Analysis Overview
SHA256
84eff4cdf5c39f9979e8d1434ab7e0472ca710bdcf0a5d4db920732386e31957
Threat Level: Known bad
The file WPS_Setup.msi.vir was found to be: Known bad.
Malicious Activity Summary
Detect PurpleFox Rootkit
Gh0strat family
Gh0strat
Purplefox family
Gh0st RAT payload
PurpleFox
Command and Scripting Interpreter: PowerShell
Enumerates connected drives
Drops file in System32 directory
Executes dropped EXE
Drops file in Windows directory
Loads dropped DLL
Drops file in Program Files directory
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Event Triggered Execution: Installer Packages
Enumerates physical storage devices
Checks SCSI registry key(s)
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Uses Volume Shadow Copy service COM API
Suspicious behavior: CmdExeWriteProcessMemorySpam
Runs ping.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-19 03:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-19 03:39
Reported
2024-11-19 03:44
Platform
win7-20241023-en
Max time kernel
120s
Max time network
136s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.xml | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | C:\Windows\system32\MsiExec.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\valibclang2d.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\jwCzMPsbdJgpyNoNqmKFTuHneRpxhY | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.xml | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant\jwCzMPsbdJgpyNoNqmKFTuHneRpxhY | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\2_mAaRrGrorewO.exe | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant\2_mAaRrGrorewO.exe | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant\TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.vbs | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\zWeUWhkooKhmUnJIWTooAiOdyKrhOp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | C:\Windows\system32\MsiExec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\f771f82.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f771f82.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f771f83.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI23A7.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f771f85.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\f771f83.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| N/A | N/A | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| N/A | N/A | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | N/A |
| N/A | N/A | C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe | N/A |
| N/A | N/A | C:\ProgramData\kingsoft\20241119_34159\WPS_Setup_18608.exe | N/A |
| N/A | N/A | C:\ProgramData\kingsoft\20241119_34159\WPS_Setup_18608.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\kingsoft\20241119_34159\WPS_Setup_18608.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\kingsoft\20241119_34159\WPS_Setup_18608.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common | C:\ProgramData\kingsoft\20241119_34159\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E | C:\ProgramData\kingsoft\20241119_34159\WPS_Setup_18608.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office\6.0 | C:\ProgramData\kingsoft\20241119_34159\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office\6.0\Common | C:\ProgramData\kingsoft\20241119_34159\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office\6.0\Common\FirstInstall = "1" | C:\ProgramData\kingsoft\20241119_34159\WPS_Setup_18608.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office\6.0\Common\reportAllInfoToDataWarehouse = "0" | C:\ProgramData\kingsoft\20241119_34159\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 508b3ff8343adb01 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\ProgramData\kingsoft\20241119_34159\WPS_Setup_18608.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\ProgramData\kingsoft\20241119_34159\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office | C:\ProgramData\kingsoft\20241119_34159\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common | C:\ProgramData\kingsoft\20241119_34159\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office\6.0\Common\errorReport = "https://dpr.wps.cn/errorReport/up" | C:\ProgramData\kingsoft\20241119_34159\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet." | C:\ProgramData\kingsoft\20241119_34159\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office\6.0\Common\disableGlobalInfoCollect = "0" | C:\ProgramData\kingsoft\20241119_34159\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft | C:\ProgramData\kingsoft\20241119_34159\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\kingsoft\Office\6.0\Common\FirstInstallTime = "2024-11-19 03:42:02" | C:\ProgramData\kingsoft\20241119_34159\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\ProductName = "EnsureOptimizedConsultant" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\PackageName = "WPS_Setup.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\565833423ECDB21478C8435BBAE74FDC\ProductFeature | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\PackageCode = "17A50817543FBC240997BC3912996FE2" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C13DFF0E8CA66BE4DA7108E8B877C369 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C13DFF0E8CA66BE4DA7108E8B877C369\565833423ECDB21478C8435BBAE74FDC | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\565833423ECDB21478C8435BBAE74FDC | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\Version = "67108871" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
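The Products, Features and UpgradeCodes keys in the table above hold GUIDs in Windows Installer's packed form (first three groups reversed, remaining digits swapped in pairs), so the ProductCode, UpgradeCode and PackageCode cannot be pasted into msiexec or matched against the Uninstall key as they appear here. The following Python is an added example, not part of this sandbox report, that unpacks the three codes recorded above and decodes the packed Version DWORD ("67108871"); the helper names and the responder_view output layout are this example's own.

```python
r"""Unpack Windows Installer "packed" GUIDs from the Installer\Products keys.

Added example, not sandbox output. Windows Installer stores ProductCode,
UpgradeCode and PackageCode under HKLM\SOFTWARE\Classes\Installer with the
first three GUID groups reversed and the last 16 hex digits swapped in pairs.
"""
import re

PACKED_RE = re.compile(r"^[0-9A-Fa-f]{32}$")

# Values copied from the "Modifies registry class" table of this report.
REPORT_CODES = {
    "ProductCode": "565833423ECDB21478C8435BBAE74FDC",
    "UpgradeCode": "C13DFF0E8CA66BE4DA7108E8B877C369",
    "PackageCode": "17A50817543FBC240997BC3912996FE2",
}


def unpack_guid(packed: str) -> str:
    """Packed 32-hex-digit form -> {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}."""
    if not PACKED_RE.match(packed):
        raise ValueError("packed GUID must be exactly 32 hex digits")
    p = packed.upper()
    # Groups 1-3 are stored fully reversed.
    head = [p[0:8][::-1], p[8:12][::-1], p[12:16][::-1]]
    # Groups 4-5 are stored as reversed two-digit pairs (a byte swap).
    tail = "".join(p[i:i + 2][::-1] for i in range(16, 32, 2))
    return "{" + "-".join(head + [tail[:4], tail[4:]]) + "}"


def pack_guid(guid: str) -> str:
    """Normal GUID (with or without braces and dashes) -> packed registry form."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", guid).upper()
    if len(hexdigits) != 32:
        raise ValueError("GUID must contain exactly 32 hex digits")
    head = hexdigits[0:8][::-1] + hexdigits[8:12][::-1] + hexdigits[12:16][::-1]
    tail = "".join(hexdigits[i:i + 2][::-1] for i in range(16, 32, 2))
    return head + tail


def decode_version(packed_version: int) -> str:
    """Installer 'Version' DWORD: major in the high byte, minor next, build in the low word."""
    major = (packed_version >> 24) & 0xFF
    minor = (packed_version >> 16) & 0xFF
    build = packed_version & 0xFFFF
    return f"{major}.{minor}.{build}"


def responder_view(codes: dict) -> dict:
    """Hypothetical helper: where to look and what to run for the unpacked codes."""
    product = unpack_guid(codes["ProductCode"])
    return {
        "product_code": product,
        "upgrade_code": unpack_guid(codes["UpgradeCode"]),
        "package_code": unpack_guid(codes["PackageCode"]),
        "uninstall_key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" + "\\" + product,
        "uninstall_cmd": "msiexec.exe /x " + product + " /qn",
    }


if __name__ == "__main__":
    for name, value in responder_view(REPORT_CODES).items():
        print(f"{name:14} {value}")
    print("version        " + decode_version(67108871))  # Version = "67108871" in the report
```

All three unpacked GUIDs have a 4 in the first position of the third group, i.e. they are version-4 (random) GUIDs, which is the sanity check to apply after unpacking: a wrong byte order usually produces an implausible version nibble.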
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\kingsoft\20241119_34159\WPS_Setup_18608.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| N/A | N/A | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\kingsoft\20241119_34159\WPS_Setup_18608.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| Token: 35 | N/A | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| Token: 35 | N/A | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\kingsoft\20241119_34159\WPS_Setup_18608.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WPS_Setup.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003F0" "000000000000023C"
C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding C1A7CF0327C2292751D0495381E118D9 M Global\MSI0000
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\EnsureOptimizedConsultant','C:\Program Files','C:\Program Files'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe" x "C:\Program Files\EnsureOptimizedConsultant\zWeUWhkooKhmUnJIWTooAiOdyKrhOp" -o"C:\Program Files\EnsureOptimizedConsultant\" -p"52054T.7_jh@;P;zk[{L" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe" x "C:\Program Files\EnsureOptimizedConsultant\TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY" -x!1_mAaRrGrorewO.exe -x!sss -x!1_MqjgbIbFsQecJXwdGMcChDsAdZfOMl.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\EnsureOptimizedConsultant\" -p"19938}{;T;s{QH*a~YQt" -y
C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
"C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe" x "C:\Program Files\EnsureOptimizedConsultant\zWeUWhkooKhmUnJIWTooAiOdyKrhOp" -o"C:\Program Files\EnsureOptimizedConsultant\" -p"52054T.7_jh@;P;zk[{L" -y
C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 2
C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
"C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe" x "C:\Program Files\EnsureOptimizedConsultant\TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY" -x!1_mAaRrGrorewO.exe -x!sss -x!1_MqjgbIbFsQecJXwdGMcChDsAdZfOMl.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\EnsureOptimizedConsultant\" -p"19938}{;T;s{QH*a~YQt" -y
C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe
"C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe" -number 145 -file file3 -mode mode3
C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe
"C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe"
C:\ProgramData\kingsoft\20241119_34159\WPS_Setup_18608.exe
"C:\ProgramData\kingsoft\20241119_34159\WPS_Setup_18608.exe" /ThemeIndex=#ThemeIndex#
C:\ProgramData\kingsoft\20241119_34159\WPS_Setup_18608.exe
"C:\ProgramData\kingsoft\20241119_34159\WPS_Setup_18608.exe" -downpower -ThemeIndex="#ThemeIndex#" -msgwndname=wpssetup_message_F775199 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~f774f39\ -msgsmname=Global\_wpssetup_message_sm_644
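The process list above is the whole staging chain in one place: msiexec installs the MSI, a PowerShell custom action adds Defender path exclusions (note that the list includes all of C:\Program Files, not just the drop directory), cmd.exe drives a renamed extractor whose switches match 7-Zip's command-line syntax (x, -o, -p, -y, -x!) to unpack two password-protected archives with a ping 127.0.0.1 -n 2 pause between them, and the unpacked mAaRrGrorewO.exe starts alongside the bundled WPS_Setup_18608.exe installer. Because the archive passwords travel on the command line, the same parsing that detects the pattern also recovers them for offline extraction of the staged archives. The following is an added example, not code from the report or from the sample: it runs that detection logic over process-creation events constructed from the command lines shown above. The PIDs, parent PIDs and event order are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed process-creation events (field names loosely follow Sysmon Event ID 1).
# Image paths and command lines are copied from the behavioral1 process list; the
# PIDs, parent PIDs and ordering are assumptions made for this example.
EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WPS_Setup.msi"},
    {"pid": 2, "ppid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference '
                r"-ExclusionPath 'C:\Program Files\EnsureOptimizedConsultant','C:\Program Files','C:\Program Files'"},
    {"pid": 3, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe" x "C:\Program Files\EnsureOptimizedConsultant\zWeUWhkooKhmUnJIWTooAiOdyKrhOp" -o"C:\Program Files\EnsureOptimizedConsultant\" -p"52054T.7_jh@;P;zk[{L" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe" x "C:\Program Files\EnsureOptimizedConsultant\TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY" -x!1_mAaRrGrorewO.exe -x!sss -x!1_MqjgbIbFsQecJXwdGMcChDsAdZfOMl.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\EnsureOptimizedConsultant\" -p"19938}{;T;s{QH*a~YQt" -y'},
    {"pid": 4, "ppid": 3, "image": r"C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe",
     "cmdline": r'"C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe" x "C:\Program Files\EnsureOptimizedConsultant\zWeUWhkooKhmUnJIWTooAiOdyKrhOp" -o"C:\Program Files\EnsureOptimizedConsultant\" -p"52054T.7_jh@;P;zk[{L" -y'},
    {"pid": 5, "ppid": 3, "image": r"C:\Windows\system32\PING.EXE", "cmdline": r"ping 127.0.0.1 -n 2"},
    {"pid": 6, "ppid": 3, "image": r"C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe",
     "cmdline": r'"C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe" x "C:\Program Files\EnsureOptimizedConsultant\TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY" -x!1_mAaRrGrorewO.exe -x!sss -x!1_MqjgbIbFsQecJXwdGMcChDsAdZfOMl.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\EnsureOptimizedConsultant\" -p"19938}{;T;s{QH*a~YQt" -y'},
    {"pid": 7, "ppid": 1, "image": r"C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe",
     "cmdline": r'"C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe" -number 145 -file file3 -mode mode3'},
    {"pid": 8, "ppid": 1, "image": r"C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe",
     "cmdline": r'"C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe"'},
    {"pid": 9, "ppid": 8, "image": r"C:\ProgramData\kingsoft\20241119_34159\WPS_Setup_18608.exe",
     "cmdline": r'"C:\ProgramData\kingsoft\20241119_34159\WPS_Setup_18608.exe" /ThemeIndex=#ThemeIndex#'},
]


@dataclass
class Finding:
    rule: str
    pid: int
    image: str
    detail: dict = field(default_factory=dict)


def split_cmdline(cmdline):
    # Split on whitespace outside double quotes and drop the quotes, so a switch
    # written as -o"C:\dir\" becomes the single token -oC:\dir\.  Enough for the
    # switch syntax seen here; it does not implement every CommandLineToArgvW rule.
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


MP_ARGS = re.compile(r"Add-MpPreference\b(?P<args>.*)", re.I | re.S)
MP_EXCL = re.compile(r"-Exclusion(?P<kind>Path|Process|Extension|IpAddress)\s+(?P<val>.*?)(?=\s+-[A-Za-z]|$)", re.I | re.S)
QUOTED = re.compile(r"'([^']*)'|\"([^\"]*)\"")


def defender_exclusions(cmdline):
    # Returns [(kind, value), ...] for plaintext Add-MpPreference calls only.
    # -EncodedCommand or string obfuscation evades this; the Defender Operational
    # log (event 5007, configuration changed) records the result regardless.
    m = MP_ARGS.search(cmdline)
    if not m:
        return []
    out = []
    for e in MP_EXCL.finditer(m.group("args")):
        items = [a or b for a, b in QUOTED.findall(e.group("val"))] or \
                [v.strip() for v in e.group("val").split(",") if v.strip()]
        out.extend((e.group("kind").lower(), i) for i in items)
    return out


def archive_extraction(tokens):
    # 7-Zip style invocation: <tool> x <archive> -o<dir> -p<password> -y -x!<member>.
    # Only fires when a password is supplied; the password is kept for analysis.
    if len(tokens) < 3 or tokens[1].lower() not in ("x", "e"):
        return None
    info = {"tool": tokens[0], "archive": tokens[2], "out_dir": None,
            "password": None, "excluded_members": []}
    for t in tokens[3:]:
        if t.startswith("-x!"):
            info["excluded_members"].append(t[3:])
        elif t.startswith("-o"):
            info["out_dir"] = t[2:]
        elif t.startswith("-p"):
            info["password"] = t[2:]
    return info if info["password"] is not None else None


def loopback_ping_delay(image, tokens):
    # ping to loopback with -n is the classic cmd.exe sleep (Windows default is 4 echoes).
    if not image.lower().endswith("\\ping.exe"):
        return None
    if not any(t in ("127.0.0.1", "localhost", "::1") for t in tokens):
        return None
    count = 4
    if "-n" in tokens:
        i = tokens.index("-n")
        count = int(tokens[i + 1]) if i + 1 < len(tokens) and tokens[i + 1].isdigit() else None
    return {"count": count}


def under(path, directory):
    d = directory.lower().rstrip("\\")
    return path.lower().startswith(d + "\\")


def analyze(events):
    findings, excluded_dirs = [], []
    for ev in events:
        pid, image, cmd = ev["pid"], ev["image"], ev["cmdline"]
        tokens = split_cmdline(cmd)
        excl = defender_exclusions(cmd)
        if excl:
            paths = [v for k, v in excl if k == "path"]
            findings.append(Finding("defender_exclusion_added", pid, image, {"paths": paths, "all": excl}))
            excluded_dirs += paths
        arc = archive_extraction(tokens)
        if arc:
            findings.append(Finding("password_protected_extraction", pid, image, arc))
        ping = loopback_ping_delay(image, tokens)
        if ping:
            findings.append(Finding("loopback_ping_delay", pid, image, ping))
        # Correlation: anything later launched from a directory the same chain just excluded.
        hits = [d for d in excluded_dirs if under(image, d)]
        if hits:
            findings.append(Finding("execution_from_excluded_path", pid, image,
                                    {"matched_dir": max(hits, key=len), "all_dirs": sorted(set(hits))}))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.image}\n    {f.detail}")
```

Running it against the constructed events reports one exclusion event, two password-protected extractions (with both passwords and the six members the second extraction skips), the loopback ping and four executions from the freshly excluded directory. The correlation rule is the one worth keeping: an exclusion for the whole of C:\Program Files means Defender no longer scans anything launched from there, so the rule matches the longest excluded prefix and reports every one.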
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | im.qq.com | udp |
Files
memory/1344-12-0x0000000000480000-0x0000000000490000-memory.dmp
memory/1748-17-0x000000001B6C0000-0x000000001B9A2000-memory.dmp
memory/1748-18-0x0000000001EE0000-0x0000000001EE8000-memory.dmp
C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
| MD5 | c31c4b04558396c6fabab64dcf366534 |
| SHA1 | fa836d92edc577d6a17ded47641ba1938589b09a |
| SHA256 | 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3 |
| SHA512 | 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99 |
C:\Program Files\EnsureOptimizedConsultant\zWeUWhkooKhmUnJIWTooAiOdyKrhOp
| MD5 | a9d9fcb39f3a86aa6017d7a4ea0fea78 |
| SHA1 | c522e597688441cfb094111de26c63a8b4a865ee |
| SHA256 | ba25ac5ca218c633979a2882cde1f2938a1b091ecbd03b69e276d8709b8de39e |
| SHA512 | 30a5ce6a5ade96bd1b224166c4604ab033db76fd42655a537858e9a4820fca02441589b01f017329e0e99b5d1a60b71bf1903481ff9bf20713d8ce3a6c31cf4e |
C:\Program Files\EnsureOptimizedConsultant\TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY
| MD5 | 0ee4778f434c07656a60bef038e2e418 |
| SHA1 | fe37df7dcdcd815748ca391f4793a690d1fe06c5 |
| SHA256 | d5acaa34a51eeabe5bca2c26e80d73f82c9be63cfbbe12d3f87f13b63e84c1f4 |
| SHA512 | d58513fb24938fadb9429c56afc770a04b0a3f8d757e82deaffdb8b5ec7b56bb0d6aa3fdd99a7def37aea3e9ee806c7bdc73e2b46384cd7325b23518fa4b9617 |
C:\Program Files\EnsureOptimizedConsultant\2_mAaRrGrorewO.exe
| MD5 | 0e76fd2dd06b069ed52c2f632ea0a532 |
| SHA1 | 1f7abe1527bd0670346354a71c0d3e25a0c45d09 |
| SHA256 | 262314d5d3d5be46b9c5cf1cbf59945529ae6a0baa0fc17ac81f5b9213488bc9 |
| SHA512 | db7684bbcc29d839e9b9c5ac15221f694d1554973e02182a0bbc22a60287d8b6be83ccfe4e66be62def34eb3a3412bd1632c043984850121751d89d91e8503aa |
C:\Config.Msi\f771f84.rbs
| MD5 | 7d4d125ba7a854072da0960595dfa785 |
| SHA1 | 9742d928c4fb27ee9a76f02302e25ed047883faf |
| SHA256 | 543cec6f3a254aa7840d9774166149246055e4670da9c8cae01a6f3016211234 |
| SHA512 | 922f500d84e05d0f9f7cbf157a61649953202ac3caf1704c0db84fe67d05bffeb2dce8c1c5ebe40c552465ccdfbacb435d6045364c1ef3484bf589e0277de35a |
memory/1732-58-0x000000002B160000-0x000000002B18F000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsj48D4.tmp\v6svc_oem.dll
| MD5 | 500318167948bdd3ad42a40721e1a72b |
| SHA1 | 24134691693e6d78d6eb0a0c64833c12a0090968 |
| SHA256 | d3378ee739debcaee8c715963403d96bf025db98bfbb55e54635429890db85c6 |
| SHA512 | 0a2d3b55528cc53cfce5b47158997300c562afd2c7bb5596532b218d3f482380887ee7c204b13d42425dc0c4cc439a7f9ed167f3767bda7b6e205e7e8f454863 |
\Users\Admin\AppData\Local\Temp\nsj48D4.tmp\System.dll
| MD5 | 0063d48afe5a0cdc02833145667b6641 |
| SHA1 | e7eb614805d183ecb1127c62decb1a6be1b4f7a8 |
| SHA256 | ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7 |
| SHA512 | 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0 |
\Users\Admin\AppData\Local\Temp\nsj48D4.tmp\AccessControl.dll
| MD5 | 28c87a09fdb49060aa4ab558a2832109 |
| SHA1 | 9213a24964cd479eac91d01ad54190f9c11d0c75 |
| SHA256 | 933cadcd3a463484bbb3c45077afda0edbb539dfbe988efad79a88cae63bf95f |
| SHA512 | 413b3afe5a3b139a199f2a6954edc055eee3b312c3dffd568cfdbe1f740f07a7c27fbf7b2a0b6e3c3dd6ee358ce96cc1ca821883f055bf63ddebda854384700d |
C:\ProgramData\kingsoft\20241119_34159\oem.ini
| MD5 | 920068869d99afbee8244a2be1e667dd |
| SHA1 | 4fb5d143480d258cb4afa9d009b303a08fc9122b |
| SHA256 | 53b4432efa05bb55dec931a4641e32a6dccae3fb4730bf66bab2fe58df904d2f |
| SHA512 | 466623f31264a788fbf83589f8d5601ba1797d9df21da04fca5a13ff25678ddc3291d3086fedfbf5829a1eed93a67759af704c51c38c3378202c34e242eae8da |
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
| MD5 | 3a46df397f7c4da3ef772033edeb56de |
| SHA1 | af93c5e223d499ab8b7186595cabd08eb5e84d59 |
| SHA256 | 077eb3908ffc06a40df77d8b6650744f974c471754fb936a8092b4482de1be85 |
| SHA512 | e86c9c66b8fc232f738d67d2ddde84111aafb1c65aa98951654a99b99ebce549e5cdff521fea79da50a70e3ce75a9233798b0209eb6474ac313a8f8c05ad9247 |
memory/1604-187-0x00000000001E0000-0x00000000001E2000-memory.dmp
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
| MD5 | bd3bfcfe9441c0c107d6dad00cbeed4d |
| SHA1 | fe9e18e2b91e49aaa5350313c72d746733609b79 |
| SHA256 | 5a871e4a69b2d19a3a472a4bdc58b561b5528fc30ca5343c75b121a41a803972 |
| SHA512 | 9d0e9467c5076034dd5cef43d84efcafe7905a5bcc4f9a1c4aa75711fc32d61eeab014c6c137f04b7177a02df9d4672283824e47a166d9919650605a3e25927c |
C:\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\product.dat
| MD5 | bb7426885c5f57b6b9405fdc7a94cc65 |
| SHA1 | 0a58a34a41cbea358fd57d278e9b15e669cc28e6 |
| SHA256 | f32133a910d0ab4b64bb7bc33fd5894e1afeb048b83b09336d8b02cd4c7ae118 |
| SHA512 | 3e8d20fc055b9ebbb49439adc69878e2b1c9a11f45400e7155874c031f950e3dc6ece86998366345c85ee98ac091ac319eb2175fd0100e300b9e856d06ef891d |
C:\Users\Admin\AppData\Local\tempinstall.ini
| MD5 | 6a5eea749583001de63b993fc66496ba |
| SHA1 | fd41691ec4751e85be89917d46454f8533800b4e |
| SHA256 | bca613688e735ccd1fae7164550bd8ae90862028cd0bf31534c149ea0d7c9f60 |
| SHA512 | 6a5b9b863bf139c87b5734d6e8310c7231a1015d8eceb15f76ccf7676d36f9107fd5d817a6f04ed47c3ee45be409073c837beee3c079abde5bc38233c98b9712 |
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
| MD5 | 2a00f272afd1daa4be94a42a0bea09b6 |
| SHA1 | 17e07d4f556d4a8e3be42f58aef8da37bc89e77d |
| SHA256 | df7fa43f54acbaafaef758c6bab0e09676b136fb302b2248445544657b1cf159 |
| SHA512 | 86b6763afe3918e6a755afbbb88a61abad2556903c0d4021da63e5cb90629bb8e545fcf35fb36a4f6de7e5a099f511cd42716efd882634b7f5afe9bce338b31d |
C:\Users\Admin\AppData\Local\tempinstall.ini
| MD5 | 5e1b68b67986b1588301c0135f19fc7c |
| SHA1 | 957ea47285f7d903cce7530ee34852435de5b5b4 |
| SHA256 | 23456d8ce681d1a5a31bf06262e088f4feb8d0e8fdc1d37afa4aa02830ffacdc |
| SHA512 | 268ec437c5971552dacca1e9ef6850543614d5a7f05ac34b41bf05f73e97e4c694d59e4f0618a57660ffad4f2faee653b4c0c824f97a6e9fddc48d22c52739af |
\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\office6\ucrtbase.dll
| MD5 | 2040cdcd779bbebad36d36035c675d99 |
| SHA1 | 918bc19f55e656f6d6b1e4713604483eb997ea15 |
| SHA256 | 2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359 |
| SHA512 | 83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f |
\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\office6\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 21519f4d5f1fea53532a0b152910ef8b |
| SHA1 | 7833ac2c20263c8be42f67151f9234eb8e4a5515 |
| SHA256 | 5fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1 |
| SHA512 | 97211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417 |
\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\office6\api-ms-win-core-file-l1-2-0.dll
| MD5 | cd3cec3d65ae62fdf044f720245f29c0 |
| SHA1 | c4643779a0f0f377323503f2db8d2e4d74c738ca |
| SHA256 | 676a6da661e0c02e72bea510f5a48cae71fdc4da0b1b089c24bff87651ec0141 |
| SHA512 | aca1029497c5a9d26ee09810639278eb17b8fd11b15c9017c8b578fced29cef56f172750c4cc2b0d1ebf8683d29e15de52a6951fb23d78712e31ddcb41776b0f |
\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\office6\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | b5c8334a10b191031769d5de01df9459 |
| SHA1 | 83a8fcc777c7e8c42fa4c59ee627baf6cbed1969 |
| SHA256 | 6c27ac0542281649ec8638602fbc24f246424ba550564fc7b290b683f79e712d |
| SHA512 | 59e53c515dfa2cd96182ca6539ed0ea2ebb01f5991beb08166d1fc53576aeaafebbb2c5ee0ccbdab60ae45fc6a048fff0b5e1b8c9c26907791d31fb7e75b1f39 |
\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\office6\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | 86421619dad87870e5f3cc0beb1f7963 |
| SHA1 | 2f0fe3eb94fa90577846d49c03c4fd08ef9d3fb2 |
| SHA256 | 64eccd818f6ffc13f57a2ec5ca358b401ffbb1ca13b0c523d479ef5ee9eb44ab |
| SHA512 | dbce9904dd5a403a5a69e528ee1179cc5faab1361715a29b1a0de0cd33ad3ae9c9d5620dafb161fda86cb27909d001be8955940fd051077ffe6f3ff82357ad31 |
\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\office6\api-ms-win-core-file-l2-1-0.dll
| MD5 | b181124928d8eb7b6caa0c2c759155cb |
| SHA1 | 1aadbbd43eff2df7bab51c6f3bda2eb2623b281a |
| SHA256 | 24ea638dfa9f40e2f395e26e36d308db2ab25ed1baa5c796ac2c560ad4c89d77 |
| SHA512 | 2a43bf4d50d47924374cde689be24799c4e1c132c0bc981f5109952d3322e91dd5a9352b53bb55ca79a6ea92e2c387e87c064b9d8c8f519b77fff973d752dc8f |
\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\office6\kpacketui.dll
| MD5 | 283a731e55f15516cbefe175ced45d26 |
| SHA1 | 59eb1520c7b7f1ca8faa494426d6c9a64c15e145 |
| SHA256 | 9fa73aeb2092080fc29f80f3a1287c1740ed4eb85f883c87be385c846b9b47fe |
| SHA512 | 7dc7da18fe2376780ccc226ee1caf7eddb38edc4540fab8c2e5a9589dcdea3b8218fb483df2e8b5c5df358e484b161292399340f4e1ea06b71464b05b220643b |
\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\office6\Qt5WinExtrasKso.dll
| MD5 | 4df516604e20d8defb35aaf0fb16a2b5 |
| SHA1 | 6b34b3fcb1da882e6adbd78f1aa38bfc4710a098 |
| SHA256 | 4c7efb65779f1b988bfc12623e042338061bd123a89b8171c7db7ace7d416628 |
| SHA512 | cd7d4b005f1ff7fbdfbb15da4ffe5513fcb741b2088fa42560f45b6fe4f3dd97efb78c7a2ec49b0ce8a0dc4a5fe237f4ffc68ea6c8b6a048718876656fb5282d |
\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\office6\Qt5GuiKso.dll
| MD5 | c79bc97c4dc3a9f6beff0d18a0916b15 |
| SHA1 | 3cb0b6ae6fd034ee24511c8ecd91c16d73d2b76a |
| SHA256 | 0c490173ab692710614f42dde8cf643aec26ff4636dc25d778d1444fe90368ea |
| SHA512 | df1475695972a4c17401a4552e43eb249a99c77c3292c42d48a64964bcd10534fa006ab09124acb197b0b27283042afd0e9163953f824507ca2279c04a82d147 |
\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\office6\Qt5CoreKso.dll
| MD5 | e847288468d4daadcb8f5a8bb152e923 |
| SHA1 | 574f7b2d1def9d79c4257c4268246fb399041bf6 |
| SHA256 | dc450ada7d31c9df923803e687c87dda9b9bec5e3f0efef6a30206872c9559a5 |
| SHA512 | b0c939485c7ab200837f8f4eb1da305644457825611a6d829cb6f789e486ef69ef4716f152e487b599f85cddaeb53808e71e3e016b4f7b4c4a71a2506586e133 |
\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\office6\msvcp140.dll
| MD5 | db1e9807b717b91ac6df6262141bd99f |
| SHA1 | f55b0a6b2142c210bbfeebf1bac78134acc383b2 |
| SHA256 | 5a6dfa5e1ffb6c1e7fc76bd121c6c91305e10dd75fc2124f79fee291a9dd9e86 |
| SHA512 | f0621977d20989d21ae14b66c1a7a6c752bfd6d7ccc2c4c4ec1c70ba6756e642fb7f9b1c6a94afadd0f8a05d3c377792e4aa4c1a771d833c40a6f46b90cbe7c3 |
\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\office6\api-ms-win-crt-stdio-l1-1-0.dll
| MD5 | 5765103e1f5412c43295bd752ccaea03 |
| SHA1 | 6913bf1624599e55680a0292e22c89cab559db81 |
| SHA256 | 8f7ace43040fa86e972cc74649d3e643d21e4cad6cb86ba78d4c059ed35d95e4 |
| SHA512 | 5844ac30bc73b7ffba75016abefb8a339e2f2822fc6e1441f33f70b6eb7114f828167dfc34527b0fb5460768c4de7250c655bc56efd8ba03115cd2dd6f6c91c0 |
\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\office6\api-ms-win-crt-utility-l1-1-0.dll
| MD5 | 3dfb82541979a23a9deb5fd4dcfb6b22 |
| SHA1 | 5da1d02b764917b38fdc34f4b41fb9a599105dd9 |
| SHA256 | 0cd6d0ff0ff5ecf973f545e98b68ac6038db5494a8990c3b77b8a95b664b6feb |
| SHA512 | f9a20b3d44d39d941fa131c3a1db37614a2f9b2af7260981a0f72c69f82a5326901f70a56b5f7ad65862630fce59b02f650a132ee7ecfe2e4fc80f694483ca82 |
\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\office6\api-ms-win-crt-math-l1-1-0.dll
| MD5 | 461d5af3277efb5f000b9df826581b80 |
| SHA1 | 935b00c88c2065f98746e2b4353d4369216f1812 |
| SHA256 | f9ce464b89dd8ea1d5e0b852369fe3a8322b4b9860e5ae401c9a3b797aed17bf |
| SHA512 | 229bf31a1de1e84cf238a0dfe0c3a13fee86da94d611fbc8fdb65086dee6a8b1a6ba37c44c5826c3d8cfa120d0fba9e690d31c5b4e73f98c8362b98be1ee9600 |
\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\office6\api-ms-win-crt-environment-l1-1-0.dll
| MD5 | 0979785e3ef8137cdd47c797adcb96e3 |
| SHA1 | 4051c6eb37a4c0dba47b58301e63df76bff347dd |
| SHA256 | d5164aecde4523ffa2dcfd0315b49428ac220013132ad48422a8ea4ca2361257 |
| SHA512 | e369bc53babd327f5d1b9833c0b8d6c7e121072ad81d4ba1fb3e2679f161fb6a9fa2fca0df0bac532fd439beb0d754583582d1dbfeccf2d38cc4f3bdca39b52d |
\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\office6\api-ms-win-crt-time-l1-1-0.dll
| MD5 | d0b6a2caec62f5477e4e36b991563041 |
| SHA1 | 8396e1e02dace6ae4dde33b3e432a3581bc38f5d |
| SHA256 | fd44d833ea40d50981b3151535618eb57b5513ed824a9963251d07abff2baedf |
| SHA512 | 69bd6df96de99e6ab9c12d8a1024d20a034a7db3e2b62e8be7fdbc838c4e9001d2497b04209e07a5365d00366c794c31ee89b133304e475dde5f92fdb7fcb0bc |
\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\office6\api-ms-win-crt-filesystem-l1-1-0.dll
| MD5 | a1b6cebd3d7a8b25b9a9cbc18d03a00c |
| SHA1 | 5516de099c49e0e6d1224286c3dc9b4d7985e913 |
| SHA256 | 162ccf78fa5a4a2ee380f72fbd54d17a73c929a76f6e3659f537fa8f42602362 |
| SHA512 | a322fb09e6faaff0daabb4f0284e4e90ccacff27161dbfd77d39a9a93dbf30069b9d86bf15a07fc2006a55af2c35cd8ea544895c93e2e1697c51f2dafad5a9d7 |
\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\office6\api-ms-win-crt-locale-l1-1-0.dll
| MD5 | 50b721a0c945abe3edca6bcee2a70c6c |
| SHA1 | f35b3157818d4a5af3486b5e2e70bb510ac05eff |
| SHA256 | db495c7c4ad2072d09b2d4506b3a50f04487ad8b27d656685ea3fa5d9653a21d |
| SHA512 | ef2f6d28d01a5bad7c494851077d52f22a11514548c287e513f4820c23f90020a0032e2da16cc170ae80897ae45fc82bffc9d18afb2ae1a7b1da6eef56240840 |
\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\office6\api-ms-win-crt-convert-l1-1-0.dll
| MD5 | 88f89d0f2bd5748ed1af75889e715e6a |
| SHA1 | 8ada489b9ff33530a3fb7161cc07b5b11dfb8909 |
| SHA256 | 02c78781bf6cc5f22a0ecedc3847bfd20bed4065ac028c386d063dc2318c33cc |
| SHA512 | 1f5a00284ca1d6dc6ae2dfce306febfa6d7d71d421583e4ce6890389334c2d98291e98e992b58136f5d1a41590553e3ad42fb362247ae8adf60e33397afbb5df |
\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\office6\api-ms-win-crt-string-l1-1-0.dll
| MD5 | f364190706414020c02cf4d531e0229d |
| SHA1 | 5899230b0d7ad96121c3be0df99235ddd8a47dc6 |
| SHA256 | a797c0d43a52e7c8205397225ac931638d73b567683f38dd803195da9d34eac2 |
| SHA512 | a9c8abbd846ab55942f440e905d1f3864b82257b8daa44c784b1997a060de0c0439ecc25a2193032d4d85191535e9253e435deed23bdf3d3cb48c4209005a02e |
\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\office6\api-ms-win-crt-heap-l1-1-0.dll
| MD5 | a6a9dfb31be2510f6dbfedd476c6d15a |
| SHA1 | cdb6d8bd1fbd1c71d85437cff55ddeb76139dbe7 |
| SHA256 | 150d32b77b2d7f49c8d4f44b64a90d7a0f9df0874a80fc925daf298b038a8e4c |
| SHA512 | b4f0e8fa148fac8a94e04bf4b44f2a26221d943cc399e7f48745ed46e8b58c52d9126110cdf868ebb723423fb0e304983d24fe6608d3757a43ad741bddb3b7ec |
\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\office6\api-ms-win-crt-runtime-l1-1-0.dll
| MD5 | 4f06da894ea013a5e18b8b84a9836d5a |
| SHA1 | 40cf36e07b738aa8bba58bc5587643326ff412a9 |
| SHA256 | 876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732 |
| SHA512 | 1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79 |
\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\office6\vcruntime140.dll
| MD5 | 8fdb26199d64ae926509f5606460f573 |
| SHA1 | 7d7d8849e7c77af3042a6f54bdf2bb303d7cd678 |
| SHA256 | f1fd5f6ec1cfe0cc3b66b5322ac97568bc63b19c1e415b99aad7c69ddbafa33c |
| SHA512 | f56bf11d4259dbf5d4d1f9fc2ad60ff609cddb21278999e9fa55fe5d74552e8a01ddc55cfdc9bf4b09b3e3130a1356142a24a7db8ec5ea19344de617dc9fa99f |
\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\office6\Qt5WidgetsKso.dll
| MD5 | e680d10a2632b3bcc9e87790b11c9fc5 |
| SHA1 | c97b51036952a79e7173e672f59492487902952a |
| SHA256 | ec89fe25ce694fa68c80aab24cef732c0d9d102b35f38b946cdcce517b5ad329 |
| SHA512 | cb6284236c3259bbacc2f90cb6ac059ef9da9d03277df21ac0ec69eb0132271a346477e9305875d4723f6f3327d04fd5f5bb26a9b39d8e8b7c94fea57a83dceb |
\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\office6\qt\plugins\platforms\qwindows.dll
| MD5 | b6a37f22541908b36755c1b2907f4972 |
| SHA1 | 1327b11691fe35918cedfaf35b7c3f2c040f07d0 |
| SHA256 | 915bc4bb230e1a33ddca17faa5d1a5d63b33a1382a425d4c7364301283f9b977 |
| SHA512 | bcace988eae77a67a162aea424920d6ca5ca3b83a4047e450380f67dd6966c47d6b98aeb5b9f05f972f7b4ec39e2ba1cb648997efd62fc82087a24563326b6d3 |
\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll
| MD5 | ce3eb6e3e6d950fb03ed3753baafd6d1 |
| SHA1 | cadd8a045a037a9ce10372b0d1a6907f7c9b93d1 |
| SHA256 | d470ed8b89ef39e86587825e17a0525253a2245c9be125818229d1ece015165c |
| SHA512 | 02b9fc512fb813e1aa9ee51032d0ba4182ab184883022b46f533df119649e8116869e6be6161681f38d79c1949636ba6309786425f2c1ede5b3f7a16e63a8d96 |
\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll
| MD5 | b2555aac6faa3c776c7963538e3d642c |
| SHA1 | 01d7a80ce29872195770b6a76854d4e0e5576325 |
| SHA256 | 894172fcd20aa7bf493cab6599d04102208810be1b080d0ef8422b047cdb3c3f |
| SHA512 | 0571aed245f8d62d387315a27d485b1154a8664e4db96fb54a67eb2c19ccbd547040378240d60d67668867f715da7775bbe86794329b48ae27e6a5f787e63109 |
\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\office6\Qt5SvgKso.dll
| MD5 | d7207f0e20b9ec71399fb9914ffb8278 |
| SHA1 | e862601902fb95f2cd2b79370dc0547cf382ccd5 |
| SHA256 | 6b47184545802c689971608dea86a2e7925b21714db800afd56a5eb40398dcc0 |
| SHA512 | 59afd7add23f80bbe0d3df5be60226b1a80133439b2b6f217a67db1911d3adaba6b360b29f4debf6ed9574619521dc3677248185ad9cc6870488565309f1a3e8 |
\Users\Admin\AppData\Local\Temp\wps\~f774f39\CONTROL\office6\qt\plugins\imageformats\qsvg.dll
| MD5 | 90b1c6c13aa734636f94ac73d295c87a |
| SHA1 | d5a9ab0696de39719bdb9bb71eb35353a8552525 |
| SHA256 | d62301457c3751ccb81d1a069491ef2ead1379b7910bc763f2d17969efea0406 |
| SHA512 | 94a4a35294cb1ce7cf233fa95825b989fc7553a9ff78e23284aa592874fc01816fd765ecb800c030a6f92eac2ba69b1d2aad11600a2caa2afeda22e2d1b1325d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-19 03:39
Reported
2024-11-19 03:44
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Detect PurpleFox Rootkit
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
PurpleFox
Purplefox family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SvwYSxmZIFRH.exe.log | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.xml | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\2_mAaRrGrorewO.exe | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.xml | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\valibclang2d.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant\TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.vbs | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | N/A |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\zWeUWhkooKhmUnJIWTooAiOdyKrhOp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\jwCzMPsbdJgpyNoNqmKFTuHneRpxhY | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant\2_mAaRrGrorewO.exe | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant\jwCzMPsbdJgpyNoNqmKFTuHneRpxhY | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\SourceHash{24338565-DCE3-412B-878C-34B5AB7EF4CD} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI2824.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e582102.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e582100.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e582100.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
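The "Drops file" tables above record which process wrote which file, but only as flat rows. Rebuilding the write graph from them gives the staging order (msiexec drops the extractor and the two archives, the extractor unpacks SvwYSxmZIFRH.exe with its .xml and the mAaRrGrorewO blob, the MSI custom-action host drops mAaRrGrorewO.exe, which in turn writes mAaRrGrorewO.vbs) together with two context clues a practitioner would want: a file created under C:\Windows\system32\config\systemprofile means its writer ran as LocalSystem, and a CLR_v4.0\UsageLogs\<name>.exe.log entry means that executable is .NET code. The added example below is not part of the report; it parses rows copied from those tables and derives both. The observation that SvwYSxmZIFRH.exe, SvwYSxmZIFRH.xml and SvwYSxmZIFRH.wrapper.log follow the file layout of the WinSW service wrapper is an inference added here, not something the report states.

```python
import re
from collections import defaultdict

# Rows copied from the behavioral2 "Drops file" tables (constructed input for this
# example; the full report carries more rows than are reproduced here).
ROWS = r"""
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SvwYSxmZIFRH.exe.log | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe | N/A |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\2_mAaRrGrorewO.exe | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.xml | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\valibclang2d.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.vbs | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\zWeUWhkooKhmUnJIWTooAiOdyKrhOp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\jwCzMPsbdJgpyNoNqmKFTuHneRpxhY | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| File created | C:\Windows\Installer\e582102.msi | C:\Windows\system32\msiexec.exe | N/A |
"""

SYSTEMPROFILE = "c:\\windows\\system32\\config\\systemprofile\\"
CLR_USAGELOG = re.compile(r"\\CLR_v\d+\.\d+\\UsageLogs\\([^\\]+)\.log$", re.I)


def norm(path):
    # NTFS paths are case-insensitive; the tables spell msiexec.exe two ways.
    return path.lower()


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 3:
            rows.append((cells[0], cells[1], cells[2]))   # (action, path, writer)
    return rows


def build_drop_graph(rows):
    # dropped_by: file -> process that created it.  Keyed on image path, not PID,
    # so the MSI service and its "-Embedding" custom-action host (same msiexec.exe
    # path) collapse into one node.
    dropped_by, touched_by, display = {}, defaultdict(set), {}
    for action, path, proc in rows:
        display.setdefault(norm(path), path)
        display.setdefault(norm(proc), proc)
        if action == "File created":
            dropped_by.setdefault(norm(path), norm(proc))
        else:
            touched_by[norm(path)].add(norm(proc))
    return dropped_by, touched_by, display


def lineage(dropped_by, path):
    # Walk creator links back to a process the tables never show being dropped.
    chain, node, seen = [norm(path)], dropped_by.get(norm(path)), set()
    while node and node not in seen:
        seen.add(node)
        chain.append(node)
        node = dropped_by.get(node)
    return chain[::-1]   # root writer first


def render_tree(dropped_by, display):
    children = defaultdict(list)
    for path, writer in dropped_by.items():
        children[writer].append(path)
    lines = []

    def walk(node, depth):
        lines.append("  " * depth + display.get(node, node))
        for child in sorted(children.get(node, ())):
            walk(child, depth + 1)

    for root in sorted(w for w in children if w not in dropped_by):
        walk(root, 0)
    return lines


def writer_context(rows):
    # A file written under the LocalSystem profile means the writer ran as SYSTEM;
    # a CLR UsageLogs entry names a managed (.NET) executable that was run.
    hints = defaultdict(set)
    for _, path, proc in rows:
        if norm(path).startswith(SYSTEMPROFILE):
            hints[norm(proc)].add("wrote into LocalSystem profile (ran as SYSTEM)")
        m = CLR_USAGELOG.search(path)
        if m:
            hints[norm(proc)].add(".NET executable (CLR usage log for %s)" % m.group(1))
    return dict(hints)


def service_wrapper_layout(rows):
    # <name>.exe beside <name>.xml and <name>.wrapper.log is the file layout used by
    # the WinSW service wrapper; flagging it is an inference, not a report finding.
    paths = {norm(p) for _, p, _ in rows}
    return sorted(p for p in paths if p.endswith(".exe")
                  and p[:-4] + ".xml" in paths and p[:-4] + ".wrapper.log" in paths)


if __name__ == "__main__":
    rows = parse_rows(ROWS)
    dropped_by, _, display = build_drop_graph(rows)
    print("\n".join(render_tree(dropped_by, display)))
    for proc, hs in writer_context(rows).items():
        print(display[proc], "->", "; ".join(sorted(hs)))
    print("service-wrapper layout:", service_wrapper_layout(rows))
```

The tree has a single root, msiexec.exe, with the extractor, the two archives, the DLL and the WPS installer one level down and SvwYSxmZIFRH.exe two levels down; the lineage of the CLR usage log runs msiexec, extractor, SvwYSxmZIFRH.exe, log, which is the path an incident responder would follow back from the SYSTEM-level artifact to the installer.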
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| N/A | N/A | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| N/A | N/A | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | N/A |
| N/A | N/A | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe | N/A |
| N/A | N/A | C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe | N/A |
| N/A | N/A | C:\ProgramData\kingsoft\20241119_34201\WPS_Setup_18608.exe | N/A |
| N/A | N/A | C:\ProgramData\kingsoft\20241119_34201\WPS_Setup_18608.exe | N/A |
| N/A | N/A | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe | N/A |
| N/A | N/A | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe | N/A |
| N/A | N/A | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | N/A |
| N/A | N/A | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\kingsoft\20241119_34201\WPS_Setup_18608.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\kingsoft\20241119_34201\WPS_Setup_18608.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\ProgramData\kingsoft\20241119_34201\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common | C:\ProgramData\kingsoft\20241119_34201\WPS_Setup_18608.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common\errorReport = "https://dpr.wps.cn/errorReport/up" | C:\ProgramData\kingsoft\20241119_34201\WPS_Setup_18608.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\kingsoft | C:\ProgramData\kingsoft\20241119_34201\WPS_Setup_18608.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common\reportAllInfoToDataWarehouse = "0" | C:\ProgramData\kingsoft\20241119_34201\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common\FirstInstallTime = "2024-11-19 03:42:05" | C:\ProgramData\kingsoft\20241119_34201\WPS_Setup_18608.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common\FirstInstall = "1" | C:\ProgramData\kingsoft\20241119_34201\WPS_Setup_18608.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common\disableGlobalInfoCollect = "0" | C:\ProgramData\kingsoft\20241119_34201\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WScript.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0\Common | C:\ProgramData\kingsoft\20241119_34201\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office | C:\ProgramData\kingsoft\20241119_34201\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\kingsoft\Office\6.0 | C:\ProgramData\kingsoft\20241119_34201\WPS_Setup_18608.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\ProductName = "EnsureOptimizedConsultant" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C13DFF0E8CA66BE4DA7108E8B877C369\565833423ECDB21478C8435BBAE74FDC | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\PackageName = "WPS_Setup.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\565833423ECDB21478C8435BBAE74FDC\ProductFeature | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\PackageCode = "17A50817543FBC240997BC3912996FE2" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\Version = "67108871" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C13DFF0E8CA66BE4DA7108E8B877C369 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\565833423ECDB21478C8435BBAE74FDC | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\565833423ECDB21478C8435BBAE74FDC\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\kingsoft\20241119_34201\WPS_Setup_18608.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\kingsoft\20241119_34201\WPS_Setup_18608.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| Token: 35 (unresolved privilege LUID; 35 is SeCreateSymbolicLinkPrivilege) | N/A | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| Token: 35 (unresolved privilege LUID; 35 is SeCreateSymbolicLinkPrivilege) | N/A | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\kingsoft\20241119_34201\WPS_Setup_18608.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WPS_Setup.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 81E6F73C18EF353E13D5732E40E5C9D1 E Global\MSI0000
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\EnsureOptimizedConsultant','C:\Program Files','C:\Program Files'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe" x "C:\Program Files\EnsureOptimizedConsultant\zWeUWhkooKhmUnJIWTooAiOdyKrhOp" -o"C:\Program Files\EnsureOptimizedConsultant\" -p"52054T.7_jh@;P;zk[{L" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe" x "C:\Program Files\EnsureOptimizedConsultant\TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY" -x!1_mAaRrGrorewO.exe -x!sss -x!1_MqjgbIbFsQecJXwdGMcChDsAdZfOMl.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\EnsureOptimizedConsultant\" -p"19938}{;T;s{QH*a~YQt" -y
C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
"C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe" x "C:\Program Files\EnsureOptimizedConsultant\zWeUWhkooKhmUnJIWTooAiOdyKrhOp" -o"C:\Program Files\EnsureOptimizedConsultant\" -p"52054T.7_jh@;P;zk[{L" -y
C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 2
C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
"C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe" x "C:\Program Files\EnsureOptimizedConsultant\TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY" -x!1_mAaRrGrorewO.exe -x!sss -x!1_MqjgbIbFsQecJXwdGMcChDsAdZfOMl.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\EnsureOptimizedConsultant\" -p"19938}{;T;s{QH*a~YQt" -y
C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe
"C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe" -number 145 -file file3 -mode mode3
C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe
"C:\Program Files\EnsureOptimizedConsultant\WPS_Setup_18608.exe"
C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.vbs"
C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe
"C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe" install
C:\ProgramData\kingsoft\20241119_34201\WPS_Setup_18608.exe
"C:\ProgramData\kingsoft\20241119_34201\WPS_Setup_18608.exe" /ThemeIndex=#ThemeIndex#
C:\ProgramData\kingsoft\20241119_34201\WPS_Setup_18608.exe
"C:\ProgramData\kingsoft\20241119_34201\WPS_Setup_18608.exe" -downpower -ThemeIndex="#ThemeIndex#" -msgwndname=wpssetup_message_E585CC1 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\ -msgsmname=Global\_wpssetup_message_sm_139C
C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe
"C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe" start
C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe
"C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe"
C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe
"C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe" -number 240 -file file3 -mode mode3
C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe
"C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe" -number 62 -file file3 -mode mode3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | im.qq.com | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fgfdg5631gfd.icu | udp |
| HK | 38.47.221.103:80 | fgfdg5631gfd.icu | tcp |
| HK | 103.94.77.45:10200 | | tcp |
| US | 8.8.8.8:53 | 103.221.47.38.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qweaq.cyou | udp |
| US | 148.178.21.107:29390 | qweaq.cyou | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| HK | 103.94.77.53:10200 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qweaq.shop | udp |
| US | 148.178.21.107:29390 | qweaq.shop | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| HK | 103.94.77.45:10200 | | tcp |
| US | 8.8.8.8:53 | qweaq.cyou | udp |
| US | 148.178.21.107:29390 | qweaq.cyou | tcp |
| US | 8.8.8.8:53 | 45.77.94.103.in-addr.arpa | udp |
| US | 148.178.21.107:29390 | qweaq.cyou | tcp |
| US | 148.178.21.107:29390 | qweaq.cyou | tcp |
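Most rows in the Network table are resolver traffic to 8.8.8.8, and many of those are PTR (in-addr.arpa) lookups rather than forward queries. Two of the PTR names reverse to the very addresses the sample connects to (103.221.47.38.in-addr.arpa is 38.47.221.103, 45.77.94.103.in-addr.arpa is 103.94.77.45), which is easy to miss reading the table by eye. The following is an added example, not part of the sandbox report: it parses a copy of the table rows (constructed test input, a subset of the rows above), separates direct connections from DNS traffic, reverses the PTR names, and reports the overlap. It accepts both the layout the report renders for the 103.94.77.x rows (protocol shifted into the Domain column) and the corrected layout; the classification rules are mine.

```python
"""Connection IOCs and PTR cross-references from the Network table.

Added example, not part of the sandbox report. Rows below are copied from the
table as constructed test input; the parsing and classification are mine.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Set

NETWORK_TABLE = """\
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | im.qq.com | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fgfdg5631gfd.icu | udp |
| HK | 38.47.221.103:80 | fgfdg5631gfd.icu | tcp |
| HK | 103.94.77.45:10200 | tcp | |
| US | 8.8.8.8:53 | 103.221.47.38.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qweaq.cyou | udp |
| US | 148.178.21.107:29390 | qweaq.cyou | tcp |
| HK | 103.94.77.53:10200 | | tcp |
| US | 8.8.8.8:53 | qweaq.shop | udp |
| US | 148.178.21.107:29390 | qweaq.shop | tcp |
| HK | 103.94.77.45:10200 | tcp | |
| US | 8.8.8.8:53 | 45.77.94.103.in-addr.arpa | udp |
| US | 148.178.21.107:29390 | qweaq.cyou | tcp |
"""


class Row(NamedTuple):
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_rows(table: str) -> List[Row]:
    """Parse '| Country | ip:port | Domain | Proto |' rows; tolerate a proto shifted into Domain."""
    rows: List[Row] = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        if domain.lower() in ("tcp", "udp") and not proto:
            domain, proto = "", domain  # report rendered '| tcp | |' for some rows
        ip, port = dest.rsplit(":", 1)
        rows.append(Row(country, ip, int(port), domain, proto.lower()))
    return rows


def ptr_to_ip(name: str) -> Optional[str]:
    """'103.221.47.38.in-addr.arpa' -> '38.47.221.103'; None for anything that is not a v4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    ip = ".".join(reversed(octets))
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return ip


def is_resolver_traffic(row: Row) -> bool:
    return row.proto == "udp" and row.port == 53


def connections(rows: List[Row]) -> Dict[str, Set[str]]:
    """Direct contacts keyed 'ip:port'; the value is the set of domains seen resolving to it."""
    out: Dict[str, Set[str]] = {}
    for r in rows:
        if is_resolver_traffic(r):
            continue
        key = f"{r.ip}:{r.port}"
        out.setdefault(key, set())
        if r.domain:
            out[key].add(r.domain)
    return out


def forward_queries(rows: List[Row]) -> Set[str]:
    """Names the sample resolved, excluding PTR lookups."""
    return {r.domain for r in rows if is_resolver_traffic(r) and r.domain and ptr_to_ip(r.domain) is None}


def ptr_lookups(rows: List[Row]) -> Set[str]:
    """Addresses the sample reverse-resolved."""
    return {ip for r in rows if is_resolver_traffic(r) for ip in [ptr_to_ip(r.domain)] if ip}


def self_resolved_contacts(rows: List[Row]) -> Set[str]:
    """Addresses that were both connected to and reverse-resolved: the sample checking its own infrastructure."""
    contacted = {key.rsplit(":", 1)[0] for key in connections(rows)}
    return contacted & ptr_lookups(rows)


if __name__ == "__main__":
    rows = parse_rows(NETWORK_TABLE)
    print("connections:", connections(rows))
    print("forward queries:", sorted(forward_queries(rows)))
    print("connected and reverse-resolved:", sorted(self_resolved_contacts(rows)))
```

The remaining PTR targets (52.183.220.149, 172.202.163.200 and the others in the full table) are not contacted by the sample in this run, so the example reports them only as lookups; do not read them as infrastructure without further evidence.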
Files
\??\Volume{625ed6c4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3226c864-8865-4436-ac46-2a46405fd880}_OnDiskSnapshotProp
| MD5 | 3d463c4e75bc18e6fef6346c53bd5690 |
| SHA1 | 2afde20b19c8a07e277f8145de223a729909cec5 |
| SHA256 | 6d02c5b69cb4f6b6f0ab22347baef5dc52ff9c7fec29ced4b6606bbd5fb2f5d0 |
| SHA512 | 85b0b35a5b390565844ad0e9c7caaa5323094b85f9c8ddf383b631ab15f110f73439ca11798e3864ac88b65eda1632af4d91e7d2fd29534f9af2d2da560afbc3 |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | 56b97b91dd4ddeace44be17178180051 |
| SHA1 | 1f4f1032967e7398bb8bffa882f3f00502a745ee |
| SHA256 | cb17d849b86d7b1e960701700c43cef7750059a88d25570c8b9ed8c78db3e1e7 |
| SHA512 | c73b4c5b615b46eb44fb55eec3c018dbd1ef9eedf6afe9ab99c01153857b53a4940aa73d3cbcc1b30107f19e7545dede2abbf57b428d83cec8a44923a7dba72b |
memory/4656-23-0x000002D3E71D0000-0x000002D3E71F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oxlqlm05.npc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Program Files\EnsureOptimizedConsultant\BpNJmqNJxEWPzfVjvwRThUSXmSpGtI.exe
| MD5 | c31c4b04558396c6fabab64dcf366534 |
| SHA1 | fa836d92edc577d6a17ded47641ba1938589b09a |
| SHA256 | 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3 |
| SHA512 | 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99 |
C:\Program Files\EnsureOptimizedConsultant\zWeUWhkooKhmUnJIWTooAiOdyKrhOp
| MD5 | a9d9fcb39f3a86aa6017d7a4ea0fea78 |
| SHA1 | c522e597688441cfb094111de26c63a8b4a865ee |
| SHA256 | ba25ac5ca218c633979a2882cde1f2938a1b091ecbd03b69e276d8709b8de39e |
| SHA512 | 30a5ce6a5ade96bd1b224166c4604ab033db76fd42655a537858e9a4820fca02441589b01f017329e0e99b5d1a60b71bf1903481ff9bf20713d8ce3a6c31cf4e |
C:\Program Files\EnsureOptimizedConsultant\TDhUCYdxbhdDMjGbyfoMBWbhjHHfRY
| MD5 | 0ee4778f434c07656a60bef038e2e418 |
| SHA1 | fe37df7dcdcd815748ca391f4793a690d1fe06c5 |
| SHA256 | d5acaa34a51eeabe5bca2c26e80d73f82c9be63cfbbe12d3f87f13b63e84c1f4 |
| SHA512 | d58513fb24938fadb9429c56afc770a04b0a3f8d757e82deaffdb8b5ec7b56bb0d6aa3fdd99a7def37aea3e9ee806c7bdc73e2b46384cd7325b23518fa4b9617 |
C:\Program Files\EnsureOptimizedConsultant\2_mAaRrGrorewO.exe
| MD5 | 0e76fd2dd06b069ed52c2f632ea0a532 |
| SHA1 | 1f7abe1527bd0670346354a71c0d3e25a0c45d09 |
| SHA256 | 262314d5d3d5be46b9c5cf1cbf59945529ae6a0baa0fc17ac81f5b9213488bc9 |
| SHA512 | db7684bbcc29d839e9b9c5ac15221f694d1554973e02182a0bbc22a60287d8b6be83ccfe4e66be62def34eb3a3412bd1632c043984850121751d89d91e8503aa |
memory/1892-56-0x000000002A100000-0x000000002A12F000-memory.dmp
C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe
| MD5 | d305d506c0095df8af223ac7d91ca327 |
| SHA1 | 679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a |
| SHA256 | 923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66 |
| SHA512 | 94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796 |
C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.vbs
| MD5 | 52009f48e9e0b20f57bad46cbcb394cf |
| SHA1 | add56fb60a485bd2e8e51e92dad44c06f6404858 |
| SHA256 | 8640976c703cb5f3177959424c3d3049fab696a8fe1f637539fc0e96bbb712c9 |
| SHA512 | 2c602469c0db4a52e452e764aa2bd4f502d18d2b76ed6e28850aa61d021f34080653407b8e3c26e6b310f3cbed378ed320d31a2037aca434339278618b2209e4 |
memory/4720-61-0x0000000000780000-0x0000000000856000-memory.dmp
C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.xml
| MD5 | c2189f6129d04a0275ed701467e9fbb9 |
| SHA1 | 9a9aacef971c83513ade58d3a5db57a1025f70fa |
| SHA256 | 8ab41dfc1b0feb2211b16637a1abdb9dc34bce0dc0e6c6aa99aefc5ebf8db30f |
| SHA512 | 5d2581e37fb3c35bf8b7217ee46cb949620c9a077606b2cd1536fcf47be9680966c3268ceeefe8668e727a8d269027fe2b02f12a402ac17fa63bb7df6a290cd0 |
C:\Config.Msi\e582101.rbs
| MD5 | d7b7c12c520a36fa214c4ebc9f0f3658 |
| SHA1 | 655dc0961204e88c97fb12fdc2703482a8482feb |
| SHA256 | 9f728e22210e3c4bf99cb909f38bc0571033245bb7fc4e98cbd76a8634b0af8a |
| SHA512 | fd5d71e48d703554b54d9f9d73463b4ef3dc28b8064c1319da76afafcde7272fed9ddf8e4f9a826aa6c059f141d11d05dc549838a684207d53c1afacd5421ee5 |
C:\Users\Admin\AppData\Local\Temp\nsf51B6.tmp\v6svc_oem.dll
| MD5 | 500318167948bdd3ad42a40721e1a72b |
| SHA1 | 24134691693e6d78d6eb0a0c64833c12a0090968 |
| SHA256 | d3378ee739debcaee8c715963403d96bf025db98bfbb55e54635429890db85c6 |
| SHA512 | 0a2d3b55528cc53cfce5b47158997300c562afd2c7bb5596532b218d3f482380887ee7c204b13d42425dc0c4cc439a7f9ed167f3767bda7b6e205e7e8f454863 |
C:\Users\Admin\AppData\Local\Temp\nsf51B6.tmp\System.dll
| MD5 | 0063d48afe5a0cdc02833145667b6641 |
| SHA1 | e7eb614805d183ecb1127c62decb1a6be1b4f7a8 |
| SHA256 | ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7 |
| SHA512 | 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0 |
C:\Users\Admin\AppData\Local\Temp\nsf51B6.tmp\AccessControl.dll
| MD5 | 28c87a09fdb49060aa4ab558a2832109 |
| SHA1 | 9213a24964cd479eac91d01ad54190f9c11d0c75 |
| SHA256 | 933cadcd3a463484bbb3c45077afda0edbb539dfbe988efad79a88cae63bf95f |
| SHA512 | 413b3afe5a3b139a199f2a6954edc055eee3b312c3dffd568cfdbe1f740f07a7c27fbf7b2a0b6e3c3dd6ee358ce96cc1ca821883f055bf63ddebda854384700d |
C:\ProgramData\kingsoft\20241119_34201\oem.ini
| MD5 | 920068869d99afbee8244a2be1e667dd |
| SHA1 | 4fb5d143480d258cb4afa9d009b303a08fc9122b |
| SHA256 | 53b4432efa05bb55dec931a4641e32a6dccae3fb4730bf66bab2fe58df904d2f |
| SHA512 | 466623f31264a788fbf83589f8d5601ba1797d9df21da04fca5a13ff25678ddc3291d3086fedfbf5829a1eed93a67759af704c51c38c3378202c34e242eae8da |
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
| MD5 | 789f787dd829bfd00c929a4afa6c5209 |
| SHA1 | a06b7f2c8c1f3e4d31369ab149ce30994f796e65 |
| SHA256 | e65fa6b847d07b3f3bd34a90877c1eb8d7c79ba3d49301431c2fdcc724b61860 |
| SHA512 | e1502a4ee6c8144b8c4e10f545ed12ce0a7f78580f9da91d54f659f8b8e8437721b2db52f5c2be43c4d72d2fbff515155a5af52a5cc0422deb5a7bd296929307 |
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
| MD5 | 6f4182ba632eb0c24b19202d18b91df1 |
| SHA1 | 8b6f3f7324f0b714f7a4910996b4c8385c91eb97 |
| SHA256 | 86f40302a911d789ad5731b0efc1f941bb9ae2d4bda9b74961b41325a447f229 |
| SHA512 | 165745087967ec254276088041cac9a575aaffc418c4aad7d0d2d9feaf425d1e7370874404c8e70be9a70f81cf242b509162f8c68a28b5e8a68eadd2f9f6cc5a |
C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\CONTROL\product.dat
| MD5 | bb7426885c5f57b6b9405fdc7a94cc65 |
| SHA1 | 0a58a34a41cbea358fd57d278e9b15e669cc28e6 |
| SHA256 | f32133a910d0ab4b64bb7bc33fd5894e1afeb048b83b09336d8b02cd4c7ae118 |
| SHA512 | 3e8d20fc055b9ebbb49439adc69878e2b1c9a11f45400e7155874c031f950e3dc6ece86998366345c85ee98ac091ac319eb2175fd0100e300b9e856d06ef891d |
C:\Users\Admin\AppData\Local\tempinstall.ini
| MD5 | 6a5eea749583001de63b993fc66496ba |
| SHA1 | fd41691ec4751e85be89917d46454f8533800b4e |
| SHA256 | bca613688e735ccd1fae7164550bd8ae90862028cd0bf31534c149ea0d7c9f60 |
| SHA512 | 6a5b9b863bf139c87b5734d6e8310c7231a1015d8eceb15f76ccf7676d36f9107fd5d817a6f04ed47c3ee45be409073c837beee3c079abde5bc38233c98b9712 |
C:\Users\Admin\AppData\Local\tempinstall.ini
| MD5 | 5e1b68b67986b1588301c0135f19fc7c |
| SHA1 | 957ea47285f7d903cce7530ee34852435de5b5b4 |
| SHA256 | 23456d8ce681d1a5a31bf06262e088f4feb8d0e8fdc1d37afa4aa02830ffacdc |
| SHA512 | 268ec437c5971552dacca1e9ef6850543614d5a7f05ac34b41bf05f73e97e4c694d59e4f0618a57660ffad4f2faee653b4c0c824f97a6e9fddc48d22c52739af |
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
| MD5 | 71389956ef3ac924806acce229376a5f |
| SHA1 | e18eea7ca506d0c9918f215f53a2eb5ee758d916 |
| SHA256 | 35295da14d36e2d0d54d6910743a81786eb6a8b3e2e29c270be8ebaf607b773f |
| SHA512 | 811aa9ece4a9e73c82f4056efe03b86e12d02d4959c8cdd6ec83d8f408dfaefa06ecc9d813a9fb294aa428e4fbe63a48dad33f219c904fb44a047bd856ce2dc1 |
C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\CONTROL\office6\ucrtbase.dll
| MD5 | 2040cdcd779bbebad36d36035c675d99 |
| SHA1 | 918bc19f55e656f6d6b1e4713604483eb997ea15 |
| SHA256 | 2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359 |
| SHA512 | 83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f |
C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\CONTROL\office6\kpacketui.dll
| MD5 | 283a731e55f15516cbefe175ced45d26 |
| SHA1 | 59eb1520c7b7f1ca8faa494426d6c9a64c15e145 |
| SHA256 | 9fa73aeb2092080fc29f80f3a1287c1740ed4eb85f883c87be385c846b9b47fe |
| SHA512 | 7dc7da18fe2376780ccc226ee1caf7eddb38edc4540fab8c2e5a9589dcdea3b8218fb483df2e8b5c5df358e484b161292399340f4e1ea06b71464b05b220643b |
C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\CONTROL\office6\Qt5CoreKso.dll
| MD5 | e847288468d4daadcb8f5a8bb152e923 |
| SHA1 | 574f7b2d1def9d79c4257c4268246fb399041bf6 |
| SHA256 | dc450ada7d31c9df923803e687c87dda9b9bec5e3f0efef6a30206872c9559a5 |
| SHA512 | b0c939485c7ab200837f8f4eb1da305644457825611a6d829cb6f789e486ef69ef4716f152e487b599f85cddaeb53808e71e3e016b4f7b4c4a71a2506586e133 |
C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\CONTROL\office6\msvcp140.dll
| MD5 | db1e9807b717b91ac6df6262141bd99f |
| SHA1 | f55b0a6b2142c210bbfeebf1bac78134acc383b2 |
| SHA256 | 5a6dfa5e1ffb6c1e7fc76bd121c6c91305e10dd75fc2124f79fee291a9dd9e86 |
| SHA512 | f0621977d20989d21ae14b66c1a7a6c752bfd6d7ccc2c4c4ec1c70ba6756e642fb7f9b1c6a94afadd0f8a05d3c377792e4aa4c1a771d833c40a6f46b90cbe7c3 |
C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\CONTROL\office6\vcruntime140.dll
| MD5 | 8fdb26199d64ae926509f5606460f573 |
| SHA1 | 7d7d8849e7c77af3042a6f54bdf2bb303d7cd678 |
| SHA256 | f1fd5f6ec1cfe0cc3b66b5322ac97568bc63b19c1e415b99aad7c69ddbafa33c |
| SHA512 | f56bf11d4259dbf5d4d1f9fc2ad60ff609cddb21278999e9fa55fe5d74552e8a01ddc55cfdc9bf4b09b3e3130a1356142a24a7db8ec5ea19344de617dc9fa99f |
C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\CONTROL\office6\Qt5WidgetsKso.dll
| MD5 | e680d10a2632b3bcc9e87790b11c9fc5 |
| SHA1 | c97b51036952a79e7173e672f59492487902952a |
| SHA256 | ec89fe25ce694fa68c80aab24cef732c0d9d102b35f38b946cdcce517b5ad329 |
| SHA512 | cb6284236c3259bbacc2f90cb6ac059ef9da9d03277df21ac0ec69eb0132271a346477e9305875d4723f6f3327d04fd5f5bb26a9b39d8e8b7c94fea57a83dceb |
C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\CONTROL\office6\Qt5WinExtrasKso.dll
| MD5 | 4df516604e20d8defb35aaf0fb16a2b5 |
| SHA1 | 6b34b3fcb1da882e6adbd78f1aa38bfc4710a098 |
| SHA256 | 4c7efb65779f1b988bfc12623e042338061bd123a89b8171c7db7ace7d416628 |
| SHA512 | cd7d4b005f1ff7fbdfbb15da4ffe5513fcb741b2088fa42560f45b6fe4f3dd97efb78c7a2ec49b0ce8a0dc4a5fe237f4ffc68ea6c8b6a048718876656fb5282d |
C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\CONTROL\office6\Qt5GuiKso.dll
| MD5 | c79bc97c4dc3a9f6beff0d18a0916b15 |
| SHA1 | 3cb0b6ae6fd034ee24511c8ecd91c16d73d2b76a |
| SHA256 | 0c490173ab692710614f42dde8cf643aec26ff4636dc25d778d1444fe90368ea |
| SHA512 | df1475695972a4c17401a4552e43eb249a99c77c3292c42d48a64964bcd10534fa006ab09124acb197b0b27283042afd0e9163953f824507ca2279c04a82d147 |
C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\CONTROL\office6\qt\plugins\platforms\qwindows.dll
| MD5 | b6a37f22541908b36755c1b2907f4972 |
| SHA1 | 1327b11691fe35918cedfaf35b7c3f2c040f07d0 |
| SHA256 | 915bc4bb230e1a33ddca17faa5d1a5d63b33a1382a425d4c7364301283f9b977 |
| SHA512 | bcace988eae77a67a162aea424920d6ca5ca3b83a4047e450380f67dd6966c47d6b98aeb5b9f05f972f7b4ec39e2ba1cb648997efd62fc82087a24563326b6d3 |
C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll
| MD5 | ce3eb6e3e6d950fb03ed3753baafd6d1 |
| SHA1 | cadd8a045a037a9ce10372b0d1a6907f7c9b93d1 |
| SHA256 | d470ed8b89ef39e86587825e17a0525253a2245c9be125818229d1ece015165c |
| SHA512 | 02b9fc512fb813e1aa9ee51032d0ba4182ab184883022b46f533df119649e8116869e6be6161681f38d79c1949636ba6309786425f2c1ede5b3f7a16e63a8d96 |
C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\CONTROL\office6\Qt5SvgKso.dll
| MD5 | d7207f0e20b9ec71399fb9914ffb8278 |
| SHA1 | e862601902fb95f2cd2b79370dc0547cf382ccd5 |
| SHA256 | 6b47184545802c689971608dea86a2e7925b21714db800afd56a5eb40398dcc0 |
| SHA512 | 59afd7add23f80bbe0d3df5be60226b1a80133439b2b6f217a67db1911d3adaba6b360b29f4debf6ed9574619521dc3677248185ad9cc6870488565309f1a3e8 |
C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll
| MD5 | b2555aac6faa3c776c7963538e3d642c |
| SHA1 | 01d7a80ce29872195770b6a76854d4e0e5576325 |
| SHA256 | 894172fcd20aa7bf493cab6599d04102208810be1b080d0ef8422b047cdb3c3f |
| SHA512 | 0571aed245f8d62d387315a27d485b1154a8664e4db96fb54a67eb2c19ccbd547040378240d60d67668867f715da7775bbe86794329b48ae27e6a5f787e63109 |
C:\Users\Admin\AppData\Local\Temp\wps\~e585a9e\CONTROL\office6\qt\plugins\imageformats\qsvg.dll
| MD5 | 90b1c6c13aa734636f94ac73d295c87a |
| SHA1 | d5a9ab0696de39719bdb9bb71eb35353a8552525 |
| SHA256 | d62301457c3751ccb81d1a069491ef2ead1379b7910bc763f2d17969efea0406 |
| SHA512 | 94a4a35294cb1ce7cf233fa95825b989fc7553a9ff78e23284aa592874fc01816fd765ecb800c030a6f92eac2ba69b1d2aad11600a2caa2afeda22e2d1b1325d |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SvwYSxmZIFRH.exe.log
| MD5 | 122cf3c4f3452a55a92edee78316e071 |
| SHA1 | f2caa36d483076c92d17224cf92e260516b3cbbf |
| SHA256 | 42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0 |
| SHA512 | c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c |
C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log
| MD5 | cdbc8d421c431158b7a31131f2a73044 |
| SHA1 | d4f82e6afee57dfd35106bb552ed38cb54d96650 |
| SHA256 | 21a2169eda1579dbd68c1127ad0bec67628857bc87f5d16b67fc385f76ae549f |
| SHA512 | facc0b4fa8bfd61ffe5278b7a9931e973d9905d17ced16dbbbc0854f2af1f157de9553994347b9825776204b4737ea7d8168323b58d0aa28c7c45ee06614977a |
C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log
| MD5 | 6322e63fbe310f4d2fbebb6b4b4df4f0 |
| SHA1 | d688b538b8d52f2b9285e825ad753f648f496a9a |
| SHA256 | 9e8a5728addb95bc6d959b0d9859510951f6ceafb66056537634c3bf418fa513 |
| SHA512 | 6b010ca1db8ba77c043c3f4256620dde6e11f490bb28976fddf7fbca23bc34d260b37fe11aeddb3352d44257e6b9f86bda902ad472994b6b24a75e3b345060e5 |
C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log
| MD5 | 712c16c3a86611371c5b6a7b5aa4eb3b |
| SHA1 | 705f3764d858485acf108c3bc6080b0d9fd3101e |
| SHA256 | d40d1787fd530237a6ac13bbe9b0da0c126f0ccde23c6f4d72411ad00ba9b137 |
| SHA512 | 33e6181a76cc9c67cfd0d4f210a3f541a213ceb6c71d21ef6e302c285fd5c92c0ab1861d933353f06d32d10523ed1ac05c01b8279f9494e235444642484755c6 |
C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log
| MD5 | 00cbb69679661f0dcc28871dba15c732 |
| SHA1 | 7d4d0c7724734e471b53bf81db263f2004f373fb |
| SHA256 | a6e0f4f071a317e981ddefb9df868a6099f53b88244aa0180916e4719adc1e71 |
| SHA512 | 7bd898000171d8c73ab1c48084701230d5ffaac14d561b96b5e8750a6730af5328a0e7d6b45ea936b284df8e04f6fcad74bde90270b66eba051980efe829f3c5 |
memory/4436-417-0x000000002A2C0000-0x000000002A30D000-memory.dmp
memory/4436-418-0x000000002BED0000-0x000000002C08D000-memory.dmp
memory/4436-424-0x000000002BED0000-0x000000002C08D000-memory.dmp
memory/4436-425-0x000000002BED0000-0x000000002C08D000-memory.dmp