gh0strat | 84eff4cdf5c39f9979e8d1434ab7e0472ca710bdcf0a5d4db920732386e31957

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 03:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

WPS_Setup.msi
Size

242.9MB
MD5

3255760e78b6d9dd1ecdd6d4c31b2625
SHA1

fa10fb8c29029fedf846d88ab3aba3870056f287
SHA256

84eff4cdf5c39f9979e8d1434ab7e0472ca710bdcf0a5d4db920732386e31957
SHA512

2bb0e5bec54a840620758b530d09c4fade7fe3136938302e0388fb172af703a665425dfd50e94c5591177957c28cd9bc5899f5380e206ab61de1484ff9f3ccdd
SSDEEP

6291456:lLKBfaA+iLH02im/1aOUiWuXsiHDqzGw4VQ:lLWfadiL1B/1/UZucfzT4

Score

10^/10

gh0strat purplefox discovery execution persistence privilege_escalation rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 3 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/4436-418-0x000000002BED0000-0x000000002C08D000-memory.dmp	purplefox_rootkit
behavioral2/memory/4436-424-0x000000002BED0000-0x000000002C08D000-memory.dmp	purplefox_rootkit
behavioral2/memory/4436-425-0x000000002BED0000-0x000000002C08D000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral2/memory/4436-418-0x000000002BED0000-0x000000002C08D000-memory.dmp	family_gh0strat
behavioral2/memory/4436-424-0x000000002BED0000-0x000000002C08D000-memory.dmp	family_gh0strat
behavioral2/memory/4436-425-0x000000002BED0000-0x000000002C08D000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4656	powershell.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	mAaRrGrorewO.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	mAaRrGrorewO.exe
File opened (read-only)	\??\X:	mAaRrGrorewO.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	mAaRrGrorewO.exe
File opened (read-only)	\??\I:	mAaRrGrorewO.exe
File opened (read-only)	\??\T:	mAaRrGrorewO.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	mAaRrGrorewO.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	mAaRrGrorewO.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\J:	mAaRrGrorewO.exe
File opened (read-only)	\??\K:	mAaRrGrorewO.exe
File opened (read-only)	\??\N:	mAaRrGrorewO.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	mAaRrGrorewO.exe
File opened (read-only)	\??\H:	mAaRrGrorewO.exe
File opened (read-only)	\??\S:	mAaRrGrorewO.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	mAaRrGrorewO.exe
File opened (read-only)	\??\O:	mAaRrGrorewO.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	mAaRrGrorewO.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	mAaRrGrorewO.exe
File opened (read-only)	\??\Z:	mAaRrGrorewO.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	mAaRrGrorewO.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SvwYSxmZIFRH.exe.log	SvwYSxmZIFRH.exe

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe	MsiExec.exe
File opened for modification	C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log	SvwYSxmZIFRH.exe
File created	C:\Program Files\EnsureOptimizedConsultant\TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY	BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
File opened for modification	C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.xml	BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
File created	C:\Program Files\EnsureOptimizedConsultant\2_mAaRrGrorewO.exe	BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
File opened for modification	C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe	BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
File created	C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.xml	BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
File opened for modification	C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log	SvwYSxmZIFRH.exe
File created	C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe	msiexec.exe
File created	C:\Program Files\EnsureOptimizedConsultant\valibclang2d.dll	msiexec.exe
File opened for modification	C:\Program Files\EnsureOptimizedConsultant\TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY	BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
File created	C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO	BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
File created	C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe	MsiExec.exe
File created	C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.vbs	mAaRrGrorewO.exe
File opened for modification	C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log	SvwYSxmZIFRH.exe
File created	C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe	msiexec.exe
File created	C:\Program Files\EnsureOptimizedConsultant\zWeUWhkooKhmUnJIWTooAiOdyKrhOp	msiexec.exe
File created	C:\Program Files\EnsureOptimizedConsultant\jwCzMPsbdJgpyNoNqmKFTuHneRpxhY	BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
File opened for modification	C:\Program Files\EnsureOptimizedConsultant\2_mAaRrGrorewO.exe	BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
File opened for modification	C:\Program Files\EnsureOptimizedConsultant\jwCzMPsbdJgpyNoNqmKFTuHneRpxhY	BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
File opened for modification	C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO	BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
File created	C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe	BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
File opened for modification	C:\Program Files\EnsureOptimizedConsultant	mAaRrGrorewO.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{24338565-DCE3-412B-878C-34B5AB7EF4CD}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2824.tmp	msiexec.exe
File created	C:\Windows\Installer\e582102.msi	msiexec.exe
File created	C:\Windows\Installer\e582100.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e582100.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Executes dropped EXE 11 IoCs

pid	Process
1400	BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
3428	BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
1892	mAaRrGrorewO.exe
4720	SvwYSxmZIFRH.exe
2672	WPS_Setup_18608.exe
5020	WPS_Setup_18608.exe
4416	WPS_Setup_18608.exe
232	SvwYSxmZIFRH.exe
4940	SvwYSxmZIFRH.exe
3596	mAaRrGrorewO.exe
4436	mAaRrGrorewO.exe

Loads dropped DLL 19 IoCs

pid	Process
2672	WPS_Setup_18608.exe
2672	WPS_Setup_18608.exe
2672	WPS_Setup_18608.exe
2672	WPS_Setup_18608.exe
5020	WPS_Setup_18608.exe
5020	WPS_Setup_18608.exe
5020	WPS_Setup_18608.exe
5020	WPS_Setup_18608.exe
5020	WPS_Setup_18608.exe
5020	WPS_Setup_18608.exe
5020	WPS_Setup_18608.exe
5020	WPS_Setup_18608.exe
5020	WPS_Setup_18608.exe
5020	WPS_Setup_18608.exe
5020	WPS_Setup_18608.exe
5020	WPS_Setup_18608.exe
5020	WPS_Setup_18608.exe
5020	WPS_Setup_18608.exe
5020	WPS_Setup_18608.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1520	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mAaRrGrorewO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mAaRrGrorewO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mAaRrGrorewO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WPS_Setup_18608.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WPS_Setup_18608.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WPS_Setup_18608.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1816	cmd.exe
764	PING.EXE

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000c4d65e62b69e8e0b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000c4d65e620000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900c4d65e62000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dc4d65e62000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000c4d65e6200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mAaRrGrorewO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mAaRrGrorewO.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	WPS_Setup_18608.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common	WPS_Setup_18608.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common\errorReport = "https://dpr.wps.cn/errorReport/up"	WPS_Setup_18608.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\kingsoft	WPS_Setup_18608.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common\reportAllInfoToDataWarehouse = "0"	WPS_Setup_18608.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common\FirstInstallTime = "2024-11-19 03:42:05"	WPS_Setup_18608.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common\FirstInstall = "1"	WPS_Setup_18608.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common\disableGlobalInfoCollect = "0"	WPS_Setup_18608.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WScript.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common	WPS_Setup_18608.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\kingsoft\Office	WPS_Setup_18608.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0	WPS_Setup_18608.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\ProductName = "EnsureOptimizedConsultant"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C13DFF0E8CA66BE4DA7108E8B877C369\565833423ECDB21478C8435BBAE74FDC	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\PackageName = "WPS_Setup.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\565833423ECDB21478C8435BBAE74FDC\ProductFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\PackageCode = "17A50817543FBC240997BC3912996FE2"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\Version = "67108871"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C13DFF0E8CA66BE4DA7108E8B877C369	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\565833423ECDB21478C8435BBAE74FDC	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\AuthorizedLUAApp = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\Clients = 3a0000000000	msiexec.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
764	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5020	WPS_Setup_18608.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4352	msiexec.exe
4352	msiexec.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe
1892	mAaRrGrorewO.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5020	WPS_Setup_18608.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1520	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1520	msiexec.exe
Token: SeSecurityPrivilege	4352	msiexec.exe
Token: SeCreateTokenPrivilege	1520	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1520	msiexec.exe
Token: SeLockMemoryPrivilege	1520	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1520	msiexec.exe
Token: SeMachineAccountPrivilege	1520	msiexec.exe
Token: SeTcbPrivilege	1520	msiexec.exe
Token: SeSecurityPrivilege	1520	msiexec.exe
Token: SeTakeOwnershipPrivilege	1520	msiexec.exe
Token: SeLoadDriverPrivilege	1520	msiexec.exe
Token: SeSystemProfilePrivilege	1520	msiexec.exe
Token: SeSystemtimePrivilege	1520	msiexec.exe
Token: SeProfSingleProcessPrivilege	1520	msiexec.exe
Token: SeIncBasePriorityPrivilege	1520	msiexec.exe
Token: SeCreatePagefilePrivilege	1520	msiexec.exe
Token: SeCreatePermanentPrivilege	1520	msiexec.exe
Token: SeBackupPrivilege	1520	msiexec.exe
Token: SeRestorePrivilege	1520	msiexec.exe
Token: SeShutdownPrivilege	1520	msiexec.exe
Token: SeDebugPrivilege	1520	msiexec.exe
Token: SeAuditPrivilege	1520	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1520	msiexec.exe
Token: SeChangeNotifyPrivilege	1520	msiexec.exe
Token: SeRemoteShutdownPrivilege	1520	msiexec.exe
Token: SeUndockPrivilege	1520	msiexec.exe
Token: SeSyncAgentPrivilege	1520	msiexec.exe
Token: SeEnableDelegationPrivilege	1520	msiexec.exe
Token: SeManageVolumePrivilege	1520	msiexec.exe
Token: SeImpersonatePrivilege	1520	msiexec.exe
Token: SeCreateGlobalPrivilege	1520	msiexec.exe
Token: SeBackupPrivilege	2416	vssvc.exe
Token: SeRestorePrivilege	2416	vssvc.exe
Token: SeAuditPrivilege	2416	vssvc.exe
Token: SeBackupPrivilege	4352	msiexec.exe
Token: SeRestorePrivilege	4352	msiexec.exe
Token: SeRestorePrivilege	4352	msiexec.exe
Token: SeTakeOwnershipPrivilege	4352	msiexec.exe
Token: SeBackupPrivilege	1888	srtasks.exe
Token: SeRestorePrivilege	1888	srtasks.exe
Token: SeSecurityPrivilege	1888	srtasks.exe
Token: SeTakeOwnershipPrivilege	1888	srtasks.exe
Token: SeRestorePrivilege	4352	msiexec.exe
Token: SeTakeOwnershipPrivilege	4352	msiexec.exe
Token: SeBackupPrivilege	1888	srtasks.exe
Token: SeRestorePrivilege	1888	srtasks.exe
Token: SeSecurityPrivilege	1888	srtasks.exe
Token: SeTakeOwnershipPrivilege	1888	srtasks.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeRestorePrivilege	1400	BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
Token: 35	1400	BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
Token: SeSecurityPrivilege	1400	BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
Token: SeSecurityPrivilege	1400	BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
Token: SeRestorePrivilege	3428	BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
Token: 35	3428	BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
Token: SeSecurityPrivilege	3428	BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
Token: SeSecurityPrivilege	3428	BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
Token: SeDebugPrivilege	4720	SvwYSxmZIFRH.exe
Token: SeRestorePrivilege	4352	msiexec.exe
Token: SeTakeOwnershipPrivilege	4352	msiexec.exe
Token: SeRestorePrivilege	4352	msiexec.exe
Token: SeTakeOwnershipPrivilege	4352	msiexec.exe
Token: SeRestorePrivilege	4352	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1520	msiexec.exe
1520	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5020	WPS_Setup_18608.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 4352 wrote to memory of 1888	4352	msiexec.exe	103
PID 4352 wrote to memory of 1888	4352	msiexec.exe	103
PID 4352 wrote to memory of 3104	4352	msiexec.exe	106
PID 4352 wrote to memory of 3104	4352	msiexec.exe	106
PID 3104 wrote to memory of 4656	3104	MsiExec.exe	107
PID 3104 wrote to memory of 4656	3104	MsiExec.exe	107
PID 3104 wrote to memory of 1816	3104	MsiExec.exe	109
PID 3104 wrote to memory of 1816	3104	MsiExec.exe	109
PID 1816 wrote to memory of 1400	1816	cmd.exe	111
PID 1816 wrote to memory of 1400	1816	cmd.exe	111
PID 1816 wrote to memory of 1400	1816	cmd.exe	111
PID 1816 wrote to memory of 764	1816	cmd.exe	112
PID 1816 wrote to memory of 764	1816	cmd.exe	112
PID 1816 wrote to memory of 3428	1816	cmd.exe	114
PID 1816 wrote to memory of 3428	1816	cmd.exe	114
PID 1816 wrote to memory of 3428	1816	cmd.exe	114
PID 3104 wrote to memory of 1892	3104	MsiExec.exe	116
PID 3104 wrote to memory of 1892	3104	MsiExec.exe	116
PID 3104 wrote to memory of 1892	3104	MsiExec.exe	116
PID 3104 wrote to memory of 2672	3104	MsiExec.exe	118
PID 3104 wrote to memory of 2672	3104	MsiExec.exe	118
PID 3104 wrote to memory of 2672	3104	MsiExec.exe	118
PID 2672 wrote to memory of 5020	2672	WPS_Setup_18608.exe	123
PID 2672 wrote to memory of 5020	2672	WPS_Setup_18608.exe	123
PID 2672 wrote to memory of 5020	2672	WPS_Setup_18608.exe	123
PID 4940 wrote to memory of 3596	4940	SvwYSxmZIFRH.exe	130
PID 4940 wrote to memory of 3596	4940	SvwYSxmZIFRH.exe	130
PID 4940 wrote to memory of 3596	4940	SvwYSxmZIFRH.exe	130
PID 3596 wrote to memory of 4436	3596	mAaRrGrorewO.exe	132
PID 3596 wrote to memory of 4436	3596	mAaRrGrorewO.exe	132
PID 3596 wrote to memory of 4436	3596	mAaRrGrorewO.exe	132

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WPS_Setup.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1520

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4352
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 81E6F73C18EF353E13D5732E40E5C9D1 E Global\MSI0000
  2⤵
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\EnsureOptimizedConsultant','C:\Program Files','C:\Program Files'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4656
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe" x "C:\Program Files\EnsureOptimizedConsultant\zWeUWhkooKhmUnJIWTooAiOdyKrhOp" -o"C:\Program Files\EnsureOptimizedConsultant\" -p"52054T.7_jh@;P;zk[{L" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe" x "C:\Program Files\EnsureOptimizedConsultant\TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY" -x!1_mAaRrGrorewO.exe -x!sss -x!1_MqjgbIbFsQecJXwdGMcChDsAdZfOMl.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\EnsureOptimizedConsultant\" -p"19938}{;T;s{QH*a~YQt" -y
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
      "C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe" x "C:\Program Files\EnsureOptimizedConsultant\zWeUWhkooKhmUnJIWTooAiOdyKrhOp" -o"C:\Program Files\EnsureOptimizedConsultant\" -p"52054T.7_jh@;P;zk[{L" -y
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1400
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:764
  - - C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
      "C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe" x "C:\Program Files\EnsureOptimizedConsultant\TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY" -x!1_mAaRrGrorewO.exe -x!sss -x!1_MqjgbIbFsQecJXwdGMcChDsAdZfOMl.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\EnsureOptimizedConsultant\" -p"19938}{;T;s{QH*a~YQt" -y
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3428
- - C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe
    "C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe" -number 145 -file file3 -mode mode3
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1892
- - C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe
    "C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\ProgramData\kingsoft\20241119_34201\WPS_Setup_18608.exe
      "C:\ProgramData\kingsoft\20241119_34201\WPS_Setup_18608.exe" /ThemeIndex=#ThemeIndex#
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:5020

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.vbs"
1⤵
- Modifies data under HKEY_USERS
PID:4812

C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe
"C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe" install
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\ProgramData\kingsoft\20241119_34201\WPS_Setup_18608.exe
"C:\ProgramData\kingsoft\20241119_34201\WPS_Setup_18608.exe" -downpower -ThemeIndex="#ThemeIndex#" -msgwndname=wpssetup_message_E585CC1 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\ -msgsmname=Global\_wpssetup_message_sm_139C
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4416

C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe
"C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe" start
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:232

C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe
"C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe
  "C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe" -number 240 -file file3 -mode mode3
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe
    "C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe" -number 62 -file file3 -mode mode3
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e582101.rbs

Filesize
7KB

MD5
d7b7c12c520a36fa214c4ebc9f0f3658

SHA1
655dc0961204e88c97fb12fdc2703482a8482feb

SHA256
9f728e22210e3c4bf99cb909f38bc0571033245bb7fc4e98cbd76a8634b0af8a

SHA512
fd5d71e48d703554b54d9f9d73463b4ef3dc28b8064c1319da76afafcde7272fed9ddf8e4f9a826aa6c059f141d11d05dc549838a684207d53c1afacd5421ee5

Download Submit
C:\Program Files\EnsureOptimizedConsultant\2_mAaRrGrorewO.exe

Filesize
2.8MB

MD5
0e76fd2dd06b069ed52c2f632ea0a532

SHA1
1f7abe1527bd0670346354a71c0d3e25a0c45d09

SHA256
262314d5d3d5be46b9c5cf1cbf59945529ae6a0baa0fc17ac81f5b9213488bc9

SHA512
db7684bbcc29d839e9b9c5ac15221f694d1554973e02182a0bbc22a60287d8b6be83ccfe4e66be62def34eb3a3412bd1632c043984850121751d89d91e8503aa

Download Submit
C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe

Filesize
577KB

MD5
c31c4b04558396c6fabab64dcf366534

SHA1
fa836d92edc577d6a17ded47641ba1938589b09a

SHA256
9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3

SHA512
814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

Download Submit
C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe

Filesize
832KB

MD5
d305d506c0095df8af223ac7d91ca327

SHA1
679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

SHA256
923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

SHA512
94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Download Submit
C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log

Filesize
280B

MD5
cdbc8d421c431158b7a31131f2a73044

SHA1
d4f82e6afee57dfd35106bb552ed38cb54d96650

SHA256
21a2169eda1579dbd68c1127ad0bec67628857bc87f5d16b67fc385f76ae549f

SHA512
facc0b4fa8bfd61ffe5278b7a9931e973d9905d17ced16dbbbc0854f2af1f157de9553994347b9825776204b4737ea7d8168323b58d0aa28c7c45ee06614977a

Download Submit
C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log

Filesize
443B

MD5
6322e63fbe310f4d2fbebb6b4b4df4f0

SHA1
d688b538b8d52f2b9285e825ad753f648f496a9a

SHA256
9e8a5728addb95bc6d959b0d9859510951f6ceafb66056537634c3bf418fa513

SHA512
6b010ca1db8ba77c043c3f4256620dde6e11f490bb28976fddf7fbca23bc34d260b37fe11aeddb3352d44257e6b9f86bda902ad472994b6b24a75e3b345060e5

Download Submit
C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log

Filesize
616B

MD5
712c16c3a86611371c5b6a7b5aa4eb3b

SHA1
705f3764d858485acf108c3bc6080b0d9fd3101e

SHA256
d40d1787fd530237a6ac13bbe9b0da0c126f0ccde23c6f4d72411ad00ba9b137

SHA512
33e6181a76cc9c67cfd0d4f210a3f541a213ceb6c71d21ef6e302c285fd5c92c0ab1861d933353f06d32d10523ed1ac05c01b8279f9494e235444642484755c6

Download Submit
C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log

Filesize
754B

MD5
00cbb69679661f0dcc28871dba15c732

SHA1
7d4d0c7724734e471b53bf81db263f2004f373fb

SHA256
a6e0f4f071a317e981ddefb9df868a6099f53b88244aa0180916e4719adc1e71

SHA512
7bd898000171d8c73ab1c48084701230d5ffaac14d561b96b5e8750a6730af5328a0e7d6b45ea936b284df8e04f6fcad74bde90270b66eba051980efe829f3c5

Download Submit
C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.xml

Filesize
439B

MD5
c2189f6129d04a0275ed701467e9fbb9

SHA1
9a9aacef971c83513ade58d3a5db57a1025f70fa

SHA256
8ab41dfc1b0feb2211b16637a1abdb9dc34bce0dc0e6c6aa99aefc5ebf8db30f

SHA512
5d2581e37fb3c35bf8b7217ee46cb949620c9a077606b2cd1536fcf47be9680966c3268ceeefe8668e727a8d269027fe2b02f12a402ac17fa63bb7df6a290cd0

Download Submit
C:\Program Files\EnsureOptimizedConsultant\TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY

Filesize
2.2MB

MD5
0ee4778f434c07656a60bef038e2e418

SHA1
fe37df7dcdcd815748ca391f4793a690d1fe06c5

SHA256
d5acaa34a51eeabe5bca2c26e80d73f82c9be63cfbbe12d3f87f13b63e84c1f4

SHA512
d58513fb24938fadb9429c56afc770a04b0a3f8d757e82deaffdb8b5ec7b56bb0d6aa3fdd99a7def37aea3e9ee806c7bdc73e2b46384cd7325b23518fa4b9617

Download Submit
C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.vbs

Filesize
2KB

MD5
52009f48e9e0b20f57bad46cbcb394cf

SHA1
add56fb60a485bd2e8e51e92dad44c06f6404858

SHA256
8640976c703cb5f3177959424c3d3049fab696a8fe1f637539fc0e96bbb712c9

SHA512
2c602469c0db4a52e452e764aa2bd4f502d18d2b76ed6e28850aa61d021f34080653407b8e3c26e6b310f3cbed378ed320d31a2037aca434339278618b2209e4

Download Submit
C:\Program Files\EnsureOptimizedConsultant\zWeUWhkooKhmUnJIWTooAiOdyKrhOp

Filesize
2.2MB

MD5
a9d9fcb39f3a86aa6017d7a4ea0fea78

SHA1
c522e597688441cfb094111de26c63a8b4a865ee

SHA256
ba25ac5ca218c633979a2882cde1f2938a1b091ecbd03b69e276d8709b8de39e

SHA512
30a5ce6a5ade96bd1b224166c4604ab033db76fd42655a537858e9a4820fca02441589b01f017329e0e99b5d1a60b71bf1903481ff9bf20713d8ce3a6c31cf4e

Download Submit
C:\ProgramData\kingsoft\20241119_34201\oem.ini

Filesize
1KB

MD5
920068869d99afbee8244a2be1e667dd

SHA1
4fb5d143480d258cb4afa9d009b303a08fc9122b

SHA256
53b4432efa05bb55dec931a4641e32a6dccae3fb4730bf66bab2fe58df904d2f

SHA512
466623f31264a788fbf83589f8d5601ba1797d9df21da04fca5a13ff25678ddc3291d3086fedfbf5829a1eed93a67759af704c51c38c3378202c34e242eae8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oxlqlm05.npc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf51B6.tmp\AccessControl.dll

Filesize
13KB

MD5
28c87a09fdb49060aa4ab558a2832109

SHA1
9213a24964cd479eac91d01ad54190f9c11d0c75

SHA256
933cadcd3a463484bbb3c45077afda0edbb539dfbe988efad79a88cae63bf95f

SHA512
413b3afe5a3b139a199f2a6954edc055eee3b312c3dffd568cfdbe1f740f07a7c27fbf7b2a0b6e3c3dd6ee358ce96cc1ca821883f055bf63ddebda854384700d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf51B6.tmp\System.dll

Filesize
11KB

MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf51B6.tmp\v6svc_oem.dll

Filesize
192KB

MD5
500318167948bdd3ad42a40721e1a72b

SHA1
24134691693e6d78d6eb0a0c64833c12a0090968

SHA256
d3378ee739debcaee8c715963403d96bf025db98bfbb55e54635429890db85c6

SHA512
0a2d3b55528cc53cfce5b47158997300c562afd2c7bb5596532b218d3f482380887ee7c204b13d42425dc0c4cc439a7f9ed167f3767bda7b6e205e7e8f454863

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\CONTROL\office6\Qt5CoreKso.dll

Filesize
5.0MB

MD5
e847288468d4daadcb8f5a8bb152e923

SHA1
574f7b2d1def9d79c4257c4268246fb399041bf6

SHA256
dc450ada7d31c9df923803e687c87dda9b9bec5e3f0efef6a30206872c9559a5

SHA512
b0c939485c7ab200837f8f4eb1da305644457825611a6d829cb6f789e486ef69ef4716f152e487b599f85cddaeb53808e71e3e016b4f7b4c4a71a2506586e133

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\CONTROL\office6\Qt5GuiKso.dll

Filesize
5.3MB

MD5
c79bc97c4dc3a9f6beff0d18a0916b15

SHA1
3cb0b6ae6fd034ee24511c8ecd91c16d73d2b76a

SHA256
0c490173ab692710614f42dde8cf643aec26ff4636dc25d778d1444fe90368ea

SHA512
df1475695972a4c17401a4552e43eb249a99c77c3292c42d48a64964bcd10534fa006ab09124acb197b0b27283042afd0e9163953f824507ca2279c04a82d147

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\CONTROL\office6\Qt5SvgKso.dll

Filesize
392KB

MD5
d7207f0e20b9ec71399fb9914ffb8278

SHA1
e862601902fb95f2cd2b79370dc0547cf382ccd5

SHA256
6b47184545802c689971608dea86a2e7925b21714db800afd56a5eb40398dcc0

SHA512
59afd7add23f80bbe0d3df5be60226b1a80133439b2b6f217a67db1911d3adaba6b360b29f4debf6ed9574619521dc3677248185ad9cc6870488565309f1a3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\CONTROL\office6\Qt5WidgetsKso.dll

Filesize
4.5MB

MD5
e680d10a2632b3bcc9e87790b11c9fc5

SHA1
c97b51036952a79e7173e672f59492487902952a

SHA256
ec89fe25ce694fa68c80aab24cef732c0d9d102b35f38b946cdcce517b5ad329

SHA512
cb6284236c3259bbacc2f90cb6ac059ef9da9d03277df21ac0ec69eb0132271a346477e9305875d4723f6f3327d04fd5f5bb26a9b39d8e8b7c94fea57a83dceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\CONTROL\office6\Qt5WinExtrasKso.dll

Filesize
217KB

MD5
4df516604e20d8defb35aaf0fb16a2b5

SHA1
6b34b3fcb1da882e6adbd78f1aa38bfc4710a098

SHA256
4c7efb65779f1b988bfc12623e042338061bd123a89b8171c7db7ace7d416628

SHA512
cd7d4b005f1ff7fbdfbb15da4ffe5513fcb741b2088fa42560f45b6fe4f3dd97efb78c7a2ec49b0ce8a0dc4a5fe237f4ffc68ea6c8b6a048718876656fb5282d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\CONTROL\office6\kpacketui.dll

Filesize
1.9MB

MD5
283a731e55f15516cbefe175ced45d26

SHA1
59eb1520c7b7f1ca8faa494426d6c9a64c15e145

SHA256
9fa73aeb2092080fc29f80f3a1287c1740ed4eb85f883c87be385c846b9b47fe

SHA512
7dc7da18fe2376780ccc226ee1caf7eddb38edc4540fab8c2e5a9589dcdea3b8218fb483df2e8b5c5df358e484b161292399340f4e1ea06b71464b05b220643b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\CONTROL\office6\msvcp140.dll

Filesize
427KB

MD5
db1e9807b717b91ac6df6262141bd99f

SHA1
f55b0a6b2142c210bbfeebf1bac78134acc383b2

SHA256
5a6dfa5e1ffb6c1e7fc76bd121c6c91305e10dd75fc2124f79fee291a9dd9e86

SHA512
f0621977d20989d21ae14b66c1a7a6c752bfd6d7ccc2c4c4ec1c70ba6756e642fb7f9b1c6a94afadd0f8a05d3c377792e4aa4c1a771d833c40a6f46b90cbe7c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll

Filesize
61KB

MD5
b2555aac6faa3c776c7963538e3d642c

SHA1
01d7a80ce29872195770b6a76854d4e0e5576325

SHA256
894172fcd20aa7bf493cab6599d04102208810be1b080d0ef8422b047cdb3c3f

SHA512
0571aed245f8d62d387315a27d485b1154a8664e4db96fb54a67eb2c19ccbd547040378240d60d67668867f715da7775bbe86794329b48ae27e6a5f787e63109

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\CONTROL\office6\qt\plugins\imageformats\qsvg.dll

Filesize
41KB

MD5
90b1c6c13aa734636f94ac73d295c87a

SHA1
d5a9ab0696de39719bdb9bb71eb35353a8552525

SHA256
d62301457c3751ccb81d1a069491ef2ead1379b7910bc763f2d17969efea0406

SHA512
94a4a35294cb1ce7cf233fa95825b989fc7553a9ff78e23284aa592874fc01816fd765ecb800c030a6f92eac2ba69b1d2aad11600a2caa2afeda22e2d1b1325d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\CONTROL\office6\qt\plugins\platforms\qwindows.dll

Filesize
1.3MB

MD5
b6a37f22541908b36755c1b2907f4972

SHA1
1327b11691fe35918cedfaf35b7c3f2c040f07d0

SHA256
915bc4bb230e1a33ddca17faa5d1a5d63b33a1382a425d4c7364301283f9b977

SHA512
bcace988eae77a67a162aea424920d6ca5ca3b83a4047e450380f67dd6966c47d6b98aeb5b9f05f972f7b4ec39e2ba1cb648997efd62fc82087a24563326b6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll

Filesize
145KB

MD5
ce3eb6e3e6d950fb03ed3753baafd6d1

SHA1
cadd8a045a037a9ce10372b0d1a6907f7c9b93d1

SHA256
d470ed8b89ef39e86587825e17a0525253a2245c9be125818229d1ece015165c

SHA512
02b9fc512fb813e1aa9ee51032d0ba4182ab184883022b46f533df119649e8116869e6be6161681f38d79c1949636ba6309786425f2c1ede5b3f7a16e63a8d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\CONTROL\office6\ucrtbase.dll

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\CONTROL\office6\vcruntime140.dll

Filesize
75KB

MD5
8fdb26199d64ae926509f5606460f573

SHA1
7d7d8849e7c77af3042a6f54bdf2bb303d7cd678

SHA256
f1fd5f6ec1cfe0cc3b66b5322ac97568bc63b19c1e415b99aad7c69ddbafa33c

SHA512
f56bf11d4259dbf5d4d1f9fc2ad60ff609cddb21278999e9fa55fe5d74552e8a01ddc55cfdc9bf4b09b3e3130a1356142a24a7db8ec5ea19344de617dc9fa99f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\CONTROL\product.dat

Filesize
95KB

MD5
bb7426885c5f57b6b9405fdc7a94cc65

SHA1
0a58a34a41cbea358fd57d278e9b15e669cc28e6

SHA256
f32133a910d0ab4b64bb7bc33fd5894e1afeb048b83b09336d8b02cd4c7ae118

SHA512
3e8d20fc055b9ebbb49439adc69878e2b1c9a11f45400e7155874c031f950e3dc6ece86998366345c85ee98ac091ac319eb2175fd0100e300b9e856d06ef891d

Download Submit
C:\Users\Admin\AppData\Local\tempinstall.ini

Filesize
382B

MD5
6a5eea749583001de63b993fc66496ba

SHA1
fd41691ec4751e85be89917d46454f8533800b4e

SHA256
bca613688e735ccd1fae7164550bd8ae90862028cd0bf31534c149ea0d7c9f60

SHA512
6a5b9b863bf139c87b5734d6e8310c7231a1015d8eceb15f76ccf7676d36f9107fd5d817a6f04ed47c3ee45be409073c837beee3c079abde5bc38233c98b9712

Download Submit
C:\Users\Admin\AppData\Local\tempinstall.ini

Filesize
428B

MD5
5e1b68b67986b1588301c0135f19fc7c

SHA1
957ea47285f7d903cce7530ee34852435de5b5b4

SHA256
23456d8ce681d1a5a31bf06262e088f4feb8d0e8fdc1d37afa4aa02830ffacdc

SHA512
268ec437c5971552dacca1e9ef6850543614d5a7f05ac34b41bf05f73e97e4c694d59e4f0618a57660ffad4f2faee653b4c0c824f97a6e9fddc48d22c52739af

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
7KB

MD5
789f787dd829bfd00c929a4afa6c5209

SHA1
a06b7f2c8c1f3e4d31369ab149ce30994f796e65

SHA256
e65fa6b847d07b3f3bd34a90877c1eb8d7c79ba3d49301431c2fdcc724b61860

SHA512
e1502a4ee6c8144b8c4e10f545ed12ce0a7f78580f9da91d54f659f8b8e8437721b2db52f5c2be43c4d72d2fbff515155a5af52a5cc0422deb5a7bd296929307

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
8KB

MD5
6f4182ba632eb0c24b19202d18b91df1

SHA1
8b6f3f7324f0b714f7a4910996b4c8385c91eb97

SHA256
86f40302a911d789ad5731b0efc1f941bb9ae2d4bda9b74961b41325a447f229

SHA512
165745087967ec254276088041cac9a575aaffc418c4aad7d0d2d9feaf425d1e7370874404c8e70be9a70f81cf242b509162f8c68a28b5e8a68eadd2f9f6cc5a

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
26KB

MD5
71389956ef3ac924806acce229376a5f

SHA1
e18eea7ca506d0c9918f215f53a2eb5ee758d916

SHA256
35295da14d36e2d0d54d6910743a81786eb6a8b3e2e29c270be8ebaf607b773f

SHA512
811aa9ece4a9e73c82f4056efe03b86e12d02d4959c8cdd6ec83d8f408dfaefa06ecc9d813a9fb294aa428e4fbe63a48dad33f219c904fb44a047bd856ce2dc1

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SvwYSxmZIFRH.exe.log

Filesize
1KB

MD5
122cf3c4f3452a55a92edee78316e071

SHA1
f2caa36d483076c92d17224cf92e260516b3cbbf

SHA256
42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0

SHA512
c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
56b97b91dd4ddeace44be17178180051

SHA1
1f4f1032967e7398bb8bffa882f3f00502a745ee

SHA256
cb17d849b86d7b1e960701700c43cef7750059a88d25570c8b9ed8c78db3e1e7

SHA512
c73b4c5b615b46eb44fb55eec3c018dbd1ef9eedf6afe9ab99c01153857b53a4940aa73d3cbcc1b30107f19e7545dede2abbf57b428d83cec8a44923a7dba72b

Download Submit
\??\Volume{625ed6c4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3226c864-8865-4436-ac46-2a46405fd880}_OnDiskSnapshotProp

Filesize
6KB

MD5
3d463c4e75bc18e6fef6346c53bd5690

SHA1
2afde20b19c8a07e277f8145de223a729909cec5

SHA256
6d02c5b69cb4f6b6f0ab22347baef5dc52ff9c7fec29ced4b6606bbd5fb2f5d0

SHA512
85b0b35a5b390565844ad0e9c7caaa5323094b85f9c8ddf383b631ab15f110f73439ca11798e3864ac88b65eda1632af4d91e7d2fd29534f9af2d2da560afbc3

Download Submit
memory/1892-56-0x000000002A100000-0x000000002A12F000-memory.dmp

Filesize
188KB

Download
memory/4436-417-0x000000002A2C0000-0x000000002A30D000-memory.dmp

Filesize
308KB

Download
memory/4436-418-0x000000002BED0000-0x000000002C08D000-memory.dmp

Filesize
1.7MB

Download
memory/4436-424-0x000000002BED0000-0x000000002C08D000-memory.dmp

Filesize
1.7MB

Download
memory/4436-425-0x000000002BED0000-0x000000002C08D000-memory.dmp

Filesize
1.7MB

Download
memory/4656-23-0x000002D3E71D0000-0x000002D3E71F2000-memory.dmp

Filesize
136KB

Download
memory/4720-61-0x0000000000780000-0x0000000000856000-memory.dmp

Filesize
856KB

Download