Analysis Overview
SHA256
ed8339884443bacb025859838dbecc918aab32be7e41b93970f1983bb6435997
Threat Level: Known bad
The file ed8339884443bacb025859838dbecc918aab32be7e41b93970f1983bb6435997.msi.vir was found to be: Known bad.
Malicious Activity Summary
Detect PurpleFox Rootkit
Purplefox family
Gh0strat
Gh0st RAT payload
Gh0strat family
PurpleFox
Command and Scripting Interpreter: PowerShell
Enumerates connected drives
Drops file in System32 directory
Loads dropped DLL
Drops file in Program Files directory
Executes dropped EXE
Drops file in Windows directory
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
System Location Discovery: System Language Discovery
Event Triggered Execution: Installer Packages
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Kills process with taskkill
Suspicious behavior: GetForegroundWindowSpam
Uses Volume Shadow Copy service COM API
Suspicious behavior: AddClipboardFormatListener
Checks SCSI registry key(s)
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
Suspicious use of WriteProcessMemory
Suspicious behavior: CmdExeWriteProcessMemorySpam
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-16 12:42
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-16 12:41
Reported
2024-11-16 12:46
Platform
win7-20241023-en
Max time kernel
139s
Max time network
133s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| File created | C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| File created | C:\Program Files\CPUAimLinux\fGLiHZxoRKSusbcIKqgqcOdcejVlmt | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| File created | C:\Program Files\CPUAimLinux\VjWngwTLyUFMvrqdGBJVcAiVFJgCRe | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| File created | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | C:\Windows\system32\MsiExec.exe | N/A |
| File created | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.vbs | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| File created | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\CPUAimLinux\valibclang2d.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\CPUAimLinux\hHILqDIvDmMm | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| File opened for modification | C:\Program Files\CPUAimLinux\hHILqDIvDmMm | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| File opened for modification | C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| File created | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| File opened for modification | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| File opened for modification | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | C:\Windows\system32\MsiExec.exe | N/A |
| File created | C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files\CPUAimLinux\VjWngwTLyUFMvrqdGBJVcAiVFJgCRe | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI11BC.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f771059.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\f771056.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f771057.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\f771056.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f771057.ipi | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| N/A | N/A | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| N/A | N/A | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| N/A | N/A | C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe | N/A |
| N/A | N/A | C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe | N/A |
| N/A | N/A | C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office\6.0 | C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E | C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a0e77c342538db01 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet." | C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office | C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common | C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office\6.0\Common | C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office\6.0\Common\FirstInstallTime = "2024-11-16 12:44:09" | C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office\6.0\Common\FirstInstall = "1" | C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office\6.0\Common\reportAllInfoToDataWarehouse = "0" | C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common | C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft | C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office\6.0\Common\errorReport = "https://dpr.wps.cn/errorReport/up" | C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office\6.0\Common\disableGlobalInfoCollect = "0" | C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\Version = "50921476" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\SourceList\PackageName = "ed8339884443bacb025859838dbecc918aab32be7e41b93970f1983bb6435997.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FA0EF29B5B347844EAFE67E31033BA20 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\ProductName = "CPUAimLinux" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\PackageCode = "7BBCCBD37729DC941A30C09D73A0E2DC" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FA0EF29B5B347844EAFE67E31033BA20\69C82A5968349984695416D1D691275C | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\69C82A5968349984695416D1D691275C | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\69C82A5968349984695416D1D691275C\ProductFeature | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69C82A5968349984695416D1D691275C\SourceList | C:\Windows\system32\msiexec.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| N/A | N/A | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| Token: 35 | N/A | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| Token: 35 | N/A | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ed8339884443bacb025859838dbecc918aab32be7e41b93970f1983bb6435997.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D4" "00000000000003DC"
C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 5CD0512085322443860EF36EA73C001C M Global\MSI0000
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\CPUAimLinux','C:\Program Files','C:\Program Files'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe" x "C:\Program Files\CPUAimLinux\fGLiHZxoRKSusbcIKqgqcOdcejVlmt" -o"C:\Program Files\CPUAimLinux\" -p"45197ey[d^pAOf{#@@Sn" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe" x "C:\Program Files\CPUAimLinux\VjWngwTLyUFMvrqdGBJVcAiVFJgCRe" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_chStxoxuRIWqJPhAEpoedGhIhshNCk.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"30487h]~8_+KDe=E3}A&" -y
C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe
"C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe" x "C:\Program Files\CPUAimLinux\fGLiHZxoRKSusbcIKqgqcOdcejVlmt" -o"C:\Program Files\CPUAimLinux\" -p"45197ey[d^pAOf{#@@Sn" -y
C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 2
C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe
"C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe" x "C:\Program Files\CPUAimLinux\VjWngwTLyUFMvrqdGBJVcAiVFJgCRe" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_chStxoxuRIWqJPhAEpoedGhIhshNCk.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"30487h]~8_+KDe=E3}A&" -y
C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
"C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe" -number 177 -file file3 -mode mode3
C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe
"C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe"
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM msiexec.exe
C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe
"C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe" /ThemeIndex=#ThemeIndex#
C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe
"C:\ProgramData\kingsoft\20241116_124406\WPS_Setup_18608.exe" -downpower -ThemeIndex="#ThemeIndex#" -msgwndname=wpssetup_message_F773D8D -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~f773b8a\ -msgsmname=Global\_wpssetup_message_sm_644
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | im.qq.com | udp |
Files
memory/1112-12-0x0000000000400000-0x0000000000410000-memory.dmp
memory/908-17-0x000000001B510000-0x000000001B7F2000-memory.dmp
memory/908-18-0x0000000002890000-0x0000000002898000-memory.dmp
C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe
| MD5 | c31c4b04558396c6fabab64dcf366534 |
| SHA1 | fa836d92edc577d6a17ded47641ba1938589b09a |
| SHA256 | 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3 |
| SHA512 | 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99 |
C:\Program Files\CPUAimLinux\fGLiHZxoRKSusbcIKqgqcOdcejVlmt
| MD5 | e233a45f26a7bcba7da4753f8c37adc9 |
| SHA1 | 00878732ed88595ebcb3be39fd3f7584fa2644f0 |
| SHA256 | a55cbb492f4b7ecc032a93555107e641046260bd482cff1575bfe8ba5a6ada8a |
| SHA512 | 50c319e8ea9604b010974223c237a5f9581e616c381203659487ac652907eb4f585e44786c878401b55955d8fe88b167bf03b3b703f793dcbdfcf7d17074e78d |
C:\Program Files\CPUAimLinux\VjWngwTLyUFMvrqdGBJVcAiVFJgCRe
| MD5 | eee25c225234065db6432f7de863f264 |
| SHA1 | ac362f95903ba8a92c1a9f38e06bd073d342e013 |
| SHA256 | d092b5b4598c79c4bb0a35f6d0b2aa84df599f9b7323c66f3182d3129e57d7a2 |
| SHA512 | 544fe602951159f43c43ec8f9ae84130f06d81439c6eff76e142daa65ad5ff0f1c3b213bbc5af2c928105b5dc08d7b9e5f766653df71586d3210aad1624b3ea3 |
C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe
| MD5 | db6688b70f3255877e15541970145e68 |
| SHA1 | 5f69edadeb9e7dae7f4b034031cb325ce1c7f2bd |
| SHA256 | 208f1f3a5928a4b6ea18e91bbbd33ad8d04273f067983e8e09490b1b8a12f7cb |
| SHA512 | 72f588728035f844662381e928ed117134ce2bae1be1848204fc1bd753f37fbdfd4a683ff1454ef944643a51c2fe9944a651b2847428f8d15a1c6c026e0ecfce |
C:\Config.Msi\f771058.rbs
| MD5 | 00cd63df4b7e085795da8edd44bfc85c |
| SHA1 | a83d2e1ba5573783574629fe7eeed0f88cb06852 |
| SHA256 | 651ede53e3a3fa20325fb89fb8594662892a129d52ab2a4853446086ea45135c |
| SHA512 | d30e48fc26f93424e433c1608600166d31174106196333d8b31416c20279701510d903b5532e2747b119b848bfff37b4a7d9109701c1d22f37b263febcef02b3 |
\Users\Admin\AppData\Local\Temp\nst340C.tmp\v6svc_oem.dll
| MD5 | 500318167948bdd3ad42a40721e1a72b |
| SHA1 | 24134691693e6d78d6eb0a0c64833c12a0090968 |
| SHA256 | d3378ee739debcaee8c715963403d96bf025db98bfbb55e54635429890db85c6 |
| SHA512 | 0a2d3b55528cc53cfce5b47158997300c562afd2c7bb5596532b218d3f482380887ee7c204b13d42425dc0c4cc439a7f9ed167f3767bda7b6e205e7e8f454863 |
\Users\Admin\AppData\Local\Temp\nst340C.tmp\System.dll
| MD5 | 0063d48afe5a0cdc02833145667b6641 |
| SHA1 | e7eb614805d183ecb1127c62decb1a6be1b4f7a8 |
| SHA256 | ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7 |
| SHA512 | 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0 |
\Users\Admin\AppData\Local\Temp\nst340C.tmp\AccessControl.dll
| MD5 | 28c87a09fdb49060aa4ab558a2832109 |
| SHA1 | 9213a24964cd479eac91d01ad54190f9c11d0c75 |
| SHA256 | 933cadcd3a463484bbb3c45077afda0edbb539dfbe988efad79a88cae63bf95f |
| SHA512 | 413b3afe5a3b139a199f2a6954edc055eee3b312c3dffd568cfdbe1f740f07a7c27fbf7b2a0b6e3c3dd6ee358ce96cc1ca821883f055bf63ddebda854384700d |
memory/1200-75-0x00000000003B0000-0x00000000003DF000-memory.dmp
C:\ProgramData\kingsoft\20241116_124406\oem.ini
| MD5 | 920068869d99afbee8244a2be1e667dd |
| SHA1 | 4fb5d143480d258cb4afa9d009b303a08fc9122b |
| SHA256 | 53b4432efa05bb55dec931a4641e32a6dccae3fb4730bf66bab2fe58df904d2f |
| SHA512 | 466623f31264a788fbf83589f8d5601ba1797d9df21da04fca5a13ff25678ddc3291d3086fedfbf5829a1eed93a67759af704c51c38c3378202c34e242eae8da |
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
| MD5 | a443a2554bc200c0a01c926a50e94ed4 |
| SHA1 | 778d1a1f30b480e9fda9c60ee2bc4ba05711cbee |
| SHA256 | 57965bea43c7c022ccb1a9de0c8156426a6242dfa38cf8f70761aa1c15de9904 |
| SHA512 | 66c436b785a444ab74adebe17fb1635c587afe21ee3b1e284129c1e1fe1da7128039659b60114fffe4a25f51eb524407814debda15804dfb3718d32f7cdcf734 |
memory/1604-185-0x00000000001B0000-0x00000000001B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\product.dat
| MD5 | bb7426885c5f57b6b9405fdc7a94cc65 |
| SHA1 | 0a58a34a41cbea358fd57d278e9b15e669cc28e6 |
| SHA256 | f32133a910d0ab4b64bb7bc33fd5894e1afeb048b83b09336d8b02cd4c7ae118 |
| SHA512 | 3e8d20fc055b9ebbb49439adc69878e2b1c9a11f45400e7155874c031f950e3dc6ece86998366345c85ee98ac091ac319eb2175fd0100e300b9e856d06ef891d |
C:\Users\Admin\AppData\Local\tempinstall.ini
| MD5 | 6a5eea749583001de63b993fc66496ba |
| SHA1 | fd41691ec4751e85be89917d46454f8533800b4e |
| SHA256 | bca613688e735ccd1fae7164550bd8ae90862028cd0bf31534c149ea0d7c9f60 |
| SHA512 | 6a5b9b863bf139c87b5734d6e8310c7231a1015d8eceb15f76ccf7676d36f9107fd5d817a6f04ed47c3ee45be409073c837beee3c079abde5bc38233c98b9712 |
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
| MD5 | 88016c1d360030c39c88d854eb03e02c |
| SHA1 | fe48a024b3a76ca6e7ccd6978765166e6aefa3ab |
| SHA256 | ea9f4f86b64b283bdd4c7ac03a4654f23b0b9be12f6a144314cdf12cef840d9c |
| SHA512 | 74fb703a2c6b78e5db9fb55dae123dda7bee88a0c32ce81d3c52db937e3d30fe2b155009c11f2a34948b6cac4811cb74d2a6a649bbebbfd8de9d619333861ddf |
C:\Users\Admin\AppData\Local\tempinstall.ini
| MD5 | 5e1b68b67986b1588301c0135f19fc7c |
| SHA1 | 957ea47285f7d903cce7530ee34852435de5b5b4 |
| SHA256 | 23456d8ce681d1a5a31bf06262e088f4feb8d0e8fdc1d37afa4aa02830ffacdc |
| SHA512 | 268ec437c5971552dacca1e9ef6850543614d5a7f05ac34b41bf05f73e97e4c694d59e4f0618a57660ffad4f2faee653b4c0c824f97a6e9fddc48d22c52739af |
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
| MD5 | 616e8eb1877ea43699663ba8708c6a84 |
| SHA1 | 73e404b92496146675f90995d0199139773cdd57 |
| SHA256 | 178a7bdd031d2d98f9a8d024c012cb2056aa38d4f1a2ccb5db181b6900ebf7d1 |
| SHA512 | 97ee03546755387655703bf05c4f2bbaa0e3b73be09ee45719d7553dc46876c40ce956242f66a62852e84f2550cc932fecb9a363b45f7e6ca1453d87cb958849 |
\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\ucrtbase.dll
| MD5 | 2040cdcd779bbebad36d36035c675d99 |
| SHA1 | 918bc19f55e656f6d6b1e4713604483eb997ea15 |
| SHA256 | 2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359 |
| SHA512 | 83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f |
\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 21519f4d5f1fea53532a0b152910ef8b |
| SHA1 | 7833ac2c20263c8be42f67151f9234eb8e4a5515 |
| SHA256 | 5fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1 |
| SHA512 | 97211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417 |
\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-core-file-l2-1-0.dll
| MD5 | b181124928d8eb7b6caa0c2c759155cb |
| SHA1 | 1aadbbd43eff2df7bab51c6f3bda2eb2623b281a |
| SHA256 | 24ea638dfa9f40e2f395e26e36d308db2ab25ed1baa5c796ac2c560ad4c89d77 |
| SHA512 | 2a43bf4d50d47924374cde689be24799c4e1c132c0bc981f5109952d3322e91dd5a9352b53bb55ca79a6ea92e2c387e87c064b9d8c8f519b77fff973d752dc8f |
\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | 86421619dad87870e5f3cc0beb1f7963 |
| SHA1 | 2f0fe3eb94fa90577846d49c03c4fd08ef9d3fb2 |
| SHA256 | 64eccd818f6ffc13f57a2ec5ca358b401ffbb1ca13b0c523d479ef5ee9eb44ab |
| SHA512 | dbce9904dd5a403a5a69e528ee1179cc5faab1361715a29b1a0de0cd33ad3ae9c9d5620dafb161fda86cb27909d001be8955940fd051077ffe6f3ff82357ad31 |
\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-core-file-l1-2-0.dll
| MD5 | cd3cec3d65ae62fdf044f720245f29c0 |
| SHA1 | c4643779a0f0f377323503f2db8d2e4d74c738ca |
| SHA256 | 676a6da661e0c02e72bea510f5a48cae71fdc4da0b1b089c24bff87651ec0141 |
| SHA512 | aca1029497c5a9d26ee09810639278eb17b8fd11b15c9017c8b578fced29cef56f172750c4cc2b0d1ebf8683d29e15de52a6951fb23d78712e31ddcb41776b0f |
\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | b5c8334a10b191031769d5de01df9459 |
| SHA1 | 83a8fcc777c7e8c42fa4c59ee627baf6cbed1969 |
| SHA256 | 6c27ac0542281649ec8638602fbc24f246424ba550564fc7b290b683f79e712d |
| SHA512 | 59e53c515dfa2cd96182ca6539ed0ea2ebb01f5991beb08166d1fc53576aeaafebbb2c5ee0ccbdab60ae45fc6a048fff0b5e1b8c9c26907791d31fb7e75b1f39 |
\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\kpacketui.dll
| MD5 | 283a731e55f15516cbefe175ced45d26 |
| SHA1 | 59eb1520c7b7f1ca8faa494426d6c9a64c15e145 |
| SHA256 | 9fa73aeb2092080fc29f80f3a1287c1740ed4eb85f883c87be385c846b9b47fe |
| SHA512 | 7dc7da18fe2376780ccc226ee1caf7eddb38edc4540fab8c2e5a9589dcdea3b8218fb483df2e8b5c5df358e484b161292399340f4e1ea06b71464b05b220643b |
\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\Qt5WinExtrasKso.dll
| MD5 | 4df516604e20d8defb35aaf0fb16a2b5 |
| SHA1 | 6b34b3fcb1da882e6adbd78f1aa38bfc4710a098 |
| SHA256 | 4c7efb65779f1b988bfc12623e042338061bd123a89b8171c7db7ace7d416628 |
| SHA512 | cd7d4b005f1ff7fbdfbb15da4ffe5513fcb741b2088fa42560f45b6fe4f3dd97efb78c7a2ec49b0ce8a0dc4a5fe237f4ffc68ea6c8b6a048718876656fb5282d |
\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\Qt5GuiKso.dll
| MD5 | c79bc97c4dc3a9f6beff0d18a0916b15 |
| SHA1 | 3cb0b6ae6fd034ee24511c8ecd91c16d73d2b76a |
| SHA256 | 0c490173ab692710614f42dde8cf643aec26ff4636dc25d778d1444fe90368ea |
| SHA512 | df1475695972a4c17401a4552e43eb249a99c77c3292c42d48a64964bcd10534fa006ab09124acb197b0b27283042afd0e9163953f824507ca2279c04a82d147 |
\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\Qt5CoreKso.dll
| MD5 | e847288468d4daadcb8f5a8bb152e923 |
| SHA1 | 574f7b2d1def9d79c4257c4268246fb399041bf6 |
| SHA256 | dc450ada7d31c9df923803e687c87dda9b9bec5e3f0efef6a30206872c9559a5 |
| SHA512 | b0c939485c7ab200837f8f4eb1da305644457825611a6d829cb6f789e486ef69ef4716f152e487b599f85cddaeb53808e71e3e016b4f7b4c4a71a2506586e133 |
\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\msvcp140.dll
| MD5 | db1e9807b717b91ac6df6262141bd99f |
| SHA1 | f55b0a6b2142c210bbfeebf1bac78134acc383b2 |
| SHA256 | 5a6dfa5e1ffb6c1e7fc76bd121c6c91305e10dd75fc2124f79fee291a9dd9e86 |
| SHA512 | f0621977d20989d21ae14b66c1a7a6c752bfd6d7ccc2c4c4ec1c70ba6756e642fb7f9b1c6a94afadd0f8a05d3c377792e4aa4c1a771d833c40a6f46b90cbe7c3 |
\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-crt-string-l1-1-0.dll
| MD5 | f364190706414020c02cf4d531e0229d |
| SHA1 | 5899230b0d7ad96121c3be0df99235ddd8a47dc6 |
| SHA256 | a797c0d43a52e7c8205397225ac931638d73b567683f38dd803195da9d34eac2 |
| SHA512 | a9c8abbd846ab55942f440e905d1f3864b82257b8daa44c784b1997a060de0c0439ecc25a2193032d4d85191535e9253e435deed23bdf3d3cb48c4209005a02e |
\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-crt-utility-l1-1-0.dll
| MD5 | 3dfb82541979a23a9deb5fd4dcfb6b22 |
| SHA1 | 5da1d02b764917b38fdc34f4b41fb9a599105dd9 |
| SHA256 | 0cd6d0ff0ff5ecf973f545e98b68ac6038db5494a8990c3b77b8a95b664b6feb |
| SHA512 | f9a20b3d44d39d941fa131c3a1db37614a2f9b2af7260981a0f72c69f82a5326901f70a56b5f7ad65862630fce59b02f650a132ee7ecfe2e4fc80f694483ca82 |
\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-crt-math-l1-1-0.dll
| MD5 | 461d5af3277efb5f000b9df826581b80 |
| SHA1 | 935b00c88c2065f98746e2b4353d4369216f1812 |
| SHA256 | f9ce464b89dd8ea1d5e0b852369fe3a8322b4b9860e5ae401c9a3b797aed17bf |
| SHA512 | 229bf31a1de1e84cf238a0dfe0c3a13fee86da94d611fbc8fdb65086dee6a8b1a6ba37c44c5826c3d8cfa120d0fba9e690d31c5b4e73f98c8362b98be1ee9600 |
\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-crt-environment-l1-1-0.dll
| MD5 | 0979785e3ef8137cdd47c797adcb96e3 |
| SHA1 | 4051c6eb37a4c0dba47b58301e63df76bff347dd |
| SHA256 | d5164aecde4523ffa2dcfd0315b49428ac220013132ad48422a8ea4ca2361257 |
| SHA512 | e369bc53babd327f5d1b9833c0b8d6c7e121072ad81d4ba1fb3e2679f161fb6a9fa2fca0df0bac532fd439beb0d754583582d1dbfeccf2d38cc4f3bdca39b52d |
\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\Qt5WidgetsKso.dll
| MD5 | e680d10a2632b3bcc9e87790b11c9fc5 |
| SHA1 | c97b51036952a79e7173e672f59492487902952a |
| SHA256 | ec89fe25ce694fa68c80aab24cef732c0d9d102b35f38b946cdcce517b5ad329 |
| SHA512 | cb6284236c3259bbacc2f90cb6ac059ef9da9d03277df21ac0ec69eb0132271a346477e9305875d4723f6f3327d04fd5f5bb26a9b39d8e8b7c94fea57a83dceb |
\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-crt-time-l1-1-0.dll
| MD5 | d0b6a2caec62f5477e4e36b991563041 |
| SHA1 | 8396e1e02dace6ae4dde33b3e432a3581bc38f5d |
| SHA256 | fd44d833ea40d50981b3151535618eb57b5513ed824a9963251d07abff2baedf |
| SHA512 | 69bd6df96de99e6ab9c12d8a1024d20a034a7db3e2b62e8be7fdbc838c4e9001d2497b04209e07a5365d00366c794c31ee89b133304e475dde5f92fdb7fcb0bc |
\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-crt-filesystem-l1-1-0.dll
| MD5 | a1b6cebd3d7a8b25b9a9cbc18d03a00c |
| SHA1 | 5516de099c49e0e6d1224286c3dc9b4d7985e913 |
| SHA256 | 162ccf78fa5a4a2ee380f72fbd54d17a73c929a76f6e3659f537fa8f42602362 |
| SHA512 | a322fb09e6faaff0daabb4f0284e4e90ccacff27161dbfd77d39a9a93dbf30069b9d86bf15a07fc2006a55af2c35cd8ea544895c93e2e1697c51f2dafad5a9d7 |
\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-crt-locale-l1-1-0.dll
| MD5 | 50b721a0c945abe3edca6bcee2a70c6c |
| SHA1 | f35b3157818d4a5af3486b5e2e70bb510ac05eff |
| SHA256 | db495c7c4ad2072d09b2d4506b3a50f04487ad8b27d656685ea3fa5d9653a21d |
| SHA512 | ef2f6d28d01a5bad7c494851077d52f22a11514548c287e513f4820c23f90020a0032e2da16cc170ae80897ae45fc82bffc9d18afb2ae1a7b1da6eef56240840 |
\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-crt-convert-l1-1-0.dll
| MD5 | 88f89d0f2bd5748ed1af75889e715e6a |
| SHA1 | 8ada489b9ff33530a3fb7161cc07b5b11dfb8909 |
| SHA256 | 02c78781bf6cc5f22a0ecedc3847bfd20bed4065ac028c386d063dc2318c33cc |
| SHA512 | 1f5a00284ca1d6dc6ae2dfce306febfa6d7d71d421583e4ce6890389334c2d98291e98e992b58136f5d1a41590553e3ad42fb362247ae8adf60e33397afbb5df |
\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-crt-stdio-l1-1-0.dll
| MD5 | 5765103e1f5412c43295bd752ccaea03 |
| SHA1 | 6913bf1624599e55680a0292e22c89cab559db81 |
| SHA256 | 8f7ace43040fa86e972cc74649d3e643d21e4cad6cb86ba78d4c059ed35d95e4 |
| SHA512 | 5844ac30bc73b7ffba75016abefb8a339e2f2822fc6e1441f33f70b6eb7114f828167dfc34527b0fb5460768c4de7250c655bc56efd8ba03115cd2dd6f6c91c0 |
\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-crt-heap-l1-1-0.dll
| MD5 | a6a9dfb31be2510f6dbfedd476c6d15a |
| SHA1 | cdb6d8bd1fbd1c71d85437cff55ddeb76139dbe7 |
| SHA256 | 150d32b77b2d7f49c8d4f44b64a90d7a0f9df0874a80fc925daf298b038a8e4c |
| SHA512 | b4f0e8fa148fac8a94e04bf4b44f2a26221d943cc399e7f48745ed46e8b58c52d9126110cdf868ebb723423fb0e304983d24fe6608d3757a43ad741bddb3b7ec |
\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\api-ms-win-crt-runtime-l1-1-0.dll
| MD5 | 4f06da894ea013a5e18b8b84a9836d5a |
| SHA1 | 40cf36e07b738aa8bba58bc5587643326ff412a9 |
| SHA256 | 876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732 |
| SHA512 | 1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79 |
\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\vcruntime140.dll
| MD5 | 8fdb26199d64ae926509f5606460f573 |
| SHA1 | 7d7d8849e7c77af3042a6f54bdf2bb303d7cd678 |
| SHA256 | f1fd5f6ec1cfe0cc3b66b5322ac97568bc63b19c1e415b99aad7c69ddbafa33c |
| SHA512 | f56bf11d4259dbf5d4d1f9fc2ad60ff609cddb21278999e9fa55fe5d74552e8a01ddc55cfdc9bf4b09b3e3130a1356142a24a7db8ec5ea19344de617dc9fa99f |
\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\qt\plugins\platforms\qwindows.dll
| MD5 | b6a37f22541908b36755c1b2907f4972 |
| SHA1 | 1327b11691fe35918cedfaf35b7c3f2c040f07d0 |
| SHA256 | 915bc4bb230e1a33ddca17faa5d1a5d63b33a1382a425d4c7364301283f9b977 |
| SHA512 | bcace988eae77a67a162aea424920d6ca5ca3b83a4047e450380f67dd6966c47d6b98aeb5b9f05f972f7b4ec39e2ba1cb648997efd62fc82087a24563326b6d3 |
\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll
| MD5 | ce3eb6e3e6d950fb03ed3753baafd6d1 |
| SHA1 | cadd8a045a037a9ce10372b0d1a6907f7c9b93d1 |
| SHA256 | d470ed8b89ef39e86587825e17a0525253a2245c9be125818229d1ece015165c |
| SHA512 | 02b9fc512fb813e1aa9ee51032d0ba4182ab184883022b46f533df119649e8116869e6be6161681f38d79c1949636ba6309786425f2c1ede5b3f7a16e63a8d96 |
\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll
| MD5 | b2555aac6faa3c776c7963538e3d642c |
| SHA1 | 01d7a80ce29872195770b6a76854d4e0e5576325 |
| SHA256 | 894172fcd20aa7bf493cab6599d04102208810be1b080d0ef8422b047cdb3c3f |
| SHA512 | 0571aed245f8d62d387315a27d485b1154a8664e4db96fb54a67eb2c19ccbd547040378240d60d67668867f715da7775bbe86794329b48ae27e6a5f787e63109 |
\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\Qt5SvgKso.dll
| MD5 | d7207f0e20b9ec71399fb9914ffb8278 |
| SHA1 | e862601902fb95f2cd2b79370dc0547cf382ccd5 |
| SHA256 | 6b47184545802c689971608dea86a2e7925b21714db800afd56a5eb40398dcc0 |
| SHA512 | 59afd7add23f80bbe0d3df5be60226b1a80133439b2b6f217a67db1911d3adaba6b360b29f4debf6ed9574619521dc3677248185ad9cc6870488565309f1a3e8 |
\Users\Admin\AppData\Local\Temp\wps\~f773b8a\CONTROL\office6\qt\plugins\imageformats\qsvg.dll
| MD5 | 90b1c6c13aa734636f94ac73d295c87a |
| SHA1 | d5a9ab0696de39719bdb9bb71eb35353a8552525 |
| SHA256 | d62301457c3751ccb81d1a069491ef2ead1379b7910bc763f2d17969efea0406 |
| SHA512 | 94a4a35294cb1ce7cf233fa95825b989fc7553a9ff78e23284aa592874fc01816fd765ecb800c030a6f92eac2ba69b1d2aad11600a2caa2afeda22e2d1b1325d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-16 12:41
Reported
2024-11-16 12:46
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
157s
Command Line
Signatures
Detect PurpleFox Rootkit
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
PurpleFox
Purplefox family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| File opened (read-only) | \??\I: | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| File opened (read-only) | \??\J: | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| File opened (read-only) | \??\M: | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| File opened (read-only) | \??\U: | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| File opened (read-only) | \??\R: | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| File opened (read-only) | \??\W: | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| File opened (read-only) | \??\L: | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| File opened (read-only) | \??\V: | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| File opened (read-only) | \??\X: | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DRrFaPIBzOdg.exe.log | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\CPUAimLinux\VjWngwTLyUFMvrqdGBJVcAiVFJgCRe | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| File opened for modification | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| File created | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.vbs | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| File opened for modification | C:\Program Files\CPUAimLinux | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| File opened for modification | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe | N/A |
| File created | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| File opened for modification | C:\Program Files\CPUAimLinux\hHILqDIvDmMm | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| File opened for modification | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe | N/A |
| File created | C:\Program Files\CPUAimLinux\fGLiHZxoRKSusbcIKqgqcOdcejVlmt | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| File opened for modification | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| File created | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe | N/A |
| File created | C:\Program Files\CPUAimLinux\valibclang2d.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files\CPUAimLinux\VjWngwTLyUFMvrqdGBJVcAiVFJgCRe | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| File created | C:\Program Files\CPUAimLinux\hHILqDIvDmMm | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| File created | C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| File created | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{95A28C96-4386-4899-9645-611D6D1972C5} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1289.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e580a8c.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e580a8a.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e580a8a.msi | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| N/A | N/A | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| N/A | N/A | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| N/A | N/A | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe | N/A |
| N/A | N/A | C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe | N/A |
| N/A | N/A | C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe | N/A |
| N/A | N/A | C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe | N/A |
| N/A | N/A | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe | N/A |
| N/A | N/A | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe | N/A |
| N/A | N/A | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| N/A | N/A | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f914d34881601a250000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f914d3480000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f914d348000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df914d348000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f914d34800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0 | C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common\reportAllInfoToDataWarehouse = "0" | C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common\errorReport = "https://dpr.wps.cn/errorReport/up" | C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\kingsoft | C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common | C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common | C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common\FirstInstallTime = "2024-11-16 12:44:18" | C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common\FirstInstall = "1" | C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office | C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common\disableGlobalInfoCollect = "0" | C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\System32\WScript.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| Token: 35 | N/A | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| Token: 35 | N/A | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ed8339884443bacb025859838dbecc918aab32be7e41b93970f1983bb6435997.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 8B02F1D9E4BD2C1A17F153163662D36B E Global\MSI0000
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\CPUAimLinux','C:\Program Files','C:\Program Files'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe" x "C:\Program Files\CPUAimLinux\fGLiHZxoRKSusbcIKqgqcOdcejVlmt" -o"C:\Program Files\CPUAimLinux\" -p"45197ey[d^pAOf{#@@Sn" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe" x "C:\Program Files\CPUAimLinux\VjWngwTLyUFMvrqdGBJVcAiVFJgCRe" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_chStxoxuRIWqJPhAEpoedGhIhshNCk.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"30487h]~8_+KDe=E3}A&" -y
C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe
"C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe" x "C:\Program Files\CPUAimLinux\fGLiHZxoRKSusbcIKqgqcOdcejVlmt" -o"C:\Program Files\CPUAimLinux\" -p"45197ey[d^pAOf{#@@Sn" -y
C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 2
C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe
"C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe" x "C:\Program Files\CPUAimLinux\VjWngwTLyUFMvrqdGBJVcAiVFJgCRe" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_chStxoxuRIWqJPhAEpoedGhIhshNCk.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"30487h]~8_+KDe=E3}A&" -y
C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
"C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe" -number 177 -file file3 -mode mode3
C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe
"C:\Program Files\CPUAimLinux\WPS_Setup_18608.exe"
C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Program Files\CPUAimLinux\hHILqDIvDmMm.vbs"
C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe
"C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe" install
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM msiexec.exe
C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe
"C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe" /ThemeIndex=#ThemeIndex#
C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe
"C:\ProgramData\kingsoft\20241116_124414\WPS_Setup_18608.exe" -downpower -ThemeIndex="#ThemeIndex#" -msgwndname=wpssetup_message_E584707 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\ -msgsmname=Global\_wpssetup_message_sm_3C4
C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe
"C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe" start
C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe
"C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe"
C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
"C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe" -number 287 -file file3 -mode mode3
C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
"C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe" -number 62 -file file3 -mode mode3
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.26.192.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | im.qq.com | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dsfgdg5641rfe.icu | udp |
| HK | 38.47.221.100:80 | dsfgdg5641rfe.icu | tcp |
| HK | 118.107.29.131:13000 | tcp | |
| US | 8.8.8.8:53 | 100.221.47.38.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.29.107.118.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fgh523fg4juty.cyou | udp |
| HK | 38.47.218.35:18999 | fgh523fg4juty.cyou | tcp |
| US | 8.8.8.8:53 | 35.218.47.38.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
\??\Volume{48d314f9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e160f6af-4c9a-47e4-847d-eb504dff3f2f}_OnDiskSnapshotProp
| MD5 | 8fc0497485f71adc53dceb358b82f7e3 |
| SHA1 | 9b5e9a37c756328cb2ca1a5b11190faf3e4b1053 |
| SHA256 | f9d2df40b2abcc6bfb69e83e7a46159bfe4f0c80b7040582374b1b81386b4814 |
| SHA512 | ee492593e7c6e9b62f49bd1f173d880ba194df26434cd637e722fc68e9401b190421c5f3a95ee33bbae00849f822d0f721321e0ab99660d548e3d69ef8250a81 |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | efbd0670c7a3f789d80ea8a8b39ff4cc |
| SHA1 | b88af4aa4dbfc60e8b75987939b9d0805e55b5e5 |
| SHA256 | dcfc5fee73dd6d545544696dac570aeb077ecc4f8e9911d31782b3acb5880cd8 |
| SHA512 | 5c500c26ad0d1f6ceaa07f354ce75c9618d48dde6f92d6e4d62f561c73988e461ad2864f564b4fc48b6b0cabbc55ecad120fd953f434830b115b5261f1e2c3c9 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qhquht32.y10.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1848-15-0x0000024C1D240000-0x0000024C1D262000-memory.dmp
C:\Program Files\CPUAimLinux\oBGpvCOsXZJroRXUFejtZSteQdRKYn.exe
| MD5 | c31c4b04558396c6fabab64dcf366534 |
| SHA1 | fa836d92edc577d6a17ded47641ba1938589b09a |
| SHA256 | 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3 |
| SHA512 | 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99 |
C:\Program Files\CPUAimLinux\fGLiHZxoRKSusbcIKqgqcOdcejVlmt
| MD5 | e233a45f26a7bcba7da4753f8c37adc9 |
| SHA1 | 00878732ed88595ebcb3be39fd3f7584fa2644f0 |
| SHA256 | a55cbb492f4b7ecc032a93555107e641046260bd482cff1575bfe8ba5a6ada8a |
| SHA512 | 50c319e8ea9604b010974223c237a5f9581e616c381203659487ac652907eb4f585e44786c878401b55955d8fe88b167bf03b3b703f793dcbdfcf7d17074e78d |
C:\Program Files\CPUAimLinux\VjWngwTLyUFMvrqdGBJVcAiVFJgCRe
| MD5 | eee25c225234065db6432f7de863f264 |
| SHA1 | ac362f95903ba8a92c1a9f38e06bd073d342e013 |
| SHA256 | d092b5b4598c79c4bb0a35f6d0b2aa84df599f9b7323c66f3182d3129e57d7a2 |
| SHA512 | 544fe602951159f43c43ec8f9ae84130f06d81439c6eff76e142daa65ad5ff0f1c3b213bbc5af2c928105b5dc08d7b9e5f766653df71586d3210aad1624b3ea3 |
C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe
| MD5 | db6688b70f3255877e15541970145e68 |
| SHA1 | 5f69edadeb9e7dae7f4b034031cb325ce1c7f2bd |
| SHA256 | 208f1f3a5928a4b6ea18e91bbbd33ad8d04273f067983e8e09490b1b8a12f7cb |
| SHA512 | 72f588728035f844662381e928ed117134ce2bae1be1848204fc1bd753f37fbdfd4a683ff1454ef944643a51c2fe9944a651b2847428f8d15a1c6c026e0ecfce |
memory/1780-54-0x0000000001130000-0x000000000115F000-memory.dmp
C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe
| MD5 | d305d506c0095df8af223ac7d91ca327 |
| SHA1 | 679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a |
| SHA256 | 923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66 |
| SHA512 | 94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796 |
C:\Program Files\CPUAimLinux\hHILqDIvDmMm.vbs
| MD5 | 6c1dc3d5a28bb7d9cd6b3727ea453446 |
| SHA1 | 1fef050968fb54a54ec19c3b620d2f19706baac8 |
| SHA256 | 6acdc010db5a967bd19b86ad766d547a72de8ad12f773d10d4e09df1d1c3219a |
| SHA512 | 08a16406777e228a54ad71f962f8c50073d3b2d5c3e5822a27f5df0ee9bbf5fe13a08d3b38f2378f0efac12aa6da767d91e2e1f0a324f8888d9fe09edb1709ad |
memory/2988-60-0x0000000000470000-0x0000000000546000-memory.dmp
C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml
| MD5 | dcdff8627dbc3f97725994e4feef092b |
| SHA1 | 8f3abbe5d2b9f1c9453430bca3b30fd09d9e2f88 |
| SHA256 | 9833b49bc0c34be7c3ac999f79e7d7ea5a6af9251cc39a7fec8b5a100b9788df |
| SHA512 | e1fe2f1a2e0dd01a49f5caa0a75d311dfa913e33e499dfda53a9725732228c52d4dab9784bf7b7baba11eef845909fd8ca7847a8f2fb8d4aa3e8ff45f624dd6d |
C:\Users\Admin\AppData\Local\Temp\nsa3A07.tmp\v6svc_oem.dll
| MD5 | 500318167948bdd3ad42a40721e1a72b |
| SHA1 | 24134691693e6d78d6eb0a0c64833c12a0090968 |
| SHA256 | d3378ee739debcaee8c715963403d96bf025db98bfbb55e54635429890db85c6 |
| SHA512 | 0a2d3b55528cc53cfce5b47158997300c562afd2c7bb5596532b218d3f482380887ee7c204b13d42425dc0c4cc439a7f9ed167f3767bda7b6e205e7e8f454863 |
C:\Users\Admin\AppData\Local\Temp\nsa3A07.tmp\System.dll
| MD5 | 0063d48afe5a0cdc02833145667b6641 |
| SHA1 | e7eb614805d183ecb1127c62decb1a6be1b4f7a8 |
| SHA256 | ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7 |
| SHA512 | 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0 |
C:\Users\Admin\AppData\Local\Temp\nsa3A07.tmp\AccessControl.dll
| MD5 | 28c87a09fdb49060aa4ab558a2832109 |
| SHA1 | 9213a24964cd479eac91d01ad54190f9c11d0c75 |
| SHA256 | 933cadcd3a463484bbb3c45077afda0edbb539dfbe988efad79a88cae63bf95f |
| SHA512 | 413b3afe5a3b139a199f2a6954edc055eee3b312c3dffd568cfdbe1f740f07a7c27fbf7b2a0b6e3c3dd6ee358ce96cc1ca821883f055bf63ddebda854384700d |
C:\ProgramData\kingsoft\20241116_124414\oem.ini
| MD5 | 920068869d99afbee8244a2be1e667dd |
| SHA1 | 4fb5d143480d258cb4afa9d009b303a08fc9122b |
| SHA256 | 53b4432efa05bb55dec931a4641e32a6dccae3fb4730bf66bab2fe58df904d2f |
| SHA512 | 466623f31264a788fbf83589f8d5601ba1797d9df21da04fca5a13ff25678ddc3291d3086fedfbf5829a1eed93a67759af704c51c38c3378202c34e242eae8da |
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
| MD5 | 8819891f01d0b1499dad300726ab6c02 |
| SHA1 | cfda5b0ed94d56c616da542a20c0db97c720e2cf |
| SHA256 | 7d2f6dc6fc35c36c005fd2d82a514afe9a267b29e856fe34afd1c289ef4f66c9 |
| SHA512 | 81b85ef7b0c86513b8d64d0a2b5eaa027fbe8f9e039bb020fb5fe65ebde7b7c28e606fc7a43622f0278b6fd583bf8b03d301927defedb14e637bef2a7118bed7 |
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
| MD5 | 63604f53a8d7db7fa9bc8bd898ff9a6b |
| SHA1 | b70605e91b4e33540f72d02317b3ea6be23b102a |
| SHA256 | cdc6dbee4e23a953a7a031a2f831f6e6053447cc9a3bf10058a1d5c24f919a33 |
| SHA512 | 169c7933dbb02123de94f2871cb6800c639cc6310252ba6a35217da028a67e8f6b41b598575ddee2df7bf2705713acc3bd6560aa5ce0550bf532c4d05ab0d267 |
C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\CONTROL\product.dat
| MD5 | bb7426885c5f57b6b9405fdc7a94cc65 |
| SHA1 | 0a58a34a41cbea358fd57d278e9b15e669cc28e6 |
| SHA256 | f32133a910d0ab4b64bb7bc33fd5894e1afeb048b83b09336d8b02cd4c7ae118 |
| SHA512 | 3e8d20fc055b9ebbb49439adc69878e2b1c9a11f45400e7155874c031f950e3dc6ece86998366345c85ee98ac091ac319eb2175fd0100e300b9e856d06ef891d |
C:\Users\Admin\AppData\Local\tempinstall.ini
| MD5 | 6a5eea749583001de63b993fc66496ba |
| SHA1 | fd41691ec4751e85be89917d46454f8533800b4e |
| SHA256 | bca613688e735ccd1fae7164550bd8ae90862028cd0bf31534c149ea0d7c9f60 |
| SHA512 | 6a5b9b863bf139c87b5734d6e8310c7231a1015d8eceb15f76ccf7676d36f9107fd5d817a6f04ed47c3ee45be409073c837beee3c079abde5bc38233c98b9712 |
C:\Users\Admin\AppData\Local\tempinstall.ini
| MD5 | 5e1b68b67986b1588301c0135f19fc7c |
| SHA1 | 957ea47285f7d903cce7530ee34852435de5b5b4 |
| SHA256 | 23456d8ce681d1a5a31bf06262e088f4feb8d0e8fdc1d37afa4aa02830ffacdc |
| SHA512 | 268ec437c5971552dacca1e9ef6850543614d5a7f05ac34b41bf05f73e97e4c694d59e4f0618a57660ffad4f2faee653b4c0c824f97a6e9fddc48d22c52739af |
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
| MD5 | 83e40fd54b1f5d1ae6e39c9e53d564a6 |
| SHA1 | e278a68e18b936f5b5135b0d35d4c294fadd5351 |
| SHA256 | cce6849a1f15598b3c769fe985857c2935c49b4d49af6622a6efa29fdedc238b |
| SHA512 | 546553180f363b3983da410e2d632cfed1022a4ed218b996cf1657074561399f0152fa1f7c8339d4585f69493b458b5f2a7dcfb1da37d9424929f6fa3f9de9ae |
C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\CONTROL\office6\ucrtbase.dll
| MD5 | 2040cdcd779bbebad36d36035c675d99 |
| SHA1 | 918bc19f55e656f6d6b1e4713604483eb997ea15 |
| SHA256 | 2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359 |
| SHA512 | 83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f |
C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\CONTROL\office6\kpacketui.dll
| MD5 | 283a731e55f15516cbefe175ced45d26 |
| SHA1 | 59eb1520c7b7f1ca8faa494426d6c9a64c15e145 |
| SHA256 | 9fa73aeb2092080fc29f80f3a1287c1740ed4eb85f883c87be385c846b9b47fe |
| SHA512 | 7dc7da18fe2376780ccc226ee1caf7eddb38edc4540fab8c2e5a9589dcdea3b8218fb483df2e8b5c5df358e484b161292399340f4e1ea06b71464b05b220643b |
C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\CONTROL\office6\Qt5WidgetsKso.dll
| MD5 | e680d10a2632b3bcc9e87790b11c9fc5 |
| SHA1 | c97b51036952a79e7173e672f59492487902952a |
| SHA256 | ec89fe25ce694fa68c80aab24cef732c0d9d102b35f38b946cdcce517b5ad329 |
| SHA512 | cb6284236c3259bbacc2f90cb6ac059ef9da9d03277df21ac0ec69eb0132271a346477e9305875d4723f6f3327d04fd5f5bb26a9b39d8e8b7c94fea57a83dceb |
C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\CONTROL\office6\msvcp140.dll
| MD5 | db1e9807b717b91ac6df6262141bd99f |
| SHA1 | f55b0a6b2142c210bbfeebf1bac78134acc383b2 |
| SHA256 | 5a6dfa5e1ffb6c1e7fc76bd121c6c91305e10dd75fc2124f79fee291a9dd9e86 |
| SHA512 | f0621977d20989d21ae14b66c1a7a6c752bfd6d7ccc2c4c4ec1c70ba6756e642fb7f9b1c6a94afadd0f8a05d3c377792e4aa4c1a771d833c40a6f46b90cbe7c3 |
C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\CONTROL\office6\Qt5WinExtrasKso.dll
| MD5 | 4df516604e20d8defb35aaf0fb16a2b5 |
| SHA1 | 6b34b3fcb1da882e6adbd78f1aa38bfc4710a098 |
| SHA256 | 4c7efb65779f1b988bfc12623e042338061bd123a89b8171c7db7ace7d416628 |
| SHA512 | cd7d4b005f1ff7fbdfbb15da4ffe5513fcb741b2088fa42560f45b6fe4f3dd97efb78c7a2ec49b0ce8a0dc4a5fe237f4ffc68ea6c8b6a048718876656fb5282d |
C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\CONTROL\office6\Qt5CoreKso.dll
| MD5 | e847288468d4daadcb8f5a8bb152e923 |
| SHA1 | 574f7b2d1def9d79c4257c4268246fb399041bf6 |
| SHA256 | dc450ada7d31c9df923803e687c87dda9b9bec5e3f0efef6a30206872c9559a5 |
| SHA512 | b0c939485c7ab200837f8f4eb1da305644457825611a6d829cb6f789e486ef69ef4716f152e487b599f85cddaeb53808e71e3e016b4f7b4c4a71a2506586e133 |
C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\CONTROL\office6\vcruntime140.dll
| MD5 | 8fdb26199d64ae926509f5606460f573 |
| SHA1 | 7d7d8849e7c77af3042a6f54bdf2bb303d7cd678 |
| SHA256 | f1fd5f6ec1cfe0cc3b66b5322ac97568bc63b19c1e415b99aad7c69ddbafa33c |
| SHA512 | f56bf11d4259dbf5d4d1f9fc2ad60ff609cddb21278999e9fa55fe5d74552e8a01ddc55cfdc9bf4b09b3e3130a1356142a24a7db8ec5ea19344de617dc9fa99f |
C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\CONTROL\office6\Qt5GuiKso.dll
| MD5 | c79bc97c4dc3a9f6beff0d18a0916b15 |
| SHA1 | 3cb0b6ae6fd034ee24511c8ecd91c16d73d2b76a |
| SHA256 | 0c490173ab692710614f42dde8cf643aec26ff4636dc25d778d1444fe90368ea |
| SHA512 | df1475695972a4c17401a4552e43eb249a99c77c3292c42d48a64964bcd10534fa006ab09124acb197b0b27283042afd0e9163953f824507ca2279c04a82d147 |
C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\CONTROL\office6\qt\plugins\platforms\qwindows.dll
| MD5 | b6a37f22541908b36755c1b2907f4972 |
| SHA1 | 1327b11691fe35918cedfaf35b7c3f2c040f07d0 |
| SHA256 | 915bc4bb230e1a33ddca17faa5d1a5d63b33a1382a425d4c7364301283f9b977 |
| SHA512 | bcace988eae77a67a162aea424920d6ca5ca3b83a4047e450380f67dd6966c47d6b98aeb5b9f05f972f7b4ec39e2ba1cb648997efd62fc82087a24563326b6d3 |
C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll
| MD5 | ce3eb6e3e6d950fb03ed3753baafd6d1 |
| SHA1 | cadd8a045a037a9ce10372b0d1a6907f7c9b93d1 |
| SHA256 | d470ed8b89ef39e86587825e17a0525253a2245c9be125818229d1ece015165c |
| SHA512 | 02b9fc512fb813e1aa9ee51032d0ba4182ab184883022b46f533df119649e8116869e6be6161681f38d79c1949636ba6309786425f2c1ede5b3f7a16e63a8d96 |
C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll
| MD5 | b2555aac6faa3c776c7963538e3d642c |
| SHA1 | 01d7a80ce29872195770b6a76854d4e0e5576325 |
| SHA256 | 894172fcd20aa7bf493cab6599d04102208810be1b080d0ef8422b047cdb3c3f |
| SHA512 | 0571aed245f8d62d387315a27d485b1154a8664e4db96fb54a67eb2c19ccbd547040378240d60d67668867f715da7775bbe86794329b48ae27e6a5f787e63109 |
C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\CONTROL\office6\qt\plugins\imageformats\qsvg.dll
| MD5 | 90b1c6c13aa734636f94ac73d295c87a |
| SHA1 | d5a9ab0696de39719bdb9bb71eb35353a8552525 |
| SHA256 | d62301457c3751ccb81d1a069491ef2ead1379b7910bc763f2d17969efea0406 |
| SHA512 | 94a4a35294cb1ce7cf233fa95825b989fc7553a9ff78e23284aa592874fc01816fd765ecb800c030a6f92eac2ba69b1d2aad11600a2caa2afeda22e2d1b1325d |
C:\Users\Admin\AppData\Local\Temp\wps\~e5844f3\CONTROL\office6\Qt5SvgKso.dll
| MD5 | d7207f0e20b9ec71399fb9914ffb8278 |
| SHA1 | e862601902fb95f2cd2b79370dc0547cf382ccd5 |
| SHA256 | 6b47184545802c689971608dea86a2e7925b21714db800afd56a5eb40398dcc0 |
| SHA512 | 59afd7add23f80bbe0d3df5be60226b1a80133439b2b6f217a67db1911d3adaba6b360b29f4debf6ed9574619521dc3677248185ad9cc6870488565309f1a3e8 |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DRrFaPIBzOdg.exe.log
| MD5 | 122cf3c4f3452a55a92edee78316e071 |
| SHA1 | f2caa36d483076c92d17224cf92e260516b3cbbf |
| SHA256 | 42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0 |
| SHA512 | c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c |
C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log
| MD5 | f8a5d3973751c49ee1f827e2150c6c0b |
| SHA1 | 4e042ee44c1990f1ea7ab8e0110033fde6c232aa |
| SHA256 | fe445df0dba633c20959959bc12f12d10e7cf03df2aa9efc8e35283546f5e3fc |
| SHA512 | 92f05bc5769b030583995e43c2e2e7277b41f76e7d0f810431befaaf54bd3afcd22a8e90f89ad4f60db1940c17aabd512371cd04fe8b86b1bffb4c3632090526 |
C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log
| MD5 | d423b022ff201191a55638e0c6cab556 |
| SHA1 | aae13a3498585e097259d1edce3efd30bd532260 |
| SHA256 | 5cc54f3892324766b4948732168bae63416a35a31db53eb2f68ca746f423efd5 |
| SHA512 | fa3d530543c530432aa30b1136f5aaa58d4ba2bfec39582e51c61ee2f3ea071b8ee746a56c50cc99a2c424dbda002180422afdb2990e31b7a89831184ac59b81 |
C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log
| MD5 | c8e01b5e6ed6eda38d1f1949b5f766e1 |
| SHA1 | 4f0f04ca59094e743d525967129ddffbcb7795df |
| SHA256 | affcce6acccb02f8ee4427a88dc2cdfe842424357136f3ffb630177b05d651d4 |
| SHA512 | 75989e2a21bae8b39a4d717a87e09bb3c1e5b6f58cec4099ac0653505be05b788659bcf828fde38669fbb65129866d3f3954ccaa57f95687e244a60af18c5e27 |
C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log
| MD5 | 7427ece95e6fa44c1548dc00bdb96aeb |
| SHA1 | 71ead5ad0713f88fb4c21a2270c9d78d2d1f7fa3 |
| SHA256 | e384f7b838d27a360cd0b205c45accdba38236781440695cf7a2d08661ecd97f |
| SHA512 | 2efda5891c84eac480c2282bdc20d3ee97b9c9c0ad5fa08a3402d23ed8f072413ea4fc96c6326db2e7f1afc292d02025fcecbce737ff1ac9f6e3e07871386abc |
memory/3692-407-0x000000002A590000-0x000000002A5DD000-memory.dmp
memory/3692-408-0x000000002C1A0000-0x000000002C35C000-memory.dmp
memory/3692-410-0x000000002C1A0000-0x000000002C35C000-memory.dmp
memory/3692-411-0x000000002C1A0000-0x000000002C35C000-memory.dmp
memory/3692-412-0x000000002C1A0000-0x000000002C35C000-memory.dmp