaee8c715963403d96bf025db98bfbb55e54635429890db85c6
SHA512 0a2d3b55528cc53cfce5b47158997300c562afd2c7bb5596532b218d3f482380887ee7c204b13d42425dc0c4cc439a7f9ed167f3767bda7b6e205e7e8f454863

\Users\Admin\AppData\Local\Temp\nst340C.tmp\System.dll

MD5 0063d48afe5a0cdc02833145667b6641
SHA1 e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256 ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA512 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

\Users\Admin\AppData\Local\Temp\nst340C.tmp\AccessControl.dll

MD5 28c87a09fdb49060aa4ab558a2832109
SHA1 9213a24964cd479eac91d01ad54190f9c11d0c75
SHA256 933cadcd3a463484bbb3c45077afda0edbb539dfbe988efad79a88cae63bf95f
SHA512 413b3afe5a3b139a199f2a6954edc055eee3b312c3dffd568cfdbe1f740f07a7c27fbf7b2a0b6e3c3dd6ee358ce96cc1ca821883f055bf63ddebda854384700d

memory/1200-75-0x00000000003B0000-0x00000000003DF000-memory.dmp

C:\ProgramData\kingsoft\20241116_124406\oem.ini

MD5 920068869d99afbee8244a2be1e667dd
SHA1 4fb5d143480d258cb4afa9d009b303a08fc9122b
SHA256 53b4432efa05bb55dec931a4641e32a6dccae3fb4730bf66bab2fe58df904d2f
SHA512 466623f31264a788fbf83589f8d5601ba1797d9df21da04fca5a13ff25678ddc3291d3086fedfbf5829a1eed93a67759af704c51c38c3378202c34e242eae8da

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

MD5 a443a2554bc200c0a01c926a50e94ed4
SHA1 778d1a1f30b480e9fda9c60ee2bc4ba05711cbee
SHA256 57965bea43c7c022ccb1a9de0c8156426a6242dfa38cf8f70761aa1c15de9904
SHA512 66c436b785a444ab74adebe17fb1635c587afe21ee3b1e284129c1e1fe1da7128039659b60114fffe4a25f51eb524407814debda15804dfb3718d32f7cdcf734

memory/1604-185-0x00000000001B0000-0x00000000001B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\product.dat

MD5 bb7426885c5f57b6b9405fdc7a94cc65
SHA1 0a58a34a41cbea358fd57d278e9b15e669cc28e6
SHA256 f32133a910d0ab4b64bb7bc33fd5894e1afeb048b83b09336d8b02cd4c7ae118
SHA512 3e8d20fc055b9ebbb49439adc69878e2b1c9a11f45400e7155874c031f950e3dc6ece86998366345c85ee98ac091ac319eb2175fd0100e300b9e856d06ef891d

C:\Users\Admin\AppData\Local\tempinstall.ini

MD5 6a5eea749583001de63b993fc66496ba
SHA1 fd41691ec4751e85be89917d46454f8533800b4e
SHA256 bca613688e735ccd1fae7164550bd8ae90862028cd0bf31534c149ea0d7c9f60
SHA512 6a5b9b863bf139c87b5734d6e8310c7231a1015d8eceb15f76ccf7676d36f9107fd5d817a6f04ed47c3ee45be409073c837beee3c079abde5bc38233c98b9712

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

MD5 88016c1d360030c39c88d854eb03e02c
SHA1 fe48a024b3a76ca6e7ccd6978765166e6aefa3ab
SHA256 ea9f4f86b64b283bdd4c7ac03a4654f23b0b9be12f6a144314cdf12cef840d9c
SHA512 74fb703a2c6b78e5db9fb55dae123dda7bee88a0c32ce81d3c52db937e3d30fe2b155009c11f2a34948b6cac4811cb74d2a6a649bbebbfd8de9d619333861ddf

C:\Users\Admin\AppData\Local\tempinstall.ini

MD5 5e1b68b67986b1588301c0135f19fc7c
SHA1 957ea47285f7d903cce7530ee34852435de5b5b4
SHA256 23456d8ce681d1a5a31bf06262e088f4feb8d0e8fdc1d37afa4aa02830ffacdc
SHA512 268ec437c5971552dacca1e9ef6850543614d5a7f05ac34b41bf05f73e97e4c694d59e4f0618a57660ffad4f2faee653b4c0c824f97a6e9fddc48d22c52739af

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

MD5 616e8eb1877ea43699663ba8708c6a84
SHA1 73e404b92496146675f90995d0199139773cdd57
SHA256 178a7bdd031d2d98f9a8d024c012cb2056aa38d4f1a2ccb5db181b6900ebf7d1
SHA512 97ee03546755387655703bf05c4f2bbaa0e3b73be09ee45719d7553dc46876c40ce956242f66a62852e84f2550cc932fecb9a363b45f7e6ca1453d87cb958849

\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\ucrtbase.dll

MD5 2040cdcd779bbebad36d36035c675d99
SHA1 918bc19f55e656f6d6b1e4713604483eb997ea15
SHA256 2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359
SHA512 83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-core-localization-l1-2-0.dll

MD5 21519f4d5f1fea53532a0b152910ef8b
SHA1 7833ac2c20263c8be42f67151f9234eb8e4a5515
SHA256 5fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1
SHA512 97211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417

\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-core-file-l2-1-0.dll

MD5 b181124928d8eb7b6caa0c2c759155cb
SHA1 1aadbbd43eff2df7bab51c6f3bda2eb2623b281a
SHA256 24ea638dfa9f40e2f395e26e36d308db2ab25ed1baa5c796ac2c560ad4c89d77
SHA512 2a43bf4d50d47924374cde689be24799c4e1c132c0bc981f5109952d3322e91dd5a9352b53bb55ca79a6ea92e2c387e87c064b9d8c8f519b77fff973d752dc8f

\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-core-timezone-l1-1-0.dll

MD5 86421619dad87870e5f3cc0beb1f7963
SHA1 2f0fe3eb94fa90577846d49c03c4fd08ef9d3fb2
SHA256 64eccd818f6ffc13f57a2ec5ca358b401ffbb1ca13b0c523d479ef5ee9eb44ab
SHA512 dbce9904dd5a403a5a69e528ee1179cc5faab1361715a29b1a0de0cd33ad3ae9c9d5620dafb161fda86cb27909d001be8955940fd051077ffe6f3ff82357ad31

\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-core-file-l1-2-0.dll

MD5 cd3cec3d65ae62fdf044f720245f29c0
SHA1 c4643779a0f0f377323503f2db8d2e4d74c738ca
SHA256 676a6da661e0c02e72bea510f5a48cae71fdc4da0b1b089c24bff87651ec0141
SHA512 aca1029497c5a9d26ee09810639278eb17b8fd11b15c9017c8b578fced29cef56f172750c4cc2b0d1ebf8683d29e15de52a6951fb23d78712e31ddcb41776b0f

\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-core-processthreads-l1-1-1.dll

MD5 b5c8334a10b191031769d5de01df9459
SHA1 83a8fcc777c7e8c42fa4c59ee627baf6cbed1969
SHA256 6c27ac0542281649ec8638602fbc24f246424ba550564fc7b290b683f79e712d
SHA512 59e53c515dfa2cd96182ca6539ed0ea2ebb01f5991beb08166d1fc53576aeaafebbb2c5ee0ccbdab60ae45fc6a048fff0b5e1b8c9c26907791d31fb7e75b1f39

\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\kpacketui.dll

MD5 283a731e55f15516cbefe175ced45d26
SHA1 59eb1520c7b7f1ca8faa494426d6c9a64c15e145
SHA256 9fa73aeb2092080fc29f80f3a1287c1740ed4eb85f883c87be385c846b9b47fe
SHA512 7dc7da18fe2376780ccc226ee1caf7eddb38edc4540fab8c2e5a9589dcdea3b8218fb483df2e8b5c5df358e484b161292399340f4e1ea06b71464b05b220643b

\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\Qt5WinExtrasKso.dll

MD5 4df516604e20d8defb35aaf0fb16a2b5
SHA1 6b34b3fcb1da882e6adbd78f1aa38bfc4710a098
SHA256 4c7efb65779f1b988bfc12623e042338061bd123a89b8171c7db7ace7d416628
SHA512 cd7d4b005f1ff7fbdfbb15da4ffe5513fcb741b2088fa42560f45b6fe4f3dd97efb78c7a2ec49b0ce8a0dc4a5fe237f4ffc68ea6c8b6a048718876656fb5282d

\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\Qt5GuiKso.dll

MD5 c79bc97c4dc3a9f6beff0d18a0916b15
SHA1 3cb0b6ae6fd034ee24511c8ecd91c16d73d2b76a
SHA256 0c490173ab692710614f42dde8cf643aec26ff4636dc25d778d1444fe90368ea
SHA512 df1475695972a4c17401a4552e43eb249a99c77c3292c42d48a64964bcd10534fa006ab09124acb197b0b27283042afd0e9163953f824507ca2279c04a82d147

\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\Qt5CoreKso.dll

MD5 e847288468d4daadcb8f5a8bb152e923
SHA1 574f7b2d1def9d79c4257c4268246fb399041bf6
SHA256 dc450ada7d31c9df923803e687c87dda9b9bec5e3f0efef6a30206872c9559a5
SHA512 b0c939485c7ab200837f8f4eb1da305644457825611a6d829cb6f789e486ef69ef4716f152e487b599f85cddaeb53808e71e3e016b4f7b4c4a71a2506586e133

\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\msvcp140.dll

MD5 db1e9807b717b91ac6df6262141bd99f
SHA1 f55b0a6b2142c210bbfeebf1bac78134acc383b2
SHA256 5a6dfa5e1ffb6c1e7fc76bd121c6c91305e10dd75fc2124f79fee291a9dd9e86
SHA512 f0621977d20989d21ae14b66c1a7a6c752bfd6d7ccc2c4c4ec1c70ba6756e642fb7f9b1c6a94afadd0f8a05d3c377792e4aa4c1a771d833c40a6f46b90cbe7c3

\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-crt-string-l1-1-0.dll

MD5 f364190706414020c02cf4d531e0229d
SHA1 5899230b0d7ad96121c3be0df99235ddd8a47dc6
SHA256 a797c0d43a52e7c8205397225ac931638d73b567683f38dd803195da9d34eac2
SHA512 a9c8abbd846ab55942f440e905d1f3864b82257b8daa44c784b1997a060de0c0439ecc25a2193032d4d85191535e9253e435deed23bdf3d3cb48c4209005a02e

\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-crt-utility-l1-1-0.dll

MD5 3dfb82541979a23a9deb5fd4dcfb6b22
SHA1 5da1d02b764917b38fdc34f4b41fb9a599105dd9
SHA256 0cd6d0ff0ff5ecf973f545e98b68ac6038db5494a8990c3b77b8a95b664b6feb
SHA512 f9a20b3d44d39d941fa131c3a1db37614a2f9b2af7260981a0f72c69f82a5326901f70a56b5f7ad65862630fce59b02f650a132ee7ecfe2e4fc80f694483ca82

\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-crt-math-l1-1-0.dll

MD5 461d5af3277efb5f000b9df826581b80
SHA1 935b00c88c2065f98746e2b4353d4369216f1812
SHA256 f9ce464b89dd8ea1d5e0b852369fe3a8322b4b9860e5ae401c9a3b797aed17bf
SHA512 229bf31a1de1e84cf238a0dfe0c3a13fee86da94d611fbc8fdb65086dee6a8b1a6ba37c44c5826c3d8cfa120d0fba9e690d31c5b4e73f98c8362b98be1ee9600

\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-crt-environment-l1-1-0.dll

MD5 0979785e3ef8137cdd47c797adcb96e3
SHA1 4051c6eb37a4c0dba47b58301e63df76bff347dd
SHA256 d5164aecde4523ffa2dcfd0315b49428ac220013132ad48422a8ea4ca2361257
SHA512 e369bc53babd327f5d1b9833c0b8d6c7e121072ad81d4ba1fb3e2679f161fb6a9fa2fca0df0bac532fd439beb0d754583582d1dbfeccf2d38cc4f3bdca39b52d

\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\Qt5WidgetsKso.dll

MD5 e680d10a2632b3bcc9e87790b11c9fc5
SHA1 c97b51036952a79e7173e672f59492487902952a
SHA256 ec89fe25ce694fa68c80aab24cef732c0d9d102b35f38b946cdcce517b5ad329
SHA512 cb6284236c3259bbacc2f90cb6ac059ef9da9d03277df21ac0ec69eb0132271a346477e9305875d4723f6f3327d04fd5f5bb26a9b39d8e8b7c94fea57a83dceb

\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-crt-time-l1-1-0.dll

MD5 d0b6a2caec62f5477e4e36b991563041
SHA1 8396e1e02dace6ae4dde33b3e432a3581bc38f5d
SHA256 fd44d833ea40d50981b3151535618eb57b5513ed824a9963251d07abff2baedf
SHA512 69bd6df96de99e6ab9c12d8a1024d20a034a7db3e2b62e8be7fdbc838c4e9001d2497b04209e07a5365d00366c794c31ee89b133304e475dde5f92fdb7fcb0bc

\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 a1b6cebd3d7a8b25b9a9cbc18d03a00c
SHA1 5516de099c49e0e6d1224286c3dc9b4d7985e913
SHA256 162ccf78fa5a4a2ee380f72fbd54d17a73c929a76f6e3659f537fa8f42602362
SHA512 a322fb09e6faaff0daabb4f0284e4e90ccacff27161dbfd77d39a9a93dbf30069b9d86bf15a07fc2006a55af2c35cd8ea544895c93e2e1697c51f2dafad5a9d7

\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-crt-locale-l1-1-0.dll

MD5 50b721a0c945abe3edca6bcee2a70c6c
SHA1 f35b3157818d4a5af3486b5e2e70bb510ac05eff
SHA256 db495c7c4ad2072d09b2d4506b3a50f04487ad8b27d656685ea3fa5d9653a21d
SHA512 ef2f6d28d01a5bad7c494851077d52f22a11514548c287e513f4820c23f90020a0032e2da16cc170ae80897ae45fc82bffc9d18afb2ae1a7b1da6eef56240840

\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-crt-convert-l1-1-0.dll

MD5 88f89d0f2bd5748ed1af75889e715e6a
SHA1 8ada489b9ff33530a3fb7161cc07b5b11dfb8909
SHA256 02c78781bf6cc5f22a0ecedc3847bfd20bed4065ac028c386d063dc2318c33cc
SHA512 1f5a00284ca1d6dc6ae2dfce306febfa6d7d71d421583e4ce6890389334c2d98291e98e992b58136f5d1a41590553e3ad42fb362247ae8adf60e33397afbb5df

\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-crt-stdio-l1-1-0.dll

MD5 5765103e1f5412c43295bd752ccaea03
SHA1 6913bf1624599e55680a0292e22c89cab559db81
SHA256 8f7ace43040fa86e972cc74649d3e643d21e4cad6cb86ba78d4c059ed35d95e4
SHA512 5844ac30bc73b7ffba75016abefb8a339e2f2822fc6e1441f33f70b6eb7114f828167dfc34527b0fb5460768c4de7250c655bc56efd8ba03115cd2dd6f6c91c0

\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-crt-heap-l1-1-0.dll

MD5 a6a9dfb31be2510f6dbfedd476c6d15a
SHA1 cdb6d8bd1fbd1c71d85437cff55ddeb76139dbe7
SHA256 150d32b77b2d7f49c8d4f44b64a90d7a0f9df0874a80fc925daf298b038a8e4c
SHA512 b4f0e8fa148fac8a94e04bf4b44f2a26221d943cc399e7f48745ed46e8b58c52d9126110cdf868ebb723423fb0e304983d24fe6608d3757a43ad741bddb3b7ec

\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-crt-runtime-l1-1-0.dll

MD5 4f06da894ea013a5e18b8b84a9836d5a
SHA1 40cf36e07b738aa8bba58bc5587643326ff412a9
SHA256 876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732
SHA512 1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\vcruntime140.dll

MD5 8fdb26199d64ae926509f5606460f573
SHA1 7d7d8849e7c77af3042a6f54bdf2bb303d7cd678
SHA256 f1fd5f6ec1cfe0cc3b66b5322ac97568bc63b19c1e415b99aad7c69ddbafa33c
SHA512 f56bf11d4259dbf5d4d1f9fc2ad60ff609cddb21278999e9fa55fe5d74552e8a01ddc55cfdc9bf4b09b3e3130a1356142a24a7db8ec5ea19344de617dc9fa99f

\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\qt\plugins\platforms\qwindows.dll

MD5 b6a37f22541908b36755c1b2907f4972
SHA1 1327b11691fe35918cedfaf35b7c3f2c040f07d0
SHA256 915bc4bb230e1a33ddca17faa5d1a5d63b33a1382a425d4c7364301283f9b977
SHA512 bcace988eae77a67a162aea424920d6ca5ca3b83a4047e450380f67dd6966c47d6b98aeb5b9f05f972f7b4ec39e2ba1cb648997efd62fc82087a24563326b6d3

\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll

MD5 ce3eb6e3e6d950fb03ed3753baafd6d1
SHA1 cadd8a045a037a9ce10372b0d1a6907f7c9b93d1
SHA256 d470ed8b89ef39e86587825e17a0525253a2245c9be125818229d1ece015165c
SHA512 02b9fc512fb813e1aa9ee51032d0ba4182ab184883022b46f533df119649e8116869e6be6161681f38d79c1949636ba6309786425f2c1ede5b3f7a16e63a8d96

\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll

MD5 b2555aac6faa3c776c7963538e3d642c
SHA1 01d7a80ce29872195770b6a76854d4e0e5576325
SHA256 894172fcd20aa7bf493cab6599d04102208810be1b080d0ef8422b047cdb3c3f
SHA512 0571aed245f8d62d387315a27d485b1154a8664e4db96fb54a67eb2c19ccbd547040378240d60d67668867f715da7775bbe86794329b48ae27e6a5f787e63109

\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\Qt5SvgKso.dll

MD5 d7207f0e20b9ec71399fb9914ffb8278
SHA1 e862601902fb95f2cd2b79370dc0547cf382ccd5
SHA256 6b47184545802c689971608dea86a2e7925b21714db800afd56a5eb40398dcc0
SHA512 59afd7add23f80bbe0d3df5be60226b1a80133439b2b6f217a67db1911d3adaba6b360b29f4debf6ed9574619521dc3677248185ad9cc6870488565309f1a3e8

\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\qt\plugins\imageformats\qsvg.dll

MD5 90b1c6c13aa734636f94ac73d295c87a
SHA1 d5a9ab0696de39719bdb9bb71eb35353a8552525
SHA256 d62301457c3751ccb81d1a069491ef2ead1379b7910bc763f2d17969efea0406
SHA512 94a4a35294cb1ce7cf233fa95825b989fc7553a9ff78e23284aa592874fc01816fd765ecb800c030a6f92eac2ba69b1d2aad11600a2caa2afeda22e2d1b1325d

Analysis: behavioral2

Detonation Overview

Submitted 2024-11-16 12:41

Reported 2024-11-16 12:46

Platform win10v2004-20241007-en

Max time kernel 150s

Max time network 157s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ed8339884443bacb025859838dbecc918aab32be7e41b93970f1983bb6435997.msi

Signatures

Detect PurpleFox Rootkit

rootkit

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

PurpleFox

rootkit trojan purplefox

Purplefox family

purplefox

Command and Scripting Interpreter: PowerShell

execution

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\I: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\Y: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\J: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\M: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\U: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\R: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\W: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\L: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\Z: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\V: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\X: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DRrFaPIBzOdg.exe.log C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\CPUAimLinux\VjWngwTLyUFMvrqdGBJVcAiVFJgCRe C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
File created C:\Program Files\CPUAimLinux\hHILqDIvDmMm.vbs C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened for modification C:\Program Files\CPUAimLinux C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe N/A
File created C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\hHILqDIvDmMm C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe N/A
File created C:\Program Files\CPUAimLinux\fGLiHZxoRKSusbcIKqgqcOdcejVlmt C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
File created C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe N/A
File created C:\Program Files\CPUAimLinux\valibclang2d.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\VjWngwTLyUFMvrqdGBJVcAiVFJgCRe C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
File created C:\Program Files\CPUAimLinux\hHILqDIvDmMm C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
File created C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
File created C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{95A28C96-4386-4899-9645-611D6D1972C5} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1289.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e580a8c.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e580a8a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e580a8a.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\System32\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value not present in this copy of the report] C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0 C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" C:\Windows\System32\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common\reportAllInfoToDataWarehouse = "0" C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common\errorReport = "https://dpr.wps.cn/errorReport/up" C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\kingsoft C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common\FirstInstallTime = "2024-11-16 12:44:18" C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common\FirstInstall = "1" C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common\disableGlobalInfoCollect = "0" C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\System32\WScript.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
Token: 35 N/A C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
Token: 35 N/A C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1268 wrote to memory of 4388 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 1268 wrote to memory of 4388 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 1268 wrote to memory of 4068 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 1268 wrote to memory of 4068 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4068 wrote to memory of 1848 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 1848 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 4540 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 4068 wrote to memory of 4540 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 4540 wrote to memory of 2512 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe
PID 4540 wrote to memory of 2512 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe
PID 4540 wrote to memory of 2512 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe
PID 4540 wrote to memory of 4488 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4540 wrote to memory of 4488 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4540 wrote to memory of 2308 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe
PID 4540 wrote to memory of 2308 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe
PID 4540 wrote to memory of 2308 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe
PID 4068 wrote to memory of 1780 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
PID 4068 wrote to memory of 1780 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
PID 4068 wrote to memory of 1780 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
PID 4068 wrote to memory of 3556 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe
PID 4068 wrote to memory of 3556 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe
PID 4068 wrote to memory of 3556 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe
PID 4068 wrote to memory of 1472 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\taskkill.exe
PID 4068 wrote to memory of 1472 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\taskkill.exe
PID 3556 wrote to memory of 964 N/A C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe
PID 3556 wrote to memory of 964 N/A C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe
PID 3556 wrote to memory of 964 N/A C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe
PID 4508 wrote to memory of 1532 N/A C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
PID 4508 wrote to memory of 1532 N/A C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
PID 4508 wrote to memory of 1532 N/A C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
PID 1532 wrote to memory of 3692 N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
PID 1532 wrote to memory of 3692 N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
PID 1532 wrote to memory of 3692 N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ed8339884443bacb025859838dbecc918aab32be7e41b93970f1983bb6435997.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 8B02F1D9E4BD2C1A17F153163662D36B E Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\CPUAimLinux','C:\Program Files','C:\Program Files'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe" x "C:\Program Files\CPUAimLinux\fGLiHZxoRKSusbcIKqgqcOdcejVlmt" -o"C:\Program Files\CPUAimLinux\" -p"45197ey[d^pAOf{#@@Sn" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe" x "C:\Program Files\CPUAimLinux\VjWngwTLyUFMvrqdGBJVcAiVFJgCRe" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_chStxoxuRIWqJPhAEpoedGhIhshNCk.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"30487h]~8_+KDe=E3}A&" -y

C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe

"C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe" x "C:\Program Files\CPUAimLinux\fGLiHZxoRKSusbcIKqgqcOdcejVlmt" -o"C:\Program Files\CPUAimLinux\" -p"45197ey[d^pAOf{#@@Sn" -y

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe

"C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe" x "C:\Program Files\CPUAimLinux\VjWngwTLyUFMvrqdGBJVcAiVFJgCRe" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_chStxoxuRIWqJPhAEpoedGhIhshNCk.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"30487h]~8_+KDe=E3}A&" -y

C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe

"C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe" -number 177 -file file3 -mode mode3

C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe

"C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe"

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Program Files\CPUAimLinux\hHILqDIvDmMm.vbs"

C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe

"C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe" install

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /F /IM msiexec.exe

C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe

"C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe" /ThemeIndex=#ThemeIndex#

C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe

"C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe" -downpower -ThemeIndex="#ThemeIndex#" -msgwndname=wpssetup_message_E584707 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\ -msgsmname=Global\_wpssetup_message_sm_3C4

C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe

"C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe" start

C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe

"C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe"

C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe

"C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe" -number 287 -file file3 -mode mode3

C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe

"C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe" -number 62 -file file3 -mode mode3

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 3.26.192.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 im.qq.com udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 dsfgdg5641rfe.icu udp
HK 38.47.221.100:80 dsfgdg5641rfe.icu tcp
HK 118.107.29.131:13000 tcp
US 8.8.8.8:53 100.221.47.38.in-addr.arpa udp
US 8.8.8.8:53 131.29.107.118.in-addr.arpa udp
US 8.8.8.8:53 fgh523fg4juty.cyou udp
HK 38.47.218.35:18999 fgh523fg4juty.cyou tcp
US 8.8.8.8:53 35.218.47.38.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

\??\Volume{48d314f9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e160f6af-4c9a-47e4-847d-eb504dff3f2f}_OnDiskSnapshotProp

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qhquht32.y10.ps1

memory/1848-15-0x0000024C1D240000-0x0000024C1D262000-memory.dmp

C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe

C:\Program Files\CPUAimLinux\fGLiHZxoRKSusbcIKqgqcOdcejVlmt

C:\Program Files\CPUAimLinux\VjWngwTLyUFMvrqdGBJVcAiVFJgCRe

C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe

memory/1780-54-0x0000000001130000-0x000000000115F000-memory.dmp

C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe

C:\Program Files\CPUAimLinux\hHILqDIvDmMm.vbs

memory/2988-60-0x0000000000470000-0x0000000000546000-memory.dmp

C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml

C:\Users\Admin\AppData\Local\Temp\nsa3A07.tmp\v6svc_oem.dll

C:\Users\Admin\AppData\Local\Temp\nsa3A07.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nsa3A07.tmp\AccessControl.dll

C:\ProgramData\kingsoft\20241116_124414\oem.ini

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\CONTROL\product.dat

C:\Users\Admin\AppData\Local\tempinstall.ini

C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\CONTROL\office6\ucrtbase.dll

C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\CONTROL\office6\kpacketui.dll

C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\CONTROL\office6\Qt5WidgetsKso.dll

C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\CONTROL\office6\msvcp140.dll

C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\CONTROL\office6\Qt5WinExtrasKso.dll

C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\CONTROL\office6\Qt5CoreKso.dll

C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\CONTROL\office6\vcruntime140.dll

C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\CONTROL\office6\Qt5GuiKso.dll

C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\CONTROL\office6\qt\plugins\platforms\qwindows.dll

C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll

C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll

C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\CONTROL\office6\qt\plugins\imageformats\qsvg.dll

C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\CONTROL\office6\Qt5SvgKso.dll

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DRrFaPIBzOdg.exe.log

C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log

memory/3692-407-0x000000002A590000-0x000000002A5DD000-memory.dmp

memory/3692-408-0x000000002C1A0000-0x000000002C35C000-memory.dmp

memory/3692-410-0x000000002C1A0000-0x000000002C35C000-memory.dmp

memory/3692-411-0x000000002C1A0000-0x000000002C35C000-memory.dmp

memory/3692-412-0x000000002C1A0000-0x000000002C35C000-memory.dmp