Malware Analysis Report

2024-12-07 13:46

Sample ID 241118-d8r5jaxhqm
Target WPS_Setup.msi.vir
SHA256 84eff4cdf5c39f9979e8d1434ab7e0472ca710bdcf0a5d4db920732386e31957
Tags
discovery execution persistence privilege_escalation gh0strat purplefox rat rootkit trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

84eff4cdf5c39f9979e8d1434ab7e0472ca710bdcf0a5d4db920732386e31957

Threat Level: Known bad

The file WPS_Setup.msi.vir was found to be: Known bad.

Malicious Activity Summary

discovery execution persistence privilege_escalation gh0strat purplefox rat rootkit trojan

Gh0strat family

PurpleFox

Gh0strat

Purplefox family

Detect PurpleFox Rootkit

Gh0st RAT payload

Command and Scripting Interpreter: PowerShell

Enumerates connected drives

Drops file in System32 directory

Loads dropped DLL

Drops file in Windows directory

Drops file in Program Files directory

Executes dropped EXE

System Network Configuration Discovery: Internet Connection Discovery

Event Triggered Execution: Installer Packages

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: AddClipboardFormatListener

Uses Volume Shadow Copy service COM API

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: CmdExeWriteProcessMemorySpam

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-18 03:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-18 03:41

Reported

2024-11-18 03:45

Platform

win7-20240903-en

Max time kernel

117s

Max time network

126s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WPS_Setup.msi

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: (×2 identical rows) C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: (×2 identical rows) C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: (×2 identical rows) C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: (×2 identical rows) C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: (×2 identical rows) C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: (×2 identical rows) C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: (×2 identical rows) C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: (×2 identical rows) C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: (×2 identical rows) C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: (×2 identical rows) C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: (×2 identical rows) C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: (×2 identical rows) C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: (×2 identical rows) C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: (×2 identical rows) C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: (×2 identical rows) C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: (×2 identical rows) C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: (×2 identical rows) C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: (×2 identical rows) C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: (×2 identical rows) C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: (×2 identical rows) C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: (×2 identical rows) C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: (×2 identical rows) C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: (×2 identical rows) C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\EnsureOptimizedConsultant\TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
File opened for modification C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
File opened for modification C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
File opened for modification C:\Program Files\EnsureOptimizedConsultant\2_mAaRrGrorewO.exe C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
File created C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.vbs C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
File created C:\Program Files\EnsureOptimizedConsultant\valibclang2d.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\EnsureOptimizedConsultant\zWeUWhkooKhmUnJIWTooAiOdyKrhOp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\EnsureOptimizedConsultant\jwCzMPsbdJgpyNoNqmKFTuHneRpxhY C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
File created C:\Program Files\EnsureOptimizedConsultant\2_mAaRrGrorewO.exe C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
File opened for modification C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe C:\Windows\system32\MsiExec.exe N/A
File created C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\EnsureOptimizedConsultant\TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
File opened for modification C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.xml C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
File created C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.xml C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
File created C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
File created C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe C:\Windows\system32\MsiExec.exe N/A
File created C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\EnsureOptimizedConsultant\jwCzMPsbdJgpyNoNqmKFTuHneRpxhY C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
File created C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f76e0be.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76e0bf.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\f76e0be.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE3AB.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76e0c1.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76e0bf.ipi C:\Windows\system32\msiexec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe N/A (×5 identical rows)
N/A N/A C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe N/A (×29 identical rows)

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office\6.0\Common\FirstInstallTime = "2024-11-18 03:42:51" C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office\6.0\Common\reportAllInfoToDataWarehouse = "0" C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office\6.0\Common\FirstInstall = "1" C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office\6.0\Common\errorReport = "https://dpr.wps.cn/errorReport/up" C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet." C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office\6.0\Common\disableGlobalInfoCollect = "0" C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office\6.0\Common C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d0c7a9eb6b39db01 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office\6.0 C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\Version = "67108871" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C13DFF0E8CA66BE4DA7108E8B877C369 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C13DFF0E8CA66BE4DA7108E8B877C369\565833423ECDB21478C8435BBAE74FDC C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\565833423ECDB21478C8435BBAE74FDC C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\565833423ECDB21478C8435BBAE74FDC\ProductFeature C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\ProductName = "EnsureOptimizedConsultant" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\PackageCode = "17A50817543FBC240997BC3912996FE2" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\PackageName = "WPS_Setup.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A (×2 identical rows)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A (×50 identical rows)
N/A N/A C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe N/A (×6 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
Token: 35 (not named by the sandbox; privilege LUID 35 is SeCreateSymbolicLinkPrivilege) N/A C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
Token: 35 (not named by the sandbox; privilege LUID 35 is SeCreateSymbolicLinkPrivilege) N/A C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1904 wrote to memory of 844 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1904 wrote to memory of 844 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1904 wrote to memory of 844 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1904 wrote to memory of 844 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1904 wrote to memory of 844 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 844 wrote to memory of 320 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 844 wrote to memory of 320 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 844 wrote to memory of 320 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 844 wrote to memory of 1148 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 844 wrote to memory of 1148 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 844 wrote to memory of 1148 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1148 wrote to memory of 1936 N/A C:\Windows\System32\cmd.exe C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
PID 1148 wrote to memory of 1936 N/A C:\Windows\System32\cmd.exe C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
PID 1148 wrote to memory of 1936 N/A C:\Windows\System32\cmd.exe C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
PID 1148 wrote to memory of 1936 N/A C:\Windows\System32\cmd.exe C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
PID 1148 wrote to memory of 2856 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1148 wrote to memory of 2856 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1148 wrote to memory of 2856 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1148 wrote to memory of 2976 N/A C:\Windows\System32\cmd.exe C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
PID 1148 wrote to memory of 2976 N/A C:\Windows\System32\cmd.exe C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
PID 1148 wrote to memory of 2976 N/A C:\Windows\System32\cmd.exe C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
PID 1148 wrote to memory of 2976 N/A C:\Windows\System32\cmd.exe C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
PID 844 wrote to memory of 2080 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe
PID 844 wrote to memory of 2080 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe
PID 844 wrote to memory of 2080 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe
PID 844 wrote to memory of 2080 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe
PID 844 wrote to memory of 664 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe
PID 844 wrote to memory of 664 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe
PID 844 wrote to memory of 664 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe
PID 844 wrote to memory of 664 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe
PID 844 wrote to memory of 664 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe
PID 844 wrote to memory of 664 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe
PID 844 wrote to memory of 664 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe
PID 664 wrote to memory of 912 N/A C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe
PID 664 wrote to memory of 912 N/A C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe
PID 664 wrote to memory of 912 N/A C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe
PID 664 wrote to memory of 912 N/A C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe
PID 664 wrote to memory of 912 N/A C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe
PID 664 wrote to memory of 912 N/A C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe
PID 664 wrote to memory of 912 N/A C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe

Uses Volume Shadow Copy service COM API

ransomware

The ransomware tag belongs to the signature, not to any observed shadow-copy deletion: in this run the VSS activity is vssvc.exe and DrvInst.exe handling STORAGE\VolumeSnapshot (see Processes below), which is consistent with Windows Installer creating a restore point for the MSI install, and no vssadmin or wmic shadow-copy deletion appears in the process list.

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WPS_Setup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D0" "0000000000000560"

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 5CD72771D08C49E17DB647A717853C03 M Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\EnsureOptimizedConsultant','C:\Program Files','C:\Program Files'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe" x "C:\Program Files\EnsureOptimizedConsultant\zWeUWhkooKhmUnJIWTooAiOdyKrhOp" -o"C:\Program Files\EnsureOptimizedConsultant\" -p"52054T.7_jh@;P;zk[{L" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe" x "C:\Program Files\EnsureOptimizedConsultant\TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY" -x!1_mAaRrGrorewO.exe -x!sss -x!1_MqjgbIbFsQecJXwdGMcChDsAdZfOMl.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\EnsureOptimizedConsultant\" -p"19938}{;T;s{QH*a~YQt" -y

C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe

"C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe" x "C:\Program Files\EnsureOptimizedConsultant\zWeUWhkooKhmUnJIWTooAiOdyKrhOp" -o"C:\Program Files\EnsureOptimizedConsultant\" -p"52054T.7_jh@;P;zk[{L" -y

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe

"C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe" x "C:\Program Files\EnsureOptimizedConsultant\TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY" -x!1_mAaRrGrorewO.exe -x!sss -x!1_MqjgbIbFsQecJXwdGMcChDsAdZfOMl.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\EnsureOptimizedConsultant\" -p"19938}{;T;s{QH*a~YQt" -y

C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe

"C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe" -number 145 -file file3 -mode mode3

C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe

"C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe"

C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe

"C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe" /ThemeIndex=#ThemeIndex#

C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe

"C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe" -downpower -ThemeIndex="#ThemeIndex#" -msgwndname=wpssetup_message_F770AF9 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~f770906\ -msgsmname=Global\_wpssetup_message_sm_390
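Triage of the chain recorded above, as an added example that is not part of the sandbox report or of any vendor tooling: it rebuilds the process tree from the "Suspicious use of WriteProcessMemory" rows, maps PIDs to the command lines in this Processes section, and applies the checks an analyst would encode for any MSI whose custom-action server spawns PowerShell and an archiver. The sample rows and command lines are copied from this report; the rule names, the case-flip threshold in looks_random, and the treatment of the randomly named archiver as a 7-Zip-style tool (only its recorded x / -o / -p / -y syntax is relied on) are this example's own assumptions.

```python
import re

# Constructed from the "Suspicious use of WriteProcessMemory" rows above
# (parent PID, child PID, child image); the repeated rows are collapsed.
WPM_ROWS = [
    (1904, 844, r"C:\Windows\system32\MsiExec.exe"),
    (844, 320, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (844, 1148, r"C:\Windows\System32\cmd.exe"),
    (1148, 1936, r"C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe"),
    (1148, 2856, r"C:\Windows\system32\PING.EXE"),
    (1148, 2976, r"C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe"),
    (844, 2080, r"C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe"),
    (844, 664, r"C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe"),
    (664, 912, r"C:\ProgramData\kingsoft\20241118_34249\WPS_Setup_18608.exe"),
]
ROOT = (1904, r"C:\Windows\system32\msiexec.exe")  # the "msiexec.exe /I ..." instance

# Constructed from the "Processes" section; PIDs with nothing notable on the
# command line are omitted and default to "".
CMDLINES = {
    320: r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\EnsureOptimizedConsultant','C:\Program Files','C:\Program Files'""",
    1936: r""""C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe" x "C:\Program Files\EnsureOptimizedConsultant\zWeUWhkooKhmUnJIWTooAiOdyKrhOp" -o"C:\Program Files\EnsureOptimizedConsultant\" -p"52054T.7_jh@;P;zk[{L" -y""",
    2856: "ping 127.0.0.1 -n 2",
    2976: r""""C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe" x "C:\Program Files\EnsureOptimizedConsultant\TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY" -x!1_mAaRrGrorewO.exe -x!sss -x!1_MqjgbIbFsQecJXwdGMcChDsAdZfOMl.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\EnsureOptimizedConsultant\" -p"19938}{;T;s{QH*a~YQt" -y""",
    2080: r""""C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe" -number 145 -file file3 -mode mode3""",
}


def index(rows, root):
    """PID -> image and child PID -> parent PID, built from the WPM rows."""
    image, parent_of = {root[0]: root[1]}, {}
    for parent, child, child_image in rows:
        image[child], parent_of[child] = child_image, parent
    return image, parent_of


def ancestry(pid, rows, root):
    """Image basenames from the root down to pid (a SIEM-style process chain)."""
    image, parent_of = index(rows, root)
    chain = []
    while pid is not None:
        chain.append(image[pid].rsplit("\\", 1)[-1].lower())
        pid = parent_of.get(pid)
    return chain[::-1]


def defender_exclusions(cmdline):
    """Paths handed to Add-MpPreference -ExclusionPath, deduplicated, order kept."""
    m = re.search(r"Add-MpPreference\s+-ExclusionPath\s+(.+)$", cmdline, re.I)
    if not m:
        return []
    paths = [p.strip().strip("'\"") for p in m.group(1).split(",")]
    return list(dict.fromkeys(p for p in paths if p))


ARCHIVE_RE = re.compile(r'^"(?P<tool>[^"]+)"\s+x\s+"(?P<archive>[^"]+)"(?P<rest>.*?)-y\s*$')


def archive_extraction(cmdline):
    """7-Zip-style 'x <archive> ... -o<dir> -p<password> -y' extraction, or None."""
    m = ARCHIVE_RE.match(cmdline)
    if not m:
        return None
    rest = m.group("rest")

    def quoted(flag):  # value of -o"..." / -p"..." exactly as recorded, else None
        v = re.search(flag + r'"([^"]*)"', rest)
        return v.group(1) if v else None

    return {"tool": m.group("tool"), "archive": m.group("archive"),
            "outdir": quoted("-o"), "password": quoted("-p"),
            "excluded": re.findall(r"-x!(\S+)", rest)}


def ping_delay(cmdline):
    """'ping 127.0.0.1 -n N' used as a sleep between stages; returns N or None."""
    m = re.match(r"ping\s+127\.0\.0\.1\s+-n\s+(\d+)", cmdline, re.I)
    return int(m.group(1)) if m else None


def looks_random(path):
    """Heuristic of this example: a long, letters-only stem with frequent case flips."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if len(stem) < 12 or not stem.isalpha():
        return False
    flips = sum(a.islower() != b.islower() for a, b in zip(stem, stem[1:]))
    return flips / (len(stem) - 1) >= 0.4


def triage(rows, root, cmdlines):
    """Run every rule over the tree; returns (pid, rule, detail) tuples."""
    image, _ = index(rows, root)
    hits = []
    for pid, img in image.items():
        cl = cmdlines.get(pid, "")
        if looks_random(img):
            hits.append((pid, "random_image_name", img))
        if paths := defender_exclusions(cl):
            hits.append((pid, "defender_exclusion", paths))
        if arc := archive_extraction(cl):
            hits.append((pid, "password_archive_extract", arc))
        if (n := ping_delay(cl)) is not None:
            hits.append((pid, "ping_sleep", n))
    # The chain worth alerting on: the archiver unpacks into a directory that
    # an earlier process in the same install has just excluded from scanning.
    excluded = [p.lower() for _, r, d in hits if r == "defender_exclusion" for p in d]
    for pid, r, d in list(hits):
        if r == "password_archive_extract" and any(d["outdir"].lower().startswith(p) for p in excluded):
            hits.append((pid, "extract_into_excluded_dir", d["outdir"]))
    return hits
```

Calling triage(WPM_ROWS, ROOT, CMDLINES) yields one Defender-exclusion hit, two password-protected extractions that both land inside the excluded directory, the ping sleep, and three randomly named images; the same rules apply unchanged to EDR process-creation telemetry. A practical side effect of the recorded command lines is that the two archive passwords are on the page, so the dropped containers zWeUWhkooKhmUnJIWTooAiOdyKrhOp and TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY (hashes in Files below) can be unpacked offline for static analysis, including the 1_*.exe members that the second extraction deliberately skips with -x!.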

Network

Country Destination Domain Proto
US 8.8.8.8:53 im.qq.com udp

Files

memory/844-12-0x0000000000400000-0x0000000000410000-memory.dmp

memory/320-17-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

memory/320-18-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe

MD5 c31c4b04558396c6fabab64dcf366534
SHA1 fa836d92edc577d6a17ded47641ba1938589b09a
SHA256 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3
SHA512 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

C:\Program Files\EnsureOptimizedConsultant\zWeUWhkooKhmUnJIWTooAiOdyKrhOp

MD5 a9d9fcb39f3a86aa6017d7a4ea0fea78
SHA1 c522e597688441cfb094111de26c63a8b4a865ee
SHA256 ba25ac5ca218c633979a2882cde1f2938a1b091ecbd03b69e276d8709b8de39e
SHA512 30a5ce6a5ade96bd1b224166c4604ab033db76fd42655a537858e9a4820fca02441589b01f017329e0e99b5d1a60b71bf1903481ff9bf20713d8ce3a6c31cf4e

C:\Program Files\EnsureOptimizedConsultant\TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY

MD5 0ee4778f434c07656a60bef038e2e418
SHA1 fe37df7dcdcd815748ca391f4793a690d1fe06c5
SHA256 d5acaa34a51eeabe5bca2c26e80d73f82c9be63cfbbe12d3f87f13b63e84c1f4
SHA512 d58513fb24938fadb9429c56afc770a04b0a3f8d757e82deaffdb8b5ec7b56bb0d6aa3fdd99a7def37aea3e9ee806c7bdc73e2b46384cd7325b23518fa4b9617

C:\Program Files\EnsureOptimizedConsultant\2_mAaRrGrorewO.exe

MD5 0e76fd2dd06b069ed52c2f632ea0a532
SHA1 1f7abe1527bd0670346354a71c0d3e25a0c45d09
SHA256 262314d5d3d5be46b9c5cf1cbf59945529ae6a0baa0fc17ac81f5b9213488bc9
SHA512 db7684bbcc29d839e9b9c5ac15221f694d1554973e02182a0bbc22a60287d8b6be83ccfe4e66be62def34eb3a3412bd1632c043984850121751d89d91e8503aa

C:\Config.Msi\f76e0c0.rbs

MD5 47cee7fd484e881a54d99fceaad3deb6
SHA1 130366e0e19d72dfa3f44d6c77ad90ad9d27a237
SHA256 d913ce6f431a292c6c3e7e76b9fa9877c3e13734ed93639d2bf297c5946a55cc
SHA512 5620b5a633a0f03da16add6453fcb65983ce1c6eded1f56fa268a6c71bd8a9b14407c93d3f6890285f7a94f9cb8541af988f5fba8350c8b42150c32e2cdd9d66

\Users\Admin\AppData\Local\Temp\nso3C9.tmp\v6svc_oem.dll

MD5 500318167948bdd3ad42a40721e1a72b
SHA1 24134691693e6d78d6eb0a0c64833c12a0090968
SHA256 d3378ee739debcaee8c715963403d96bf025db98bfbb55e54635429890db85c6
SHA512 0a2d3b55528cc53cfce5b47158997300c562afd2c7bb5596532b218d3f482380887ee7c204b13d42425dc0c4cc439a7f9ed167f3767bda7b6e205e7e8f454863

\Users\Admin\AppData\Local\Temp\nso3C9.tmp\System.dll

MD5 0063d48afe5a0cdc02833145667b6641
SHA1 e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256 ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA512 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

\Users\Admin\AppData\Local\Temp\nso3C9.tmp\AccessControl.dll

MD5 28c87a09fdb49060aa4ab558a2832109
SHA1 9213a24964cd479eac91d01ad54190f9c11d0c75
SHA256 933cadcd3a463484bbb3c45077afda0edbb539dfbe988efad79a88cae63bf95f
SHA512 413b3afe5a3b139a199f2a6954edc055eee3b312c3dffd568cfdbe1f740f07a7c27fbf7b2a0b6e3c3dd6ee358ce96cc1ca821883f055bf63ddebda854384700d

memory/2080-82-0x000000002B390000-0x000000002B3BF000-memory.dmp

C:\ProgramData\kingsoft\20241118_34249\oem.ini

MD5 920068869d99afbee8244a2be1e667dd
SHA1 4fb5d143480d258cb4afa9d009b303a08fc9122b
SHA256 53b4432efa05bb55dec931a4641e32a6dccae3fb4730bf66bab2fe58df904d2f
SHA512 466623f31264a788fbf83589f8d5601ba1797d9df21da04fca5a13ff25678ddc3291d3086fedfbf5829a1eed93a67759af704c51c38c3378202c34e242eae8da

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

MD5 d42f070cb711315339473850734ef396
SHA1 0e5aeae45fb0b1fe65a40b4cbf20d96b6020989e
SHA256 55ab7be520b5a8af4777dd27538d03a4d4ecbf8a139e1ebf52f88a4e69944309
SHA512 340533e918d5fcc665ad7bc83a8eee1a7fa404412764a4f8799af80ea983d853e9091fdb991cd32fc7c75d7e6c5dc91c92bfd7024d2c8bcd70ac299174b5aa7e

memory/912-187-0x0000000000320000-0x0000000000322000-memory.dmp

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

MD5 95ea565cc83bd0a40552a99d2e1fc9af
SHA1 d4ca38616bd706fe5d3bdc2bf440a0d368e66705
SHA256 3477ba59cfac8ca3f3e7a258c05718849848efb25921ec7dcbcd8daa889318df
SHA512 fdc9e5f242298b98a6c2da5921f3ab272a4c1bf411a1af74ef47cc668251d7f0957d6e23324cb4632163421028f84e05f4f8a16f8f3152ad1a8341525f3882de

C:\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\product.dat

MD5 bb7426885c5f57b6b9405fdc7a94cc65
SHA1 0a58a34a41cbea358fd57d278e9b15e669cc28e6
SHA256 f32133a910d0ab4b64bb7bc33fd5894e1afeb048b83b09336d8b02cd4c7ae118
SHA512 3e8d20fc055b9ebbb49439adc69878e2b1c9a11f45400e7155874c031f950e3dc6ece86998366345c85ee98ac091ac319eb2175fd0100e300b9e856d06ef891d

C:\Users\Admin\AppData\Local\tempinstall.ini

MD5 6a5eea749583001de63b993fc66496ba
SHA1 fd41691ec4751e85be89917d46454f8533800b4e
SHA256 bca613688e735ccd1fae7164550bd8ae90862028cd0bf31534c149ea0d7c9f60
SHA512 6a5b9b863bf139c87b5734d6e8310c7231a1015d8eceb15f76ccf7676d36f9107fd5d817a6f04ed47c3ee45be409073c837beee3c079abde5bc38233c98b9712

C:\Users\Admin\AppData\Local\tempinstall.ini

MD5 5e1b68b67986b1588301c0135f19fc7c
SHA1 957ea47285f7d903cce7530ee34852435de5b5b4
SHA256 23456d8ce681d1a5a31bf06262e088f4feb8d0e8fdc1d37afa4aa02830ffacdc
SHA512 268ec437c5971552dacca1e9ef6850543614d5a7f05ac34b41bf05f73e97e4c694d59e4f0618a57660ffad4f2faee653b4c0c824f97a6e9fddc48d22c52739af

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

MD5 c05d681b6615a2066e924b95c18bf4dd
SHA1 af5084a6da3615f78afcb0b61ced1053ef62d129
SHA256 4f3d2d0e65742483784842701e2260da2425f02ee910c045579b961438a06ff7
SHA512 4cfe9e44bb10b6e689d852d34831fe5acf4e9a17ae24ae584cd1bc7074f7eae7c7bcfa5f937f10e68103b094cfcaaf4c5c398686363f49ded7a70fd496b916b6

\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\office6\ucrtbase.dll

MD5 2040cdcd779bbebad36d36035c675d99
SHA1 918bc19f55e656f6d6b1e4713604483eb997ea15
SHA256 2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359
SHA512 83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\office6\Qt5GuiKso.dll

MD5 c79bc97c4dc3a9f6beff0d18a0916b15
SHA1 3cb0b6ae6fd034ee24511c8ecd91c16d73d2b76a
SHA256 0c490173ab692710614f42dde8cf643aec26ff4636dc25d778d1444fe90368ea
SHA512 df1475695972a4c17401a4552e43eb249a99c77c3292c42d48a64964bcd10534fa006ab09124acb197b0b27283042afd0e9163953f824507ca2279c04a82d147

\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\office6\Qt5WinExtrasKso.dll

MD5 4df516604e20d8defb35aaf0fb16a2b5
SHA1 6b34b3fcb1da882e6adbd78f1aa38bfc4710a098
SHA256 4c7efb65779f1b988bfc12623e042338061bd123a89b8171c7db7ace7d416628
SHA512 cd7d4b005f1ff7fbdfbb15da4ffe5513fcb741b2088fa42560f45b6fe4f3dd97efb78c7a2ec49b0ce8a0dc4a5fe237f4ffc68ea6c8b6a048718876656fb5282d

\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\office6\kpacketui.dll

MD5 283a731e55f15516cbefe175ced45d26
SHA1 59eb1520c7b7f1ca8faa494426d6c9a64c15e145
SHA256 9fa73aeb2092080fc29f80f3a1287c1740ed4eb85f883c87be385c846b9b47fe
SHA512 7dc7da18fe2376780ccc226ee1caf7eddb38edc4540fab8c2e5a9589dcdea3b8218fb483df2e8b5c5df358e484b161292399340f4e1ea06b71464b05b220643b

\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\office6\api-ms-win-core-file-l2-1-0.dll

MD5 b181124928d8eb7b6caa0c2c759155cb
SHA1 1aadbbd43eff2df7bab51c6f3bda2eb2623b281a
SHA256 24ea638dfa9f40e2f395e26e36d308db2ab25ed1baa5c796ac2c560ad4c89d77
SHA512 2a43bf4d50d47924374cde689be24799c4e1c132c0bc981f5109952d3322e91dd5a9352b53bb55ca79a6ea92e2c387e87c064b9d8c8f519b77fff973d752dc8f

\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\office6\api-ms-win-core-timezone-l1-1-0.dll

MD5 86421619dad87870e5f3cc0beb1f7963
SHA1 2f0fe3eb94fa90577846d49c03c4fd08ef9d3fb2
SHA256 64eccd818f6ffc13f57a2ec5ca358b401ffbb1ca13b0c523d479ef5ee9eb44ab
SHA512 dbce9904dd5a403a5a69e528ee1179cc5faab1361715a29b1a0de0cd33ad3ae9c9d5620dafb161fda86cb27909d001be8955940fd051077ffe6f3ff82357ad31

\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\office6\api-ms-win-core-file-l1-2-0.dll

MD5 cd3cec3d65ae62fdf044f720245f29c0
SHA1 c4643779a0f0f377323503f2db8d2e4d74c738ca
SHA256 676a6da661e0c02e72bea510f5a48cae71fdc4da0b1b089c24bff87651ec0141
SHA512 aca1029497c5a9d26ee09810639278eb17b8fd11b15c9017c8b578fced29cef56f172750c4cc2b0d1ebf8683d29e15de52a6951fb23d78712e31ddcb41776b0f

\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\office6\api-ms-win-core-processthreads-l1-1-1.dll

MD5 b5c8334a10b191031769d5de01df9459
SHA1 83a8fcc777c7e8c42fa4c59ee627baf6cbed1969
SHA256 6c27ac0542281649ec8638602fbc24f246424ba550564fc7b290b683f79e712d
SHA512 59e53c515dfa2cd96182ca6539ed0ea2ebb01f5991beb08166d1fc53576aeaafebbb2c5ee0ccbdab60ae45fc6a048fff0b5e1b8c9c26907791d31fb7e75b1f39

\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\office6\api-ms-win-core-localization-l1-2-0.dll

MD5 21519f4d5f1fea53532a0b152910ef8b
SHA1 7833ac2c20263c8be42f67151f9234eb8e4a5515
SHA256 5fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1
SHA512 97211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417

\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\office6\msvcp140.dll

MD5 db1e9807b717b91ac6df6262141bd99f
SHA1 f55b0a6b2142c210bbfeebf1bac78134acc383b2
SHA256 5a6dfa5e1ffb6c1e7fc76bd121c6c91305e10dd75fc2124f79fee291a9dd9e86
SHA512 f0621977d20989d21ae14b66c1a7a6c752bfd6d7ccc2c4c4ec1c70ba6756e642fb7f9b1c6a94afadd0f8a05d3c377792e4aa4c1a771d833c40a6f46b90cbe7c3

\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\office6\Qt5CoreKso.dll

MD5 e847288468d4daadcb8f5a8bb152e923
SHA1 574f7b2d1def9d79c4257c4268246fb399041bf6
SHA256 dc450ada7d31c9df923803e687c87dda9b9bec5e3f0efef6a30206872c9559a5
SHA512 b0c939485c7ab200837f8f4eb1da305644457825611a6d829cb6f789e486ef69ef4716f152e487b599f85cddaeb53808e71e3e016b4f7b4c4a71a2506586e133

\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\office6\vcruntime140.dll

MD5 8fdb26199d64ae926509f5606460f573
SHA1 7d7d8849e7c77af3042a6f54bdf2bb303d7cd678
SHA256 f1fd5f6ec1cfe0cc3b66b5322ac97568bc63b19c1e415b99aad7c69ddbafa33c
SHA512 f56bf11d4259dbf5d4d1f9fc2ad60ff609cddb21278999e9fa55fe5d74552e8a01ddc55cfdc9bf4b09b3e3130a1356142a24a7db8ec5ea19344de617dc9fa99f

\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\office6\api-ms-win-crt-utility-l1-1-0.dll

MD5 3dfb82541979a23a9deb5fd4dcfb6b22
SHA1 5da1d02b764917b38fdc34f4b41fb9a599105dd9
SHA256 0cd6d0ff0ff5ecf973f545e98b68ac6038db5494a8990c3b77b8a95b664b6feb
SHA512 f9a20b3d44d39d941fa131c3a1db37614a2f9b2af7260981a0f72c69f82a5326901f70a56b5f7ad65862630fce59b02f650a132ee7ecfe2e4fc80f694483ca82

\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\office6\api-ms-win-crt-math-l1-1-0.dll

MD5 461d5af3277efb5f000b9df826581b80
SHA1 935b00c88c2065f98746e2b4353d4369216f1812
SHA256 f9ce464b89dd8ea1d5e0b852369fe3a8322b4b9860e5ae401c9a3b797aed17bf
SHA512 229bf31a1de1e84cf238a0dfe0c3a13fee86da94d611fbc8fdb65086dee6a8b1a6ba37c44c5826c3d8cfa120d0fba9e690d31c5b4e73f98c8362b98be1ee9600

\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\office6\api-ms-win-crt-environment-l1-1-0.dll

MD5 0979785e3ef8137cdd47c797adcb96e3
SHA1 4051c6eb37a4c0dba47b58301e63df76bff347dd
SHA256 d5164aecde4523ffa2dcfd0315b49428ac220013132ad48422a8ea4ca2361257
SHA512 e369bc53babd327f5d1b9833c0b8d6c7e121072ad81d4ba1fb3e2679f161fb6a9fa2fca0df0bac532fd439beb0d754583582d1dbfeccf2d38cc4f3bdca39b52d

\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\office6\Qt5WidgetsKso.dll

MD5 e680d10a2632b3bcc9e87790b11c9fc5
SHA1 c97b51036952a79e7173e672f59492487902952a
SHA256 ec89fe25ce694fa68c80aab24cef732c0d9d102b35f38b946cdcce517b5ad329
SHA512 cb6284236c3259bbacc2f90cb6ac059ef9da9d03277df21ac0ec69eb0132271a346477e9305875d4723f6f3327d04fd5f5bb26a9b39d8e8b7c94fea57a83dceb

\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\office6\api-ms-win-crt-time-l1-1-0.dll

MD5 d0b6a2caec62f5477e4e36b991563041
SHA1 8396e1e02dace6ae4dde33b3e432a3581bc38f5d
SHA256 fd44d833ea40d50981b3151535618eb57b5513ed824a9963251d07abff2baedf
SHA512 69bd6df96de99e6ab9c12d8a1024d20a034a7db3e2b62e8be7fdbc838c4e9001d2497b04209e07a5365d00366c794c31ee89b133304e475dde5f92fdb7fcb0bc

\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\office6\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 a1b6cebd3d7a8b25b9a9cbc18d03a00c
SHA1 5516de099c49e0e6d1224286c3dc9b4d7985e913
SHA256 162ccf78fa5a4a2ee380f72fbd54d17a73c929a76f6e3659f537fa8f42602362
SHA512 a322fb09e6faaff0daabb4f0284e4e90ccacff27161dbfd77d39a9a93dbf30069b9d86bf15a07fc2006a55af2c35cd8ea544895c93e2e1697c51f2dafad5a9d7

\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\office6\api-ms-win-crt-locale-l1-1-0.dll

MD5 50b721a0c945abe3edca6bcee2a70c6c
SHA1 f35b3157818d4a5af3486b5e2e70bb510ac05eff
SHA256 db495c7c4ad2072d09b2d4506b3a50f04487ad8b27d656685ea3fa5d9653a21d
SHA512 ef2f6d28d01a5bad7c494851077d52f22a11514548c287e513f4820c23f90020a0032e2da16cc170ae80897ae45fc82bffc9d18afb2ae1a7b1da6eef56240840

\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\office6\api-ms-win-crt-convert-l1-1-0.dll

MD5 88f89d0f2bd5748ed1af75889e715e6a
SHA1 8ada489b9ff33530a3fb7161cc07b5b11dfb8909
SHA256 02c78781bf6cc5f22a0ecedc3847bfd20bed4065ac028c386d063dc2318c33cc
SHA512 1f5a00284ca1d6dc6ae2dfce306febfa6d7d71d421583e4ce6890389334c2d98291e98e992b58136f5d1a41590553e3ad42fb362247ae8adf60e33397afbb5df

\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\office6\api-ms-win-crt-stdio-l1-1-0.dll

MD5 5765103e1f5412c43295bd752ccaea03
SHA1 6913bf1624599e55680a0292e22c89cab559db81
SHA256 8f7ace43040fa86e972cc74649d3e643d21e4cad6cb86ba78d4c059ed35d95e4
SHA512 5844ac30bc73b7ffba75016abefb8a339e2f2822fc6e1441f33f70b6eb7114f828167dfc34527b0fb5460768c4de7250c655bc56efd8ba03115cd2dd6f6c91c0

\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\office6\api-ms-win-crt-string-l1-1-0.dll

MD5 f364190706414020c02cf4d531e0229d
SHA1 5899230b0d7ad96121c3be0df99235ddd8a47dc6
SHA256 a797c0d43a52e7c8205397225ac931638d73b567683f38dd803195da9d34eac2
SHA512 a9c8abbd846ab55942f440e905d1f3864b82257b8daa44c784b1997a060de0c0439ecc25a2193032d4d85191535e9253e435deed23bdf3d3cb48c4209005a02e

\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\office6\api-ms-win-crt-heap-l1-1-0.dll

MD5 a6a9dfb31be2510f6dbfedd476c6d15a
SHA1 cdb6d8bd1fbd1c71d85437cff55ddeb76139dbe7
SHA256 150d32b77b2d7f49c8d4f44b64a90d7a0f9df0874a80fc925daf298b038a8e4c
SHA512 b4f0e8fa148fac8a94e04bf4b44f2a26221d943cc399e7f48745ed46e8b58c52d9126110cdf868ebb723423fb0e304983d24fe6608d3757a43ad741bddb3b7ec

\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\office6\api-ms-win-crt-runtime-l1-1-0.dll

MD5 4f06da894ea013a5e18b8b84a9836d5a
SHA1 40cf36e07b738aa8bba58bc5587643326ff412a9
SHA256 876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732
SHA512 1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\office6\qt\plugins\platforms\qwindows.dll

MD5 b6a37f22541908b36755c1b2907f4972
SHA1 1327b11691fe35918cedfaf35b7c3f2c040f07d0
SHA256 915bc4bb230e1a33ddca17faa5d1a5d63b33a1382a425d4c7364301283f9b977
SHA512 bcace988eae77a67a162aea424920d6ca5ca3b83a4047e450380f67dd6966c47d6b98aeb5b9f05f972f7b4ec39e2ba1cb648997efd62fc82087a24563326b6d3

\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll

MD5 ce3eb6e3e6d950fb03ed3753baafd6d1
SHA1 cadd8a045a037a9ce10372b0d1a6907f7c9b93d1
SHA256 d470ed8b89ef39e86587825e17a0525253a2245c9be125818229d1ece015165c
SHA512 02b9fc512fb813e1aa9ee51032d0ba4182ab184883022b46f533df119649e8116869e6be6161681f38d79c1949636ba6309786425f2c1ede5b3f7a16e63a8d96

\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\office6\Qt5SvgKso.dll

MD5 d7207f0e20b9ec71399fb9914ffb8278
SHA1 e862601902fb95f2cd2b79370dc0547cf382ccd5
SHA256 6b47184545802c689971608dea86a2e7925b21714db800afd56a5eb40398dcc0
SHA512 59afd7add23f80bbe0d3df5be60226b1a80133439b2b6f217a67db1911d3adaba6b360b29f4debf6ed9574619521dc3677248185ad9cc6870488565309f1a3e8

\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll

MD5 b2555aac6faa3c776c7963538e3d642c
SHA1 01d7a80ce29872195770b6a76854d4e0e5576325
SHA256 894172fcd20aa7bf493cab6599d04102208810be1b080d0ef8422b047cdb3c3f
SHA512 0571aed245f8d62d387315a27d485b1154a8664e4db96fb54a67eb2c19ccbd547040378240d60d67668867f715da7775bbe86794329b48ae27e6a5f787e63109

\Users\Admin\AppData\Local\Temp\wps\~f770906\CONTROL\office6\qt\plugins\imageformats\qsvg.dll

MD5 90b1c6c13aa734636f94ac73d295c87a
SHA1 d5a9ab0696de39719bdb9bb71eb35353a8552525
SHA256 d62301457c3751ccb81d1a069491ef2ead1379b7910bc763f2d17969efea0406
SHA512 94a4a35294cb1ce7cf233fa95825b989fc7553a9ff78e23284aa592874fc01816fd765ecb800c030a6f92eac2ba69b1d2aad11600a2caa2afeda22e2d1b1325d

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-18 03:41

Reported

2024-11-18 03:45

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

167s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WPS_Setup.msi

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

PurpleFox

rootkit trojan purplefox

Purplefox family

purplefox

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SvwYSxmZIFRH.exe.log C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\EnsureOptimizedConsultant\2_mAaRrGrorewO.exe C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
File opened for modification C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
File created C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe C:\Windows\System32\MsiExec.exe N/A
File created C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.vbs C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
File opened for modification C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe N/A
File created C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\EnsureOptimizedConsultant\jwCzMPsbdJgpyNoNqmKFTuHneRpxhY C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
File opened for modification C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
File created C:\Program Files\EnsureOptimizedConsultant\valibclang2d.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\EnsureOptimizedConsultant\2_mAaRrGrorewO.exe C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
File opened for modification C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe N/A
File created C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
File created C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.xml C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
File opened for modification C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.xml C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
File opened for modification C:\Program Files\EnsureOptimizedConsultant C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
File created C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\EnsureOptimizedConsultant\TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
File opened for modification C:\Program Files\EnsureOptimizedConsultant\TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
File opened for modification C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe N/A
File created C:\Program Files\EnsureOptimizedConsultant\zWeUWhkooKhmUnJIWTooAiOdyKrhOp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\EnsureOptimizedConsultant\jwCzMPsbdJgpyNoNqmKFTuHneRpxhY C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
File created C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\e583b10.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{24338565-DCE3-412B-878C-34B5AB7EF4CD} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4486.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e583b12.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e583b10.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\kingsoft\20241118_34317\WPS_Setup_18608.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\kingsoft\20241118_34317\WPS_Setup_18608.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache C:\Windows\system32\vssvc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common\FirstInstallTime = "2024-11-18 03:43:21" C:\ProgramData\kingsoft\20241118_34317\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\kingsoft C:\ProgramData\kingsoft\20241118_34317\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0 C:\ProgramData\kingsoft\20241118_34317\WPS_Setup_18608.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" C:\Windows\System32\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common\FirstInstall = "1" C:\ProgramData\kingsoft\20241118_34317\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office C:\ProgramData\kingsoft\20241118_34317\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common\disableGlobalInfoCollect = "0" C:\ProgramData\kingsoft\20241118_34317\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\ProgramData\kingsoft\20241118_34317\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common C:\ProgramData\kingsoft\20241118_34317\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common\reportAllInfoToDataWarehouse = "0" C:\ProgramData\kingsoft\20241118_34317\WPS_Setup_18608.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common\errorReport = "https://dpr.wps.cn/errorReport/up" C:\ProgramData\kingsoft\20241118_34317\WPS_Setup_18608.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common C:\ProgramData\kingsoft\20241118_34317\WPS_Setup_18608.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C13DFF0E8CA66BE4DA7108E8B877C369 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\PackageCode = "17A50817543FBC240997BC3912996FE2" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\ProductName = "EnsureOptimizedConsultant" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\Version = "67108871" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C13DFF0E8CA66BE4DA7108E8B877C369\565833423ECDB21478C8435BBAE74FDC C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\565833423ECDB21478C8435BBAE74FDC C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\PackageName = "WPS_Setup.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\565833423ECDB21478C8435BBAE74FDC\ProductFeature C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\ProgramData\kingsoft\20241118_34317\WPS_Setup_18608.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A
N/A N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\kingsoft\20241118_34317\WPS_Setup_18608.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
Token: 35 N/A C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
Token: 35 N/A C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\ProgramData\kingsoft\20241118_34317\WPS_Setup_18608.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2488 wrote to memory of 2544 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2488 wrote to memory of 2544 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2488 wrote to memory of 4496 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 2488 wrote to memory of 4496 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4496 wrote to memory of 1020 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4496 wrote to memory of 1020 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4496 wrote to memory of 1168 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 4496 wrote to memory of 1168 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1168 wrote to memory of 2032 N/A C:\Windows\System32\cmd.exe C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
PID 1168 wrote to memory of 2032 N/A C:\Windows\System32\cmd.exe C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
PID 1168 wrote to memory of 2032 N/A C:\Windows\System32\cmd.exe C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
PID 1168 wrote to memory of 3692 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1168 wrote to memory of 3692 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1168 wrote to memory of 4388 N/A C:\Windows\System32\cmd.exe C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
PID 1168 wrote to memory of 4388 N/A C:\Windows\System32\cmd.exe C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
PID 1168 wrote to memory of 4388 N/A C:\Windows\System32\cmd.exe C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
PID 4496 wrote to memory of 2652 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe
PID 4496 wrote to memory of 2652 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe
PID 4496 wrote to memory of 2652 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe
PID 4496 wrote to memory of 764 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe
PID 4496 wrote to memory of 764 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe
PID 4496 wrote to memory of 764 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe
PID 764 wrote to memory of 1020 N/A C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe C:\ProgramData\kingsoft\20241118_34317\WPS_Setup_18608.exe
PID 764 wrote to memory of 1020 N/A C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe C:\ProgramData\kingsoft\20241118_34317\WPS_Setup_18608.exe
PID 764 wrote to memory of 1020 N/A C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe C:\ProgramData\kingsoft\20241118_34317\WPS_Setup_18608.exe
PID 2888 wrote to memory of 4192 N/A C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe
PID 2888 wrote to memory of 4192 N/A C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe
PID 2888 wrote to memory of 4192 N/A C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe
PID 4192 wrote to memory of 1108 N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe
PID 4192 wrote to memory of 1108 N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe
PID 4192 wrote to memory of 1108 N/A C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WPS_Setup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding EDEAB951D6A684253BB39D78C140359D E Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\EnsureOptimizedConsultant','C:\Program Files','C:\Program Files'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe" x "C:\Program Files\EnsureOptimizedConsultant\zWeUWhkooKhmUnJIWTooAiOdyKrhOp" -o"C:\Program Files\EnsureOptimizedConsultant\" -p"52054T.7_jh@;P;zk[{L" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe" x "C:\Program Files\EnsureOptimizedConsultant\TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY" -x!1_mAaRrGrorewO.exe -x!sss -x!1_MqjgbIbFsQecJXwdGMcChDsAdZfOMl.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\EnsureOptimizedConsultant\" -p"19938}{;T;s{QH*a~YQt" -y

C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe

"C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe" x "C:\Program Files\EnsureOptimizedConsultant\zWeUWhkooKhmUnJIWTooAiOdyKrhOp" -o"C:\Program Files\EnsureOptimizedConsultant\" -p"52054T.7_jh@;P;zk[{L" -y

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe

"C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe" x "C:\Program Files\EnsureOptimizedConsultant\TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY" -x!1_mAaRrGrorewO.exe -x!sss -x!1_MqjgbIbFsQecJXwdGMcChDsAdZfOMl.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\EnsureOptimizedConsultant\" -p"19938}{;T;s{QH*a~YQt" -y

C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe

"C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe" -number 145 -file file3 -mode mode3

C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe

"C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe"

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.vbs"

C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe

"C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe" install

C:\ProgramData\kingsoft\20241118_34317\WPS_Setup_18608.exe

"C:\ProgramData\kingsoft\20241118_34317\WPS_Setup_18608.exe" /ThemeIndex=#ThemeIndex#

C:\ProgramData\kingsoft\20241118_34317\WPS_Setup_18608.exe

"C:\ProgramData\kingsoft\20241118_34317\WPS_Setup_18608.exe" -downpower -ThemeIndex="#ThemeIndex#" -msgwndname=wpssetup_message_E587BE2 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~e587980\ -msgsmname=Global\_wpssetup_message_sm_3FC

C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe

"C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe" start

C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe

"C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe"

C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe

"C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe" -number 240 -file file3 -mode mode3

C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe

"C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe" -number 62 -file file3 -mode mode3

Network

Files

\??\Volume{f9c79713-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{991ebd8d-78bc-4059-9137-2a7005a3d8d9}_OnDiskSnapshotProp

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_coi4rybz.zt5.ps1

memory/1020-24-0x00000220677B0000-0x00000220677D2000-memory.dmp

C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe

C:\Program Files\EnsureOptimizedConsultant\zWeUWhkooKhmUnJIWTooAiOdyKrhOp

C:\Program Files\EnsureOptimizedConsultant\TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY

C:\Program Files\EnsureOptimizedConsultant\2_mAaRrGrorewO.exe

memory/2652-56-0x0000000029E40000-0x0000000029E6F000-memory.dmp

C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe

C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.vbs

C:\Config.Msi\e583b11.rbs

memory/3784-74-0x0000000000F10000-0x0000000000FE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsr6FEC.tmp\v6svc_oem.dll

C:\Users\Admin\AppData\Local\Temp\nsr6FEC.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nsr6FEC.tmp\AccessControl.dll

C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.xml

C:\ProgramData\kingsoft\20241118_34317\oem.ini

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

C:\Users\Admin\AppData\Local\Temp\wps\~e587980\CONTROL\product.dat

C:\Users\Admin\AppData\Local\tempinstall.ini

C:\Users\Admin\AppData\Local\tempinstall.ini

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

C:\Users\Admin\AppData\Local\Temp\wps\~e587980\CONTROL\office6\ucrtbase.dll

C:\Users\Admin\AppData\Local\Temp\wps\~e587980\CONTROL\office6\kpacketui.dll

C:\Users\Admin\AppData\Local\Temp\wps\~e587980\CONTROL\office6\vcruntime140.dll

C:\Users\Admin\AppData\Local\Temp\wps\~e587980\CONTROL\office6\msvcp140.dll

C:\Users\Admin\AppData\Local\Temp\wps\~e587980\CONTROL\office6\Qt5CoreKso.dll

C:\Users\Admin\AppData\Local\Temp\wps\~e587980\CONTROL\office6\Qt5GuiKso.dll

C:\Users\Admin\AppData\Local\Temp\wps\~e587980\CONTROL\office6\Qt5WinExtrasKso.dll

C:\Users\Admin\AppData\Local\Temp\wps\~e587980\CONTROL\office6\Qt5WidgetsKso.dll

C:\Users\Admin\AppData\Local\Temp\wps\~e587980\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll

C:\Users\Admin\AppData\Local\Temp\wps\~e587980\CONTROL\office6\qt\plugins\platforms\qwindows.dll

C:\Users\Admin\AppData\Local\Temp\wps\~e587980\CONTROL\office6\Qt5SvgKso.dll

C:\Users\Admin\AppData\Local\Temp\wps\~e587980\CONTROL\office6\qt\plugins\imageformats\qsvg.dll

C:\Users\Admin\AppData\Local\Temp\wps\~e587980\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SvwYSxmZIFRH.exe.log

C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log

C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log

C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log

memory/1108-415-0x000000002A5D0000-0x000000002A61D000-memory.dmp

memory/1108-416-0x000000002C1E0000-0x000000002C39D000-memory.dmp