Malware Analysis Report

2024-12-07 13:53

Sample ID 241119-fkz7ca1enq
Target wpsupdate.msi.vir
SHA256 c17c018f5df7a413dc053a325b6c291c9cd84f1b9e2415ffe205e02a7e5d6b4a
Tags
bootkit discovery execution persistence privilege_escalation gh0strat purplefox rat rootkit trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c17c018f5df7a413dc053a325b6c291c9cd84f1b9e2415ffe205e02a7e5d6b4a

Threat Level: Known bad

The file wpsupdate.msi.vir was found to be: Known bad.

Malicious Activity Summary

bootkit discovery execution persistence privilege_escalation gh0strat purplefox rat rootkit trojan

Gh0strat

Purplefox family

Gh0st RAT payload

Detect PurpleFox Rootkit

PurpleFox

Gh0strat family

Command and Scripting Interpreter: PowerShell

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Executes dropped EXE

Event Triggered Execution: Installer Packages

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Runs ping.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-19 04:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-19 04:56

Reported

2024-11-19 04:59

Platform

win7-20240903-en

Max time kernel

118s

Max time network

125s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\wpsupdate.msi

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\TransformOptimisticContributor\wpsupdate.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\TransformOptimisticContributor\2_WSEcydALszNI.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File created C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File created C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe C:\Windows\system32\MsiExec.exe N/A
File created C:\Program Files\TransformOptimisticContributor\VC_redist.x64.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\TransformOptimisticContributor\pvugBgEMyjnfIRZnnRolAMMekSRFAr C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File created C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File created C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.xml C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File opened for modification C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.xml C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File created C:\Program Files\TransformOptimisticContributor\2_WSEcydALszNI.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File created C:\Program Files\TransformOptimisticContributor\WSEcydALszNI C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File opened for modification C:\Program Files\TransformOptimisticContributor\WSEcydALszNI C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File opened for modification C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File opened for modification C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe C:\Windows\system32\MsiExec.exe N/A
File created C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File opened for modification C:\Program Files\TransformOptimisticContributor\pvugBgEMyjnfIRZnnRolAMMekSRFAr C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File created C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.vbs C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBB25.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f76b931.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76b931.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76b932.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76b934.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76b932.ipi C:\Windows\system32\msiexec.exe N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\khdinfo\InfoLastHardInfo C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0 C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\InfoHDt = "19" C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\khdinfo\InfoHDModifiedType = "hdidRecalByOldHdidFromRegIsEmpty|2024-11-19" C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\InfoHD3_C = "a7a81a4a5babfce68580881b050e0402" C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\InfoHD = "a7a81a4a5babfce68580881b050e0402" C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\InfoHD3Verify_C = 32003000320034002d00310031002d00310039007c00570044004300200032002e0035002b00320033003200310033003800380030003400310036003500200020002000200020002000200020007c00460041002d00350039002d00460042002d00340046002d00410034002d00360037000000 C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\InfoHD3t = "19" C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c047dd783f3adb01 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\ProductName = "TransformOptimisticContributor" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ED4346F32F1F8CA46B2D014BA47DCC9B C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ED4346F32F1F8CA46B2D014BA47DCC9B\0FEBA7E590D91C9459F27EF33A43D970 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0FEBA7E590D91C9459F27EF33A43D970\ProductFeature C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\PackageCode = "CCD296EAB4068834AB0FC3DB62EF5779" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\Version = "100859912" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\PackageName = "wpsupdate.msi" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0FEBA7E590D91C9459F27EF33A43D970 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: 35 N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: 35 N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A

Suspicious use of WriteProcessMemory

Every pair below is a parent writing into a child it has just created (the same pairs appear as parent and child under Processes), so this table is best read as the process tree rather than as evidence of code injection: msiexec.exe (2940) spawns the custom-action host MsiExec.exe (560), which runs powershell.exe (2792), cmd.exe (1016), WSEcydALszNI.exe (1220) and wpsupdate.exe (2444); cmd.exe in turn launches the extractor twice (1668, 2672) with PING.EXE (1884) between the two runs.

Description Indicator Process Target
PID 2940 wrote to memory of 560 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2940 wrote to memory of 560 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2940 wrote to memory of 560 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2940 wrote to memory of 560 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2940 wrote to memory of 560 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 560 wrote to memory of 2792 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 560 wrote to memory of 2792 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 560 wrote to memory of 2792 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 560 wrote to memory of 1016 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 560 wrote to memory of 1016 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 560 wrote to memory of 1016 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1016 wrote to memory of 1668 N/A C:\Windows\System32\cmd.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
PID 1016 wrote to memory of 1668 N/A C:\Windows\System32\cmd.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
PID 1016 wrote to memory of 1668 N/A C:\Windows\System32\cmd.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
PID 1016 wrote to memory of 1668 N/A C:\Windows\System32\cmd.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
PID 1016 wrote to memory of 1884 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1016 wrote to memory of 1884 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1016 wrote to memory of 1884 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1016 wrote to memory of 2672 N/A C:\Windows\System32\cmd.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
PID 1016 wrote to memory of 2672 N/A C:\Windows\System32\cmd.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
PID 1016 wrote to memory of 2672 N/A C:\Windows\System32\cmd.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
PID 1016 wrote to memory of 2672 N/A C:\Windows\System32\cmd.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
PID 560 wrote to memory of 1220 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe
PID 560 wrote to memory of 1220 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe
PID 560 wrote to memory of 1220 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe
PID 560 wrote to memory of 1220 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe
PID 560 wrote to memory of 2444 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\wpsupdate.exe
PID 560 wrote to memory of 2444 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\wpsupdate.exe
PID 560 wrote to memory of 2444 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\wpsupdate.exe
PID 560 wrote to memory of 2444 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\wpsupdate.exe
PID 560 wrote to memory of 2444 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\wpsupdate.exe
PID 560 wrote to memory of 2444 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\wpsupdate.exe
PID 560 wrote to memory of 2444 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\wpsupdate.exe

Uses Volume Shadow Copy service COM API

ransomware

The sandbox applies the ransomware tag to any use of the VSS COM API. In this trace the VSS activity consists of vssvc.exe and DrvInst.exe handling a STORAGE\VolumeSnapshot device while msiexec.exe is installing the package, which is consistent with the Windows Installer creating its usual restore point; no shadow-copy enumeration or deletion (vssadmin, wmic shadowcopy) appears anywhere in the process list, so the tag should not be read as ransomware behaviour by the sample.

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\wpsupdate.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004D8" "00000000000005A4"

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding A73CA5812756B6C0B64396F1AD59FC9C M Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\TransformOptimisticContributor','C:\Program Files','C:\Program Files'

This custom action, run from the MsiExec.exe host, is defence evasion rather than plain execution: it adds Microsoft Defender path exclusions for the drop directory and (listed twice) the whole of C:\Program Files, so nothing extracted there afterwards is scanned. Add-MpPreference needs administrator rights, which the Windows Installer service context supplies. Defender records the change as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, and the ExclusionPath property of Get-MpPreference shows whether the exclusions are still in place on a suspect host.

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw" -o"C:\Program Files\TransformOptimisticContributor\" -p"03621GQD}PR[O^Dmi;;h" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL" -x!1_WSEcydALszNI.exe -x!sss -x!1_OzasXnwPtTbfCAAsrowrLIIDEPUHpa.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\TransformOptimisticContributor\" -p"93629#*_tvw?-L5@gQl=" -y

The two x invocations match 7-Zip's extract syntax (x <archive> -o<dir> -p<password> -y, with -x!<name> excluding named members), so QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe is an archiver shipped in the package and YRtKSPCVXxSCmPuaAzactTPSddUXyw and WhlKFlLXxHUitNNcNwtpUJDzrKytNL are password-protected archives; both passwords are in clear text here and can be reused to unpack the dropped archives (hashes under Files) for static analysis. start /min keeps the extractor windows hidden, and ping 127.0.0.1 -n 2 is the cmd.exe sleep idiom (about one second between the two extractions), not a connectivity check.

C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe

"C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw" -o"C:\Program Files\TransformOptimisticContributor\" -p"03621GQD}PR[O^Dmi;;h" -y

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe

"C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL" -x!1_WSEcydALszNI.exe -x!sss -x!1_OzasXnwPtTbfCAAsrowrLIIDEPUHpa.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\TransformOptimisticContributor\" -p"93629#*_tvw?-L5@gQl=" -y

C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe

"C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe" -number 177 -file file3 -mode mode3

C:\Program Files\TransformOptimisticContributor\wpsupdate.exe

"C:\Program Files\TransformOptimisticContributor\wpsupdate.exe"
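
The Processes list above and the "Suspicious use of WriteProcessMemory" rows earlier in this analysis together describe the execution chain. The Python below is an added worked example, not code from the sandbox report or from the sample: it rebuilds the process tree from the "PID A wrote to memory of B" rows (this sandbox records the parent writing into each child it creates) and applies the command-line heuristics a responder would run over this report (Defender exclusion via Add-MpPreference, 7-Zip-style password-protected extraction, start /min, the ping 127.0.0.1 -n N delay, and msiexec installing from %TEMP%). The rows and command lines are copied from this report; the PID-to-command-line mapping is inferred from the tree, since the report prints no PID next to a command line, and is an assumption.

```python
import re
from collections import OrderedDict

# Rows copied from the "Suspicious use of WriteProcessMemory" table of this report. The
# sandbox logs one row per call, so an edge repeats; one duplicate is kept on purpose.
WPM_ROWS = r"""
PID 2940 wrote to memory of 560 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2940 wrote to memory of 560 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 560 wrote to memory of 2792 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 560 wrote to memory of 1016 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1016 wrote to memory of 1668 N/A C:\Windows\System32\cmd.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
PID 1016 wrote to memory of 1884 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1016 wrote to memory of 2672 N/A C:\Windows\System32\cmd.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
PID 560 wrote to memory of 1220 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe
PID 560 wrote to memory of 2444 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\wpsupdate.exe
"""

# Command lines from the Processes section. The report prints no PID beside them; this
# PID mapping is inferred from the tree (one powershell, one cmd, ...) and is an assumption.
CMDLINES = {
    2940: r'msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\wpsupdate.msi',
    560: r'C:\Windows\system32\MsiExec.exe -Embedding A73CA5812756B6C0B64396F1AD59FC9C M Global\MSI0000',
    2792: r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\TransformOptimisticContributor','C:\Program Files','C:\Program Files'""",
    1016: r'"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw" -o"C:\Program Files\TransformOptimisticContributor\" -p"03621GQD}PR[O^Dmi;;h" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL" -x!1_WSEcydALszNI.exe -x!sss -x!1_OzasXnwPtTbfCAAsrowrLIIDEPUHpa.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\TransformOptimisticContributor\" -p"93629#*_tvw?-L5@gQl=" -y',
    1668: r'"C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw" -o"C:\Program Files\TransformOptimisticContributor\" -p"03621GQD}PR[O^Dmi;;h" -y',
    1884: r'ping 127.0.0.1 -n 2',
    2672: r'"C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL" -x!1_WSEcydALszNI.exe -x!sss -x!1_OzasXnwPtTbfCAAsrowrLIIDEPUHpa.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\TransformOptimisticContributor\" -p"93629#*_tvw?-L5@gQl=" -y',
    1220: r'"C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe" -number 177 -file file3 -mode mode3',
    2444: r'"C:\Program Files\TransformOptimisticContributor\wpsupdate.exe"',
}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+)$")


def parse_wpm_rows(text):
    """Unique (parent_pid, child_pid, parent_image, child_image) edges in first-seen order."""
    edges = OrderedDict()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        # Both images are absolute paths that may contain spaces; split at the second drive prefix.
        images = re.split(r"\s+(?=[A-Za-z]:\\)", m.group(3))
        if len(images) == 2:
            edges.setdefault((int(m.group(1)), int(m.group(2)), images[0], images[1]))
    return list(edges)


def build_tree(edges):
    """pid -> {"image", "parent", "children"}: each edge is a parent writing into its new child."""
    tree = {}
    for ppid, pid, pimg, cimg in edges:
        tree.setdefault(ppid, {"image": pimg, "parent": None, "children": []})
        tree.setdefault(pid, {"image": cimg, "parent": None, "children": []})["parent"] = ppid
        if pid not in tree[ppid]["children"]:
            tree[ppid]["children"].append(pid)
    return tree


def chain(tree, pid):
    """Image basenames from the root down to pid, e.g. msiexec.exe > MsiExec.exe > cmd.exe."""
    names = []
    while pid is not None:
        names.append(tree[pid]["image"].rsplit("\\", 1)[-1])
        pid = tree[pid]["parent"]
    return names[::-1]


def render_tree(tree, pid, depth=0):
    lines = ["  " * depth + f"{pid} {tree[pid]['image']}"]
    for child in tree[pid]["children"]:
        lines += render_tree(tree, child, depth + 1)
    return lines


HEURISTICS = [
    ("defender_exclusion", re.compile(r"Add-MpPreference\s+-Exclusion", re.I)),
    # 7-Zip style: x <archive> ... -p"<password>" ... -y  (extract, password, assume yes)
    ("password_protected_extraction", re.compile(r'\bx\s+"[^"]+".*-p"[^"]*".*-y\b')),
    ("hidden_window_launch", re.compile(r"\bstart\s+/min\b", re.I)),
    ("loopback_ping_delay", re.compile(r"\bping\s+127\.0\.0\.1\s+-n\s+\d+", re.I)),
    ("msi_from_temp", re.compile(r"msiexec(\.exe)?\s+/I\s+\S*\\AppData\\Local\\Temp\\", re.I)),
]


def triage_cmdline(cmd):
    return [tag for tag, rx in HEURISTICS if rx.search(cmd)]


def triage(tree, cmdlines):
    """(pid, ancestry, tags) for every process whose command line trips a heuristic."""
    out = []
    for pid in sorted(tree):
        tags = triage_cmdline(cmdlines.get(pid, ""))
        if tags:
            out.append((pid, " > ".join(chain(tree, pid)), tags))
    return out


if __name__ == "__main__":
    tree = build_tree(parse_wpm_rows(WPM_ROWS))
    print("\n".join(render_tree(tree, 2940)))
    for pid, ancestry, tags in triage(tree, CMDLINES):
        print(f"{pid:>5} {ancestry}: {', '.join(tags)}")
```

The heuristics are deliberately keyed on the parent chain as well as the command line: a Defender exclusion added by a process whose ancestry is msiexec.exe > MsiExec.exe, or a loopback ping under cmd.exe with an archiver as its sibling, is a far stronger signal than either command line on its own, and the same parse/chain step works on Sysmon Event ID 1 records once the "wrote to memory" rows are swapped for ParentProcessId/ProcessId.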

Network

Country Destination Domain Proto
US 8.8.8.8:53 im.qq.com udp
US 8.8.8.8:53 updatepro.wps.cn udp

Only these two DNS queries, both sent to 8.8.8.8, are recorded. updatepro.wps.cn belongs to Kingsoft's WPS Office, which matches the dropped wpsupdate.exe and the Kingsoft registry keys it writes; no resolved address, TCP connection or command-and-control traffic appears within the analysis window, so nothing in this run serves as a network indicator for the RAT component.

Files

memory/560-12-0x0000000000300000-0x0000000000310000-memory.dmp

memory/2792-18-0x00000000002F0000-0x00000000002F8000-memory.dmp

memory/2792-17-0x000000001B650000-0x000000001B932000-memory.dmp

C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe

MD5 c31c4b04558396c6fabab64dcf366534
SHA1 fa836d92edc577d6a17ded47641ba1938589b09a
SHA256 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3
SHA512 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw

MD5 831ff4029b30419da4ac4d32bf8ff05c
SHA1 8c121d0cd017ce5f7ca8cbf6abd8909b2fe445bc
SHA256 ab281716242897be222c1d4cc979fd5de9e7d1cde56e70ac1010e6b3dc76826d
SHA512 17f2efdb891dcf9ceacb8b24801ec59866f969baa55d1c92c15a7150c13f18cc3f481984b5971456e1ad0f204db016698bfe012c086ffa2028582c1d9302a8c5

C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL

MD5 d045828473a8165effd59a97232e6107
SHA1 f86bd9763d6c70ec3ca79134598de4fa44c6bc94
SHA256 9aaae0f7b3bdab287ad703c7eb4baa1a0746b6d353e57ae74d985b10a2102016
SHA512 07e77aa6a433d4541d80276d37e682012509b480a6861f9fbe3cd89929b352d6754cc649526f95c4bd76cf4e1c8bceb275a0217c38193ab88891166934d79659

C:\Program Files\TransformOptimisticContributor\2_WSEcydALszNI.exe

MD5 fb22fb79f366c65257b7adb24c70d843
SHA1 ca6d29a4806d52350e1a50c7b71526dfaab2d525
SHA256 44f2ea5b5dd47fc256a341dee1d2dacfc24adba395a49fd8c4ad3613bfe2d43d
SHA512 c4dfb9273bd937f5480646e12d77073a476719f1f15ee5885e0999f0bbc68f80b1909489f7bd78a3bfb4687a55442f655f4538fda20afe4a7b87623e9bdfe7d9

C:\Program Files\TransformOptimisticContributor\wpsupdate.exe

MD5 57dadd6a929f64c2b1efe2d52c1c4985
SHA1 962cb227f81f885f23826c3e040aa9dbc97659cf
SHA256 996b5d59cce7955b4374bd00d83c422d3a1d9ffebba59c66074c37ab28cfaeb5
SHA512 3f64c35e72698ea6a7e708a4367277f3ab62c27f0652e0c55bab6e02239ee37c4f0a21503c0688301fb77bbf8e59e3c5c8aa2df8d62a4ab8a9b9cdf6f0a775cf

C:\Config.Msi\f76b933.rbs

MD5 a4a8ce0ddf6ab88bb915a101d04f043e
SHA1 531bf0452cf8c833397af429808f7c03e30ec507
SHA256 cb25460926ba0b6cbc61b505926ec12e9852b92fada8bd37ef854a18be2dcaf8
SHA512 318e4ccb6669ca3a6da25bd199ce909005006ede2f69a581a35b0020421cffb5f130fbcbe0748b2bc9ffe6bb8c3241d8a01793fbcd1f36bd864b4b8acf4adfe8

C:\Windows\Installer\f76b931.msi (the Windows Installer cache copy of the package; its SHA256 is identical to the submitted sample)

MD5 ef294458016f546c5eebd07d2dd98bad
SHA1 66bb14f670055272e12899d401b8668cad15fac9
SHA256 c17c018f5df7a413dc053a325b6c291c9cd84f1b9e2415ffe205e02a7e5d6b4a
SHA512 97ee150f49bb587147f30d2215174f5376420abd5d659a2c68d58bc67f823715030cc328eab7e11623f4ee8504f1f080ceb44ac2d6fca7c636ea8d7c936f0333

memory/1220-61-0x00000000003C0000-0x00000000003EF000-memory.dmp

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\update\wpsupdate_2024_11_19.log

MD5 c313ef3605773ce19c1d74c4cf92990e
SHA1 75f90116d63472a7173fb2f1e2413d98b2aa09b1
SHA256 d1f1280e89caa8ead1024f56614aad8e4a3dd0f5d697a57a2f660170abac1da7
SHA512 13239ff124d6e39d5195f208197fac1bf929e7abce4b9a401e3f4dab5e3e09250fc8560eb5f835e76354b194d7e5d7e4b24bed424bda0b126cd2b0f36f0d7bfd

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-19 04:56

Reported

2024-11-19 04:59

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

160s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\wpsupdate.msi

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

PurpleFox

rootkit trojan purplefox

Purplefox family

purplefox

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

msiexec.exe probes every drive letter from A: to Z: during the costing phase of any install, so this signature reflects the Windows Installer itself rather than the payload; the duplicated letters come from the two msiexec.exe processes.

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A

The indicator is a handle to the raw disk opened with write access, not a captured write to sector 0. The same process also records the disk model and serial in the Kingsoft hardware fingerprint it writes under HKEY_USERS\.DEFAULT (see the HKEY_USERS table), and reading that information goes through the same device, so a dump of sector 0 compared against a known-good MBR is needed before this is treated as a confirmed bootkit install.
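
To check whether sector 0 actually changed, the following Python, an added example that is not code from the report or the sample, parses a 512-byte MBR (boot code, disk signature, the four partition entries and the 0x55AA signature) and diffs it against a trusted baseline. The baseline and tampered sectors are constructed inline (the boot-stub bytes are an illustrative stand-in, not a real bootloader); read_sector0 is the only function that touches a real disk and needs administrator rights on Windows.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0-439 hold the boot code
DISK_SIG_OFF = 0x1B8       # 32-bit NT disk signature
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE       # 0x55 0xAA
ENTRY_FMT = "<B3xB3xII"    # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector):
    """Decode one 512-byte MBR; raises ValueError if it is not a well-formed MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[BOOT_SIG_OFF:] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def diff_mbr(baseline, current):
    """Human-readable differences between two sectors; an empty list means unchanged."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    diffs = []
    if a["boot_code_sha256"] != b["boot_code_sha256"]:
        diffs.append("boot code (bytes 0-439) differs")
    if a["disk_signature"] != b["disk_signature"]:
        diffs.append("disk signature differs")
    if a["partitions"] != b["partitions"]:
        diffs.append("partition table differs")
    return diffs


def build_sector(boot_code, partitions, disk_signature=0x1A2B3C4D):
    """Assemble an MBR from parts; used here only to construct the sample sectors."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code longer than 440 bytes")
    sec = bytearray(SECTOR_SIZE)
    sec[:len(boot_code)] = boot_code
    struct.pack_into("<I", sec, DISK_SIG_OFF, disk_signature)
    for i, (bootable, ptype, lba_start, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sec, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0, ptype, lba_start, count)
    sec[BOOT_SIG_OFF:] = b"\x55\xAA"
    return bytes(sec)


def read_sector0(device=r"\\.\PhysicalDrive0"):
    """Read the live MBR. Needs administrator rights on Windows (root with /dev/sda on Linux)."""
    with open(device, "rb") as f:
        return f.read(SECTOR_SIZE)


# Constructed sample: a stand-in boot stub (xor ax,ax / mov ss,ax / mov sp,0x7C00 / jmp $)
# padded with NOPs, plus a typical two-partition layout. Not taken from any real disk.
GOOD_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C\xEB\xFE".ljust(BOOT_CODE_LEN, b"\x90")
PARTITIONS = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 41000960)]
BASELINE_MBR = build_sector(GOOD_BOOT_CODE, PARTITIONS)
# Same partition table and disk signature, but the boot code has been replaced.
TAMPERED_MBR = build_sector(b"\xEB\xFE".ljust(BOOT_CODE_LEN, b"\xCC"), PARTITIONS)

if __name__ == "__main__":
    for name, sec in (("baseline", BASELINE_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(sec)
        print(name, info["boot_code_sha256"][:16], info["partitions"])
    print("differences:", diff_mbr(BASELINE_MBR, TAMPERED_MBR))
```

In practice the baseline comes from a clean image of the same build (or the hash of the boot code on a known-good machine of the same model), and the check is run from a trusted boot medium, since a live bootkit can filter reads of sector 0 from the infected OS.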

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\nKecPJAaIeFB.exe.log C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe N/A

Drops file in Program Files directory

Everything is staged under C:\Program Files\TransformOptimisticContributor\. The extractor unpacks a further stage, nKecPJAaIeFB.exe, beside nKecPJAaIeFB.xml, and that executable then writes nKecPJAaIeFB.wrapper.log; the exe/xml/.wrapper.log triple matches the file layout of a WinSW-style Windows service wrapper, so a newly registered service is the persistence mechanism to look for on an infected host. The CLR usage log the same binary leaves under the SYSTEM profile (System32 table) shows it is a .NET executable running as LocalSystem. A file named VC_redist.x64.exe is also dropped from the package.

Description Indicator Process Target
File created C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe C:\Windows\System32\MsiExec.exe N/A
File created C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File created C:\Program Files\TransformOptimisticContributor\2_WSEcydALszNI.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File opened for modification C:\Program Files\TransformOptimisticContributor\2_WSEcydALszNI.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File opened for modification C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File opened for modification C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.wrapper.log C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe N/A
File created C:\Program Files\TransformOptimisticContributor\VC_redist.x64.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File created C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.vbs C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
File opened for modification C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.wrapper.log C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe N/A
File opened for modification C:\Program Files\TransformOptimisticContributor\WSEcydALszNI C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File created C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File opened for modification C:\Program Files\TransformOptimisticContributor C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
File opened for modification C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.wrapper.log C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe N/A
File created C:\Program Files\TransformOptimisticContributor\wpsupdate.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.xml C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File opened for modification C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.xml C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File created C:\Program Files\TransformOptimisticContributor\pvugBgEMyjnfIRZnnRolAMMekSRFAr C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File opened for modification C:\Program Files\TransformOptimisticContributor\pvugBgEMyjnfIRZnnRolAMMekSRFAr C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
File created C:\Program Files\TransformOptimisticContributor\WSEcydALszNI C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIDB4C.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57d9f7.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57d9f5.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57d9f5.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{5E7ABEF0-9D09-49C1-952F-E73FA3349D07} C:\Windows\system32\msiexec.exe N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\System32\cmd.exe N/A

The ping here is ping 127.0.0.1 -n 2, which never leaves the host: it is the cmd.exe sleep idiom placed between the two archive extractions, so the discovery classification is a false positive in this case.

Checks SCSI registry key(s)

All of these operations come from vssvc.exe writing the partition manager's PartitionTableCache and SnapshotDataCache values while it creates a volume snapshot; they belong to the VSS service, not to the sample, and the Disk&Ven_WDC&Prod_WDS100T2B0A device is the sandbox's own disk.

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e6cf55ff94a5976e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e6cf55ff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e6cf55ff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de6cf55ff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e6cf55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Modifies data under HKEY_USERS

HKEY_USERS\.DEFAULT is the hive LocalSystem uses as HKEY_CURRENT_USER, so every process in this table (powershell.exe, WScript.exe, MsiExec.exe, wpsupdate.exe) ran as SYSTEM in the Windows Installer service's context rather than as the logged-on user; the CLR usage log under C:\Windows\system32\config\systemprofile in the System32 table says the same. WScript.exe is explained by WSEcydALszNI.vbs, which WSEcydALszNI.exe drops in the Program Files table. The SystemCertificates keys created by powershell.exe are the certificate store being initialised for the SYSTEM profile, and the Kingsoft\Office\6.0\Common values are the WPS updater's hardware fingerprint.

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHDt = "19" C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD = "f69076662ad68ef948dba3f08594f011" C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD3_C = "f69076662ad68ef948dba3f08594f011" C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD3Verify_C = 32003000320034002d00310031002d00310039007c00570044004300200032002e0035002b00320033003200310033003800380030003400310036003500200020002000200020002000200020007c00440041002d00360037002d00420035002d00360045002d00360043002d00310042000000 C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
(the data is UTF-16LE and decodes to "2024-11-19|WDC 2.5+232138804165        |DA-67-B5-6E-6C-1B": the detonation date, the sandbox disk's model and serial, and a MAC-format address, i.e. a fingerprint of the analysis machine rather than an indicator to hunt for)
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD3t = "19" C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo\InfoLastHardInfo C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0 C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo\InfoCurHardInfo = "29a56b8a14940c3acb7a4a6443907c56|e7074c32322ef165a9d6e271ff2be5c7" C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Kingsoft C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\PackageCode = "CCD296EAB4068834AB0FC3DB62EF5779" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\Version = "100859912" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0FEBA7E590D91C9459F27EF33A43D970 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ED4346F32F1F8CA46B2D014BA47DCC9B C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0FEBA7E590D91C9459F27EF33A43D970\ProductFeature C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\ProductName = "TransformOptimisticContributor" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ED4346F32F1F8CA46B2D014BA47DCC9B\0FEBA7E590D91C9459F27EF33A43D970 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\PackageName = "wpsupdate.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\wpsupdate.exe N/A
N/A N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: 35 N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: 35 N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4880 wrote to memory of 3028 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4880 wrote to memory of 3028 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4880 wrote to memory of 2680 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4880 wrote to memory of 2680 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 2680 wrote to memory of 4416 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 4416 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 3952 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 2680 wrote to memory of 3952 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 3952 wrote to memory of 4460 N/A C:\Windows\System32\cmd.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
PID 3952 wrote to memory of 4460 N/A C:\Windows\System32\cmd.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
PID 3952 wrote to memory of 4460 N/A C:\Windows\System32\cmd.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
PID 3952 wrote to memory of 1892 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 3952 wrote to memory of 1892 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 3952 wrote to memory of 4444 N/A C:\Windows\System32\cmd.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
PID 3952 wrote to memory of 4444 N/A C:\Windows\System32\cmd.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
PID 3952 wrote to memory of 4444 N/A C:\Windows\System32\cmd.exe C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
PID 2680 wrote to memory of 632 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe
PID 2680 wrote to memory of 632 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe
PID 2680 wrote to memory of 632 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe
PID 2680 wrote to memory of 3828 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\wpsupdate.exe
PID 2680 wrote to memory of 3828 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\wpsupdate.exe
PID 2680 wrote to memory of 3828 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\TransformOptimisticContributor\wpsupdate.exe
PID 436 wrote to memory of 2724 N/A C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe
PID 436 wrote to memory of 2724 N/A C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe
PID 436 wrote to memory of 2724 N/A C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe
PID 2724 wrote to memory of 3836 N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe
PID 2724 wrote to memory of 3836 N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe
PID 2724 wrote to memory of 3836 N/A C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\wpsupdate.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 94C8925FDAC075AE237B5605BCE04F8E E Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\TransformOptimisticContributor','C:\Program Files','C:\Program Files'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw" -o"C:\Program Files\TransformOptimisticContributor\" -p"03621GQD}PR[O^Dmi;;h" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL" -x!1_WSEcydALszNI.exe -x!sss -x!1_OzasXnwPtTbfCAAsrowrLIIDEPUHpa.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\TransformOptimisticContributor\" -p"93629#*_tvw?-L5@gQl=" -y

C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe

"C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw" -o"C:\Program Files\TransformOptimisticContributor\" -p"03621GQD}PR[O^Dmi;;h" -y

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe

"C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL" -x!1_WSEcydALszNI.exe -x!sss -x!1_OzasXnwPtTbfCAAsrowrLIIDEPUHpa.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\TransformOptimisticContributor\" -p"93629#*_tvw?-L5@gQl=" -y

C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe

"C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe" -number 177 -file file3 -mode mode3

C:\Program Files\TransformOptimisticContributor\wpsupdate.exe

"C:\Program Files\TransformOptimisticContributor\wpsupdate.exe"

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.vbs"

C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe

"C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe" install

C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe

"C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe" start

C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe

"C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe"

C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe

"C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe" -number 151 -file file3 -mode mode3

C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe

"C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe" -number 62 -file file3 -mode mode3

Network


Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1veqiqdc.l1i.ps1

memory/4416-22-0x0000017BC0170000-0x0000017BC0192000-memory.dmp

\??\Volume{ff55cfe6-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{22748646-e610-4438-a06b-3a0bb54c46f1}_OnDiskSnapshotProp

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe

C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw

C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL

C:\Program Files\TransformOptimisticContributor\2_WSEcydALszNI.exe

C:\Program Files\TransformOptimisticContributor\wpsupdate.exe

memory/632-57-0x000000002A460000-0x000000002A48F000-memory.dmp

C:\Config.Msi\e57d9f6.rbs

C:\Windows\Installer\e57d9f5.msi

C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe

C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.vbs

memory/952-78-0x0000000000D50000-0x0000000000E26000-memory.dmp

C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.xml

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\nKecPJAaIeFB.exe.log

C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.wrapper.log

MD5 4a3b8c0e53a3ca076d6d3659300c096c
SHA1 a49a2be43a87cde92a60f17dbd29d5d1d5cac353
SHA256 d2964d10f1431ffeb289bce75ca9b5f1ffa1ee58a9ee7f7028cc65413e8878b0
SHA512 8c94c15b557cc0d58d27d74b7e4cd0fba0ce84742f99d4b848be741ab48c82f9c864c47aa0986f31c9c75f4f005e8ff7a3e1963c1c00f217381081177a3b276d

C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.wrapper.log

MD5 6923590bb4fac906ac5a9996ceb9362b
SHA1 2fae07821afeacee9441779591cf51eb0b39dda0
SHA256 b3b4e0f086c456e9156cd796a1b985ac426af7764647b197682b40b362c4bb1d
SHA512 db68e9982acb4e27ef36cd22d76b6aa42bbd100ae4eaed8a23feaf1a58c9f32470e7184cc6ca65a2c1218cfc873b21553403bf093518e5d9d61bff59a3ff704e

C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.wrapper.log

MD5 1618efebb4abada9b83b90496410fb57
SHA1 61fbb12b77328d4cb5e237878caedfa20e936ca3
SHA256 462d8c4f845b5bcc5ea5582e2c21c97199c97429043410db7bcf468a2778aa81
SHA512 73ea0f4540a25d9234a10142c724bf2c9c8134a786a219fb88d9b4bf4403b4d69fdb6ce61104c4296ec507b9ccae79ec0c45fdea3c86bbac6cfe0b45ac15ab5d

memory/3836-109-0x0000000029E10000-0x0000000029E5D000-memory.dmp

memory/3836-110-0x000000002BA30000-0x000000002BBED000-memory.dmp

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\update\wpsupdate_2024_11_19.log
