f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7

Analysis

max time kernel
124s
max time network
158s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
Size

5.9MB
MD5

5dfc1d13a567b959767dc96b0b47daa6
SHA1

855d1463bee7b1bc017dccd65ef976478e3ab994
SHA256

f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7
SHA512

cf9ce83e6a52e48a938afee65fe0c81ec9cd43dcbe85aa88b0dd3e427b0defd69af04557a70685ae69621b92cc30826534937cc23dd40d077a2842ac037d4d1e
SSDEEP

98304:6ILNTiGmEf2h6d5LSVE3mWvqdiabu8qohOA8bElxj5b8/vkZ0xTQWjq:ZRlXLS2xicDQOAlx1ovk0RQkq

Score

7^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe

Executes dropped EXE 54 IoCs

pid	Process
460	Process not Found
2372	alg.exe
2736	aspnet_state.exe
1680	mscorsvw.exe
1044	mscorsvw.exe
2996	mscorsvw.exe
2000	mscorsvw.exe
2808	ehRecvr.exe
1756	ehsched.exe
2160	elevation_service.exe
1860	IEEtwCollector.exe
2348	GROOVE.EXE
1744	maintenanceservice.exe
1364	msdtc.exe
1740	msiexec.exe
2812	OSE.EXE
264	OSPPSVC.EXE
2232	perfhost.exe
844	locator.exe
1116	mscorsvw.exe
2516	snmptrap.exe
112	mscorsvw.exe
360	vds.exe
2100	vssvc.exe
2744	wbengine.exe
2540	mscorsvw.exe
1512	WmiApSrv.exe
2456	wmpnetwk.exe
2332	SearchIndexer.exe
3600	mscorsvw.exe
3720	mscorsvw.exe
3892	mscorsvw.exe
3996	mscorsvw.exe
1500	mscorsvw.exe
2604	mscorsvw.exe
3172	mscorsvw.exe
3312	mscorsvw.exe
3444	mscorsvw.exe
3004	mscorsvw.exe
3756	mscorsvw.exe
3884	mscorsvw.exe
1804	mscorsvw.exe
1492	mscorsvw.exe
3996	mscorsvw.exe
3080	mscorsvw.exe
3284	mscorsvw.exe
1892	mscorsvw.exe
3368	mscorsvw.exe
3540	mscorsvw.exe
2212	mscorsvw.exe
3692	mscorsvw.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
2452	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3148	mscorsvw.exe

Loads dropped DLL 46 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
1740	msiexec.exe
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
748	Process not Found
3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	\??\PhysicalDrive0	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
File opened for modification	\??\PhysicalDrive0	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Windows\system32\dllhost.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Windows\System32\vds.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\28b1b5435f6c6349.bin	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Windows\System32\msdtc.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Windows\system32\wbengine.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\System32\alg.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROOVE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f0816230ec9fdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d04cbf46ec9fdb01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\S-1-5-19	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000901c0139ec9fdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\S-1-5-20	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200016 = "USA.gov"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{1BBA9179-7BD3-40F1-9FDC-652813EF2784}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe

Modifies system certificate store 2 TTPs 12 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\SystemCertificates\TrustedDevices	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\SystemCertificates\TrustedDevices	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\SystemCertificates\TrustedDevices	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
2488	ehRec.exe
3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
2452	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
2452	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
2452	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: 33	2088	EhTray.exe
Token: SeIncBasePriorityPrivilege	2088	EhTray.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeRestorePrivilege	1740	msiexec.exe
Token: SeTakeOwnershipPrivilege	1740	msiexec.exe
Token: SeSecurityPrivilege	1740	msiexec.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeDebugPrivilege	2488	ehRec.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: 33	2088	EhTray.exe
Token: SeIncBasePriorityPrivilege	2088	EhTray.exe
Token: SeBackupPrivilege	2100	vssvc.exe
Token: SeRestorePrivilege	2100	vssvc.exe
Token: SeAuditPrivilege	2100	vssvc.exe
Token: SeBackupPrivilege	2744	wbengine.exe
Token: SeRestorePrivilege	2744	wbengine.exe
Token: SeSecurityPrivilege	2744	wbengine.exe
Token: SeManageVolumePrivilege	2332	SearchIndexer.exe
Token: 33	2332	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2332	SearchIndexer.exe
Token: 33	2456	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2456	wmpnetwk.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeDebugPrivilege	3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
Token: SeDebugPrivilege	3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
Token: SeDebugPrivilege	3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
Token: SeDebugPrivilege	3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
Token: SeDebugPrivilege	3016	f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
Token: SeDebugPrivilege	3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
Token: SeRestorePrivilege	3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
Token: SeRestorePrivilege	3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
Token: SeRestorePrivilege	3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
Token: SeRestorePrivilege	3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2088	EhTray.exe
2088	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2088	EhTray.exe
2088	EhTray.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
3456	SearchProtocolHost.exe
3456	SearchProtocolHost.exe
3456	SearchProtocolHost.exe
3456	SearchProtocolHost.exe
3456	SearchProtocolHost.exe
3584	SearchProtocolHost.exe
3584	SearchProtocolHost.exe
3584	SearchProtocolHost.exe
3584	SearchProtocolHost.exe
3584	SearchProtocolHost.exe
3584	SearchProtocolHost.exe
3584	SearchProtocolHost.exe
3584	SearchProtocolHost.exe
3584	SearchProtocolHost.exe
3736	2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
3584	SearchProtocolHost.exe
3584	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 1116	2996	mscorsvw.exe	49
PID 2996 wrote to memory of 1116	2996	mscorsvw.exe	49
PID 2996 wrote to memory of 1116	2996	mscorsvw.exe	49
PID 2996 wrote to memory of 1116	2996	mscorsvw.exe	49
PID 2996 wrote to memory of 112	2996	mscorsvw.exe	51
PID 2996 wrote to memory of 112	2996	mscorsvw.exe	51
PID 2996 wrote to memory of 112	2996	mscorsvw.exe	51
PID 2996 wrote to memory of 112	2996	mscorsvw.exe	51
PID 2996 wrote to memory of 2540	2996	mscorsvw.exe	55
PID 2996 wrote to memory of 2540	2996	mscorsvw.exe	55
PID 2996 wrote to memory of 2540	2996	mscorsvw.exe	55
PID 2996 wrote to memory of 2540	2996	mscorsvw.exe	55
PID 2332 wrote to memory of 3456	2332	SearchIndexer.exe	59
PID 2332 wrote to memory of 3456	2332	SearchIndexer.exe	59
PID 2332 wrote to memory of 3456	2332	SearchIndexer.exe	59
PID 2332 wrote to memory of 3500	2332	SearchIndexer.exe	60
PID 2332 wrote to memory of 3500	2332	SearchIndexer.exe	60
PID 2332 wrote to memory of 3500	2332	SearchIndexer.exe	60
PID 2996 wrote to memory of 3600	2996	mscorsvw.exe	61
PID 2996 wrote to memory of 3600	2996	mscorsvw.exe	61
PID 2996 wrote to memory of 3600	2996	mscorsvw.exe	61
PID 2996 wrote to memory of 3600	2996	mscorsvw.exe	61
PID 2996 wrote to memory of 3720	2996	mscorsvw.exe	62
PID 2996 wrote to memory of 3720	2996	mscorsvw.exe	62
PID 2996 wrote to memory of 3720	2996	mscorsvw.exe	62
PID 2996 wrote to memory of 3720	2996	mscorsvw.exe	62
PID 2996 wrote to memory of 3892	2996	mscorsvw.exe	63
PID 2996 wrote to memory of 3892	2996	mscorsvw.exe	63
PID 2996 wrote to memory of 3892	2996	mscorsvw.exe	63
PID 2996 wrote to memory of 3892	2996	mscorsvw.exe	63
PID 2996 wrote to memory of 3996	2996	mscorsvw.exe	76
PID 2996 wrote to memory of 3996	2996	mscorsvw.exe	76
PID 2996 wrote to memory of 3996	2996	mscorsvw.exe	76
PID 2996 wrote to memory of 3996	2996	mscorsvw.exe	76
PID 2996 wrote to memory of 1500	2996	mscorsvw.exe	65
PID 2996 wrote to memory of 1500	2996	mscorsvw.exe	65
PID 2996 wrote to memory of 1500	2996	mscorsvw.exe	65
PID 2996 wrote to memory of 1500	2996	mscorsvw.exe	65
PID 2996 wrote to memory of 2604	2996	mscorsvw.exe	66
PID 2996 wrote to memory of 2604	2996	mscorsvw.exe	66
PID 2996 wrote to memory of 2604	2996	mscorsvw.exe	66
PID 2996 wrote to memory of 2604	2996	mscorsvw.exe	66
PID 2996 wrote to memory of 3172	2996	mscorsvw.exe	67
PID 2996 wrote to memory of 3172	2996	mscorsvw.exe	67
PID 2996 wrote to memory of 3172	2996	mscorsvw.exe	67
PID 2996 wrote to memory of 3172	2996	mscorsvw.exe	67
PID 2996 wrote to memory of 3312	2996	mscorsvw.exe	68
PID 2996 wrote to memory of 3312	2996	mscorsvw.exe	68
PID 2996 wrote to memory of 3312	2996	mscorsvw.exe	68
PID 2996 wrote to memory of 3312	2996	mscorsvw.exe	68
PID 2996 wrote to memory of 3444	2996	mscorsvw.exe	69
PID 2996 wrote to memory of 3444	2996	mscorsvw.exe	69
PID 2996 wrote to memory of 3444	2996	mscorsvw.exe	69
PID 2996 wrote to memory of 3444	2996	mscorsvw.exe	69
PID 2332 wrote to memory of 3584	2332	SearchIndexer.exe	70
PID 2332 wrote to memory of 3584	2332	SearchIndexer.exe	70
PID 2332 wrote to memory of 3584	2332	SearchIndexer.exe	70
PID 2996 wrote to memory of 3004	2996	mscorsvw.exe	71
PID 2996 wrote to memory of 3004	2996	mscorsvw.exe	71
PID 2996 wrote to memory of 3004	2996	mscorsvw.exe	71
PID 2996 wrote to memory of 3004	2996	mscorsvw.exe	71
PID 2996 wrote to memory of 3756	2996	mscorsvw.exe	72
PID 2996 wrote to memory of 3756	2996	mscorsvw.exe	72
PID 2996 wrote to memory of 3756	2996	mscorsvw.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
"C:\Users\Admin\AppData\Local\Temp\f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3016
- C:\Users\Admin\AppData\Local\Temp\wps_download\2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
  "C:\Users\Admin\AppData\Local\Temp\wps_download\2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe" -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -pinTaskbar -curlangofinstalledproduct=en_US -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -enableSetupMuiPkg -appdata="C:\Users\Admin\AppData\Roaming"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Modifies system certificate store
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3736
- - C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
    "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService
    3⤵
    PID:3096
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -regmtfont
    3⤵
    PID:3872
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\\office6\ksomisc.exe" -setappcap
    3⤵
    PID:3656

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2372

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2736

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1680

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1d4 -NGENProcess 258 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 244 -NGENProcess 1d8 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 244 -NGENProcess 1d4 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 23c -NGENProcess 1d8 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 268 -NGENProcess 248 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 1d4 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 23c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 1d4 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 260 -NGENProcess 26c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 258 -NGENProcess 1d4 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 274 -NGENProcess 284 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 268 -NGENProcess 1d4 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 28c -NGENProcess 258 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 23c -NGENProcess 26c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 23c -NGENProcess 28c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 250 -NGENProcess 26c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 250 -NGENProcess 23c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d4 -NGENProcess 26c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 2a0 -NGENProcess 290 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 23c -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 26c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 218 -NGENProcess 1ec -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 25c -NGENProcess 280 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 240 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  PID:2912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 258 -NGENProcess 254 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:1564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 294 -NGENProcess 1e8 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:4080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 258 -NGENProcess 1e8 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  PID:796

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3692

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2808

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1756

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2088

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2160

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1860

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2348

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1744

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1364

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2812

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:264

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2232

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:844

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2516

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:360

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1512

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3456
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  - Modifies data under HKEY_USERS
  PID:3500
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:3584
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  PID:2032

C:\Users\Admin\AppData\Local\Temp\wps_download\2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
"C:\Users\Admin\AppData\Local\Temp\wps_download\2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe" -downpower -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -pinTaskbar -curlangofinstalledproduct="en_US" -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -enableSetupMuiPkg="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -appdata="C:\Users\Admin\AppData\Roaming" -msgwndname=wpssetup_message_F78CC06 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~f78c16b\
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2452
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -setlng en_US
  2⤵
  PID:836
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -getonlineparam 00601.00001130 -forceperusermode
  2⤵
  PID:3852
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -getabtest -forceperusermode
  2⤵
  PID:1464
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -setservers
  2⤵
  PID:3328
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -register
  2⤵
  PID:2216
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\kmso2pdfplugins.dll"
    3⤵
    PID:3644
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\kmso2pdfplugins64.dll"
    3⤵
    PID:3784
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\kmso2pdfplugins64.dll"
      4⤵
      PID:3312
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -assoword
  2⤵
  PID:3460
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -assoexcel
  2⤵
  PID:2272
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -assopowerpnt
  2⤵
  PID:468
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -compatiblemso -source=1
  2⤵
  PID:1600
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -checkcompatiblemso
  2⤵
  PID:3936
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -saveas_mso
  2⤵
  PID:2144
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -distsrc 00601.00001130
  2⤵
  PID:4048
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -sendinstalldyn 5
  2⤵
  PID:3468
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode
  2⤵
  PID:3292
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -externaltask create -forceperusermode
  2⤵
  PID:3096
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -createsubmodulelink startmenu prometheus
  2⤵
  PID:3164
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -createsubmodulelink startmenu pdf
  2⤵
  PID:1624
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -createsubmodulelink desktop pdf
  2⤵
  PID:3528
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -createsubmodulelink desktop prometheus
  2⤵
  PID:2780
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -createCustomDestList
  2⤵
  PID:3908
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\kwpsmenushellext64.dll"
  2⤵
  PID:1804
- - C:\Windows\system32\regsvr32.exe
    /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\kwpsmenushellext64.dll"
    3⤵
    PID:4056
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -setup_assopdf -source=1
  2⤵
  PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
77129e14e08f8a499ea73658a6c3a0ad

SHA1
ba956aa8827bc48128298bf2b1e35254c416ae28

SHA256
5b253c3aa17c79eeb1f6e83bf745c7bfa950b96e78288688bd419dda3fd5a4ff

SHA512
033e20dcf9536a069e75b151e4028ea6d96db2906cc9e95893970b2446e4460f004a31264ad2c34e49e863eb38754a8fb54e208dda8925e84bf16e40fdeafe02

Download Submit
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe

Filesize
1.4MB

MD5
7262c0063342c4ffd3f7275a77bcf224

SHA1
6d1f5d0f48c29aa3a3530a04558e640141fabc39

SHA256
7a5d79d17c2ea0a004f93eec380fa699cf17ca05a4e30e8a0ba904d426482dd0

SHA512
8db9374f3ec11473463c31b8d7ac06a5783e9e537548438e939ce7c6543b0047ca4604ccffbb68e3f9fa2299f707cf52e9afba6c49521c20dddf5ff7b8801963

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
5bc3747db971a21417ffb51a6abedf3c

SHA1
008e959596c76a238762e7f3b4ae8cf4473e877a

SHA256
4a645e816e77d716948f396996214140f443957b0420e28b69ed9174c7e8fcc9

SHA512
2d3a23f3687caf8e95ae84e197ac825900b01fe84bf5ce21567a0fe57d3f0c8476755f646625c5342a975179a55fc49ec9c6d7e5f07b9158410e4198a5587785

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
46e436c555b06b4cd5f78dbc49049155

SHA1
3c604ca7b7f17fe322bc1d9c111daeebb2164bc0

SHA256
bf789cdde86b7ebcdf6a5589cd36de95b8890c5181693d4f8d27c02363e20a26

SHA512
db3483a9ba3ecbdcc7e750a3546e807e9ab6245e94025f2bb52c14aca7443986acad989cafc25730ee77f0425ebed802d87938ceb577b9fdc49752c5273c6384

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
192a00d0225105641d8a29c626fab01e

SHA1
eb5a145db5bd11e4db1c28001d52ea65423ab99f

SHA256
9d9b9134b844e3704e61b50aa62db5806553a0ed949ffda488fa3d5f6f11e715

SHA512
c2d766fba36e58a6fcf3110fd8e6fd0007951c3b1832fa8d4fc6500f1ecfabb96e3688a796348e4539b1ab7560729b1cd57fd55ad12dbeca40cf6e83c6ec1013

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
a5e38e1a09569f5992e79fb9ed629b45

SHA1
f5b0ce7f3b9ca17f78df7df15ce26d7201b40dc3

SHA256
21255826626e9887144175475907a703aba5a0b692a2aa86e9032b367623cc5b

SHA512
503668b8f0689b3c658ec19166083488b1c59cc8026299519b30a4e4176b7fbf1d11ee03efaf258d6c70fcd07d10473e8369111d2823479c7c4a0db05e33a361

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
528acebd75c927dbf4a63317cd991e93

SHA1
75f5590036e0dbb94cc04a5248781ffed7a8c482

SHA256
d39a76bcf4c0c47c7180de613e7a0632829ccd49f559139f4eddd0f927135228

SHA512
8026d7f28b2d1412e4f1f00509e1e547f097da9e8e2cef195117ff1ac188f12c57feb215a2958c29bec34935f7789fc4bba2af18ce8a75ccf94e1aeb6abfe93f

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
439671d1f572872249f418a88dd36a3c

SHA1
11b4905be9f2e9a6779c1566436079bd0ae07f30

SHA256
ca86f6362b3647843781d906030b30010cf8b727daf0e95c7c8d63d94a818535

SHA512
b9805eb04ca8c562137c465d2d97552809b6dfe4962f0a0d9b2beab88e4126b43e1bf5654308e06cc279871fef190c1fd672a2ad9297eac17ec3d779ccbdbc2c

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\Qt5GuiKso.dll

Filesize
5.3MB

MD5
5aae2422f4e1e26f31afa4235fa0335e

SHA1
8e3427c16581d50b9185a5cfbf25b04d5deca6e0

SHA256
97595c2ec54d3fdfaed460630a3b40212c51c5b8b0621f2716a1e4165c7b5013

SHA512
d22fa19def1c537b20a4f246d6a6609767eff482eba11793a1525d750f9ecae2dbee8063b3638739ac628f8f87eedb8535a7203368185c9bbaf376f4cebd4477

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\Qt5SvgKso.dll

Filesize
392KB

MD5
88a46a74d1c54b6e24343952ea84b2e4

SHA1
2c55e886513fba0ee8c00f4e5696037183406841

SHA256
042852572e6481b29bb20aac3f912172bad2df7fb62f9adf18c2bb375397c66b

SHA512
44543b127d27a63e7529fd9a70983ffb492e70857ee6acff30cc4f8489d06c7e502778cd729750198a3c12e0aa4273bb1a377132b86059561a81ed3019170f3e

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\Qt5WinExtrasKso.dll

Filesize
217KB

MD5
38d7ba1486407c7881d4f5f7559f6bc0

SHA1
bec1abe46eaa69bfb5c9f45cf3666209f486139f

SHA256
de114548ded37cd2ec3f36ca10ca526b6e8ac697256d6de0ccd0386f9056e6e4

SHA512
41503f18588bbb584a9378df5b4c69facc2e7392fb39b371320c7887fba4f3ad72f7a1970bd9ba36057a83fca6cc2a91698ff5001523529417de262049d38e3c

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\addons\ksearchpanel\mui\pt_BR\ksearchpanel.qm

Filesize
334B

MD5
2b42be10ddde43a0b6c2e461beae293a

SHA1
53888c4798bc04fdfc5a266587b8dc1c4e0103f3

SHA256
984ebeef80f6f50907afb92e5b5ae72df49fce045552c118a77a8887cc98e19b

SHA512
be3ebd02d37de367200696351fb5f9cd0ec4c206c3a33f281cb8b62386457a30a899322798c63a0d495577393e47258994feb7f8e2445645f552c2b7a2de6778

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\addons\kstartpage\mui\default\html\run.ini

Filesize
171B

MD5
b30cb271e143eace0f55ea2e562e1e9f

SHA1
9d97dbf24931cfc114384c3f4dbbae21c9e51be5

SHA256
3ab7bb6175885fc6acbf5eed0062b0d00c059cb4c68bd2ef90149b2c8763e658

SHA512
dc593185fa63b458024c3a913c558e5686806154181dea67eec786ada50595c53bab822833ad1e76c9acdf21be3eba50631391b7e575d7f1f6409ceccf966535

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\default\history.js

Filesize
198KB

MD5
d79cca3c379636510ddd6adc09a31d51

SHA1
6470c9569dcbd7b2ef0c75549799ef3c93fbf523

SHA256
632f2d1136280eaed004b7231ae90ed76bbd06c25f73d900873abc1c6ae71769

SHA512
1f066715066c6125e7556455f67eccdafcfb0a15642c25425c865c6def6ea3dae819018fa8d2abdcf9eca53de94c49f1310bd1c7883247f84a6043df03e1f80d

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\cfgs\setup.cfg

Filesize
434B

MD5
6c24204c36a331b30eccb1005e21a045

SHA1
56bb9642a5cf586f9e4152daaaa1275be587015b

SHA256
537cbec4f9ad460713cbe55caaf847ca5c010f84fc43628ddd7bf57a4902a07c

SHA512
664a361febf744963099950cab56f7f7a61308203787c99c924a388aaec64aabd8f6a7c405a2c9c964ad3ac83aa21a531ed351b6fa5d51f1aa72022a6ba1c80a

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\mui\ja_JP\resource\splash\hdpi\2x\ent_background_2019_wpsoffice.png

Filesize
236KB

MD5
c5ad1903526a9ca4c2f55cfea1e22778

SHA1
9c7b9ba9100a919cad272fb85ff95c4cde45de9f

SHA256
5e7ba996d2331f37b9799767c0fa806cab9a39fea434796ab08dcaf39096e334

SHA512
e482142e81fbe71666b40f7a2c53702b4278436a0240e0f56200443cf4235d9942cccc3545cc01486d53a0972be553cbf93442e8b05de7b4fcd1fe8a4ec16bb4

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\qt\plugins\platforms\qdirect2d.dll

Filesize
1.4MB

MD5
8b5a5abb3b262e789c4f8f7d9d25ff8c

SHA1
96b498e8fd235bc36e8e232376c51449b462a060

SHA256
cb0c8a75f596b18d33387d0290de6fc67a48e3688ab66cb159d2490884b1a8bd

SHA512
9c70928ea6e743025f0b4fef9dd63589f29d49bd30bb2099bf065f07bdf98b62ad1af64ca461180b2b726388a4b8f03c0a916364f2a2791f23b3084a8f8247bb

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\utility\install.ini

Filesize
499B

MD5
183330feb3b9701fec096dcbfd8e67e4

SHA1
2f43379fefa868319a2baae7998cc62dc2fc201d

SHA256
ac4f26a184114522200169c5f57a0af4498a20d19b7ec6def14dd2c6413eb475

SHA512
643cc197456f15da6ddd6eb904f2b25ad4236a24310d575958c0c8e457a33167e748d21184162502a295fa466c031a837511d4d5348fd67499ede1b60065c471

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kingsoft\WPS Office.lnk

Filesize
2KB

MD5
50ecc74a3f3f41542d670b58032ec8c2

SHA1
2ca515d18d47be20fbba343df5ac5914d7e301f6

SHA256
616a647335084b9e59ebe56838e54f74b312cde09ff181cd97a93ccba122c2f2

SHA512
f7f131178ccba0c55dc1189b850a46170822f1c4d669e973f54a338f0962ebaf76f58517034bdd25bbc12ad2739a21c4139eae5f6172490d4134a6bba63371ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~f78c16b\CONTROL\office6\Qt5CoreKso.dll

Filesize
5.1MB

MD5
71b4e7ca85a286039c5ffd8d051d0389

SHA1
8a95e0099b7e0d06d775e6c9cee15ec203dd35a4

SHA256
f164a74d5bbac341f6468002836338a77570830832f16160925bb09b916a4098

SHA512
f056aa1969f18f0438516261addf6250e18cb9955cbffc4d98dc63a61c033a9fe388089d15e735d6eadea6024b7ee9f2e1ba3c93ac251995a9bde56b8f18ed90

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~f78c16b\CONTROL\office6\Qt5WidgetsKso.dll

Filesize
4.5MB

MD5
5c8512fc5fa68f0d9250e885e075fb9c

SHA1
ede941a739e8d939b88ff4d7c51e8dfbf6dc9ab1

SHA256
32d14be19271a5fbd1ad8b9c15ded3a5ea0f83328501dd46bc617a0e0dc53d45

SHA512
bbe3f5065056c32732abb9f477f4f15e748d13f402ac9925e42af139d451074480f1d094fe3a5ef2c11de856fcbc49a35624b1d56458fe5ae6615695f3b82554

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~f78c16b\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll

Filesize
61KB

MD5
304808600a9acaeee45b9fad21fdd3ec

SHA1
4280554486ed18c973ce9bd42c465aedb0c1f88f

SHA256
682627fbff84bfb713ddb66c1b7a0f0f8ad5b0c9cb70bb6a15196063a074af25

SHA512
e6ef540032f389feff24bdef1b8798fe43568809346de5058172e95d7d1e8da5410fe6f3a754181a5990303300a7ef77fe6db3e07e4490c6793ae84afb58ca27

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~f78c16b\CONTROL\office6\qt\plugins\imageformats\qsvg.dll

Filesize
41KB

MD5
74e38c4452a33394dc8cbd0feaca28a4

SHA1
19fbecf437339c2bb9d3ba85347d65719aad7efa

SHA256
8164c94194e27865e0321b049eb8d7f1110ef6f75205ba0bf93ba6abc2955391

SHA512
0a88b77aec9854285cee96038e18c216f878c04711e5b84e0da23f748dc8c267d99765121f3a7fe16cc865e462958e6e82bf7814cc2f65173a3822b8ad4e5653

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~f78c16b\CONTROL\office6\qt\plugins\platforms\qwindows.dll

Filesize
1.3MB

MD5
46258dfdb49b107d36f98848c76c5458

SHA1
2411ffa67f2a0071c50d65eae9647a5e85a3d001

SHA256
7704cf5e018397af594f7e23becc1f6d7d97a7b864396e8b6eeef7598267f34f

SHA512
c8cf3775230d01f54f866baf3b91430af1cf85275499af29b1cc9b200e211831343a6e665dbf6b0fa7172b3dc05d79f049b13001a7bf70da5c8665862a281ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~f78c16b\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll

Filesize
145KB

MD5
0f5c8b1c2ddb3ed8269b3af87ce137b1

SHA1
7275ab3dbff0e61f2e5a0d30d7e71c444632d540

SHA256
af6b9c0f7d81d90677b504ee5dd78a8b656d09e566e5264dcb6ea45965ac7aaf

SHA512
1d62ce171bd0f57ef2d5a98939a9697a343b3c4806d6eaa4184021ed852aac0758d2ffaaf5d73777fcb95e18f6dc55b42e7c68111f37f06f6352818b7dccf29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~f78c16b\CONTROL\pl_PL\style.xml

Filesize
3KB

MD5
034f37e6536c1430d55f64168b7e9f05

SHA1
dd08c0ef0d086dfbe59797990a74dab14fc850e2

SHA256
183a140011774d955e9de189e7a1d53cb4128d6abed61c7bfd5994268ee5f384

SHA512
0e1911c882152a4e1059a3ce1880d7fb2aed1e1e36cbd37055de2e2a1333acb2a0233ba2a4d969ccebbef1e77809aa5e78807aa9239545beae8c548c0f8f35c0

Download Submit
C:\Users\Admin\AppData\Local\tempinstall.ini

Filesize
387B

MD5
c38481658f9149eba0b9b8fcbcb16708

SHA1
f16a40af74c0a04a331f7833251e3958d033d4da

SHA256
d0d73f49bc21b62fe05c47024d69406a3227da0f6b4ffe237726e6a031f188d2

SHA512
8f98d62f88442b8ef94aa10074e35aa8d9494f3c76ce8b143ca0bf7fa0d917f3175212fbcd6e7b0597fd0ec0e1b2827f157135512fb01c88218d36e2f7dd73ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3HMYX12FA02B7NADRVO6.temp

Filesize
8KB

MD5
1bac23da08564c27c5557001f3cefb8f

SHA1
8b7ec1f3ba528c5376bf0638c451dac19bec1b24

SHA256
0938899e098262eed3b398041c1b345f574e166c4866edf17aff2991f36c79d8

SHA512
f33b32db03085791f5e8dbe190f7756bf4ac9e75121ad349e1ebd11278468692f5d8e706bd68a1b5d803af5b8adab42e606b64aca3ed452ca0f100296e56f23d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\cfg\localconfig.data

Filesize
108KB

MD5
ae989d65efec0f4e2d2fd97f30c96e3c

SHA1
b58905416fc97b05ba15f067f8df9fd927e30a8b

SHA256
634e4b8cb15d6a13c9c4fe0e61d5c988d6485a630cc886f8a7e81ebe7d4cc00f

SHA512
311caacac35446016b47aac3fbe0111af523c1c5281fe9e4d2ca32876afab02fa4636a3c96944956c9202213d80b44593d43044c7e9d22a44fa2bce4eb225e66

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\configs\configure2

Filesize
224B

MD5
d158f1b6a42ef5bd85c480b3d489ee64

SHA1
b11345314c46975068057797f966c65db1a46981

SHA256
b29256fdf0acea9c99ca78a60df6c9c852d93a756076f5b02b75ddaf77ddd14e

SHA512
13c574c158b693a2da156297258975ecd690c6ca422f609ee3aebf0c8d7f2d67bdd42dcbaec480cc0b1798d38b438659a1e4ddb92e75bc0eac6790f8b81e9b60

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\configs\configure2

Filesize
224B

MD5
6511450608e64672d32713f973d4727a

SHA1
b6a48d71c81bf8103af30ae2f68b8a539764eb49

SHA256
f5f210d6bde6ee0a0f8d76513458d24b2e1587ac3e408b99a084fab6ecabaac0

SHA512
98420209a20904edc3ad5165d88dc2a0e6eca364b0fa6fc0e115e259c85fab6783b1d16ab74ed164c077ee40c83e1456193404f593a40f944be1e8b95b1507f2

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\ksomisc\ksomisc_2025_03_28.log

Filesize
5KB

MD5
fa88e0e2f31f94538f01e2b6b4b23960

SHA1
764f5e93909be9e0f74429cb84f1a8217edd2d82

SHA256
cd8777c25f93f90db77c41e9d82aa063b983315a734f10255e087c32a5ae0876

SHA512
528519e9f1dfb46e7dc310ccf3d894a073d3c7aa3d9b81aed5a5256bee20d171e7b6a4f7c4e591ac4a5001ae8cf451cbc2391640fda1a93b5670b969263a1d11

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
11KB

MD5
e3e9f06284bfa5c4e29ca134bd076067

SHA1
722ad5cbc1bf43c78bdb2fbf3f340e64cd6557f6

SHA256
7c2504c3b9567e172079858c666418b5a8e27fa73d0d3ab08ee02d86eb3532d9

SHA512
4a221d959ede7424d90edf058cf66b3f3377ef047b3875c4b638b2d8efb3da3e189bc6bfde43f496f319dd37d6c1fa3b090c3046dcc48b3ed521d4a5cee6b9e5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
b93ebbdb0e0ff6ecd304d0e9ca3f2f11

SHA1
3a9f23c03c25e6399d1472ee93dba01b2246c15e

SHA256
2fe6cbbb591e25ecf477a00d64afa473712bb656d382e2f14b2b6f3b34fc8c64

SHA512
5b211c711486be69a22d4a4335fe2b6b10cfc7d350a33a53c136f4056c9400c8a830b61991dcc032ea70958b5b742754cdc9d3f04e36ae893be1196e939faa3e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
f4121ea2bca49df5861dbf839fc94a9f

SHA1
fb053e74df1edd0228467d32e4a3e76f0f46187c

SHA256
52a47263c495298270be6410a1569761fd82cabbb796ed1ebe814b2d9f0abddf

SHA512
7b4f04b2f3c10f87f18a211536ac095ad2cd07b0239a65bcad6334b87e9529f1682fa81e36fa9398780daa21883511cad75e30bf9d1124d0827f202f8cb780a5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e9434933f44f2f852d7c63b9974b8b1b

SHA1
e08228b742e0f6d8db6e2e20a273a038189f273d

SHA256
d2b894fe897e66dc3db9c04aa45b9f9868f9b01c2d17dee06d9ccc4d95bf02b8

SHA512
25205cea25a01d64531c8ef222144366eb1b43003bd2a6a53135253b380fa88c383818007af0c7b958697625426f2f9313e1108b98a887f3073acde1e8bed88b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
30027a05b4c74a03383e2355b75091f4

SHA1
8ddc4c213f66bc51c8f21b404eedd01ae7bb1c30

SHA256
a26ac73211d04d9cc900b628e50bd838691d90d6194540ad5e76d01a0cc79c36

SHA512
58af9a5d79cbade553f5996e2ec07c9b4f6223e4232d381e109c1f50e95a84f24e2b1cb7bf647712395b99dfb5de6c0de20f4e95e0d76cf2c19603c61de522e1

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
bfb884a619b406ee0bf547c2c75a62ec

SHA1
aafe355c003346e62431f754ed37636d388f755d

SHA256
3cd5102c2f30dbfd5c65ea82450570f93105c5607b371d42941092987006cfcc

SHA512
ab2040b34192ee3a9b4765f6d2577519f650a33619d4eebf071472a268f0fbef1fca2b3330097dfa5a4fd3110611a408ad12f10e1d552f2560ba96f766d03d36

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
38319506b121222715b10ca42348741d

SHA1
a4c0c6a5280f6a6e72ac844018d7c39f5642c93a

SHA256
a156496751d31e5614e068dafc8dbc6caa1401a67201f0a45655d1ca1cd91dd4

SHA512
34c5f96a5000d63309bdf07fdda4c262e5eda5462327aed767ce77d18daccda0faf34d0b5465412317c191237f780dc61ab0d8785563b5328f1046b9b17bb768

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
2d7b6acb210dd0a647887da03d286481

SHA1
07875d92f68c46d0e3fa8f58e8cf8ad590cbbb07

SHA256
82659a7c0bc5c75ea9eda2cf8305a620ccd2b998078567ab6f543e311eed0b83

SHA512
794e67a891973df5cd9ae3e61b86b638b893dee5715c4503d7574deecf894ffdb8afefc473d2b1e3cc02278325e06b1d146bd6b2281f2de8492ca92ad6be27d1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
e7c17d3a2a4d6606fea043c462969ab4

SHA1
ad6c161fc2b3775a0db1be936f3511519ebb2612

SHA256
41dbed1006795386c99fe0bd3de61d4d6ada963f10660c1ebde6e1454903d32c

SHA512
e44c761d878ad3642837d61969afd668b42713883ed03d313af00f611391e8a368b02d1e0087116f49302df21b29a7e3d599fb04d12fadc86733e3a5046f8870

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
283a4b47d62b281861136d30946816b5

SHA1
95514951fe66806c400b7ffc8e13d74efc988441

SHA256
fb8d039585756503ed662750c53fee64c6e69c559d25bffe8386822c58aeabe0

SHA512
bc7f0bef21be51d421c75c5882f1ffa16b07d3b1c333f7330a2b30d91178a7cafe3a3bba6997feb80afdec6c3a7de3def8cb1dd1ba16cee5a14b2444a38b4fd5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
14612f8d4e8d0581fdf4ec04a15e16e4

SHA1
d0e1ccff6d8fb25ac804ce890541852a88efb414

SHA256
33d95be5c127360ade2d348add29c36c26647017c239f24dfd74620b5995e465

SHA512
9c7a4a3e082693dc7de9be46e4d74a69025466b8843b08fb7fdcfa117d76401e3f541ee95dc561c0b13fbca7c52b7931b4d2146e7e8730942db04a05b0e2cf30

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
507a1724c1fae1bebae35b8eafc0ae79

SHA1
dc3bf5c566dedb9e750e273234345e4e4b88f22a

SHA256
0ceac6d5dba7f8ddb14f9788712881d6c23106f2ce0f18abfb5f14cca39f7914

SHA512
c1c0e96ffe3fd444299d0f61bf4069abac90436461c19f71f986e2331067fe4a4db67c03142979a64a982e656ae13e24c0479c2c925915b6142ea0aace2268cc

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
55199c910728a6a286d32c7286f8e927

SHA1
12b14e25dc48c5d57fec6db53fb15fde15064eaf

SHA256
4de6e21434bce56ab426b27695df79eb455456325a2169f3abc69a3630c62eba

SHA512
3f6f25775125adf5b41d9301c0e93fd165a8a46682d398e4b0a49edad280072e70b451f0587118d02834ead77e1dbc024083c06c86651dfb40951284d0fe909e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
b29e6d74bff78cce4afc4d06ead81acb

SHA1
ade01c62cd404776a8974be8959f8f287dd15898

SHA256
3a12bf253d07360016ea825b27d55638053720e58f346725bc5a500891b525e3

SHA512
c00d5a7abd38dafa50e8dcb5ec2dae38e34a8b730511f69bca8864b0c0e59dcb00c16a4ca6da57d0593c5189ae66ba33eebe36065a4e58f9c33aebbbf9de99fb

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
ff32c7aaf87e99a11ab8e45ef4f640b5

SHA1
baa224c6be4218726855f34dc6e930d9e076c06a

SHA256
b151190d470917bcd1341c089a289a18d08deb1ccb161327d75c8e6bdcb5b330

SHA512
b04ed98460f04490234dafe28a740d3b3e91136b87b45c4fdcdccd4740a379c0056c5a9574e7610593e2bf2ca73422a842d0cdc322d1088ccbccf850d31024e5

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
ea45f74c1d8dde65542900061660d4a6

SHA1
d9eacf7d3ecd3247bbaff3dd53edb4d066f96d1e

SHA256
0624e0369ecc98843355bfc1e3863da1a3e5dda9e4eb689e8935074b36aeff65

SHA512
572dfd51e31a0ab464141fb5347f74f5c367b9f16f27b2423609ed63d0fdd0c5ed4ebbe827f10148f4c14753470ec3abfc7456796ed9dbade7ef9d57d1adfc6c

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
fae907a33c3eecaf175a8a3d8c149bbb

SHA1
6dca98204b2ec9130f86a52342e7732178ac552d

SHA256
147e4755ae03c4dd3bb6f8ac7539bcccf776ff66901ece341d7c39c2b36e8deb

SHA512
564d764b4c42e24c1b9b3b40667278b4400f3b724af7d4d80cea0c981f82bfb701dbbff46034dd35e8e2adbb38a49f77b35008811314cf22704fc28117149cb1

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
2a20e4c23b43da34910105f6781e73d6

SHA1
6ae5dedfc631546e73d9b772c85d8fa20c428121

SHA256
ff27ca6aaf547b2fcaeab1ba9cccdfd513d3ae6578e882736c4a42fba6a9a218

SHA512
f2b943ccc4a744b3de62798ee0a370f8aabaff80c556ddf60e340b3c66551c7258329faa86e2f4784bdc9375ac4315f7f00a32fcb6668a620d4107291f52b8e1

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
c3750b1e180fcb733d42e2d88e3fb4da

SHA1
e39f7732cdf189458c0153f98cb5e17e4ac77aa1

SHA256
23c754c51a1a16cd74262848dd96daa99d6b6535a66b49193f0232f2c642da7c

SHA512
ad2167075fa5a3a1733791f33a86b49b93c070f61eae7944cddc93e4758552a5b2550ae1514ff532975606653e59974e6cf06bc175fe822748fc7f24b86c4e46

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
811771034610e93cbd0ae8ff8e808988

SHA1
ee5583381b86da3d68037adb64320ee9ff016aa1

SHA256
5e239120be9e483649a47201d9137e928af7f1a7c707a284db045b6ff4d28966

SHA512
22caabc26c1756deee60e7a1381bd0f485ccf886e2830ba23627527186e1373a3bd6dbf1250b1d71e1c10187286b7586f88d95f002949a96aa932625a84c22d1

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
b726000333f41d04183aba3ae1ccdfdb

SHA1
db45f15de37c9107878dae383ce1ccb4cd03329d

SHA256
9c96dbbddd2dcee38ad27b81d09cc1a4d51e8b90e7d746cdb1260b790fc3bff3

SHA512
0ec40bcb370d7a7b27b25e990cfe25bd2597a1e72c5680158da4f5329d649174e97361f633edab592d8455d6e360b856bcf7b60ab025691a1834cf5a6b164f63

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
9a74147fc4b9c5179b76bf60f66b2ad0

SHA1
256f69ade8050c566f4538c59c419b6e545ef093

SHA256
72cbac2cbb7599f1cceb8337d70071b0a846b632813ac6c0bdd5201ceb4061e8

SHA512
b78f79f9fde603eb2ae345492e3b4df19c5b4c6a24f70d2b5ef1c3c5fb263d0507acb03dddba1af937d43e39f14b4f6e0eb4c86833cd8415167290e003052a0e

Download Submit
memory/112-351-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/112-299-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/264-239-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/264-375-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/360-540-0x0000000100000000-0x0000000100253000-memory.dmp

Filesize
2.3MB

Download
memory/360-301-0x0000000100000000-0x0000000100253000-memory.dmp

Filesize
2.3MB

Download
memory/844-405-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/844-264-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/1044-57-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/1044-56-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/1044-89-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/1044-63-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/1116-286-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1116-313-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1364-184-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/1364-300-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/1512-609-0x0000000100000000-0x0000000100203000-memory.dmp

Filesize
2.0MB

Download
memory/1512-363-0x0000000100000000-0x0000000100203000-memory.dmp

Filesize
2.0MB

Download
memory/1680-47-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1680-39-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/1680-71-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/1680-40-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1740-328-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/1740-208-0x00000000005F0000-0x00000000007E1000-memory.dmp

Filesize
1.9MB

Download
memory/1740-200-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/1740-347-0x00000000005F0000-0x00000000007E1000-memory.dmp

Filesize
1.9MB

Download
memory/1744-196-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1744-324-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1756-824-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/1756-124-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/1756-249-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/1860-159-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1860-848-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1860-285-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2000-95-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2000-221-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2000-102-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2000-96-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2100-325-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2100-561-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2160-138-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2160-254-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2232-251-0x0000000001000000-0x00000000011D5000-memory.dmp

Filesize
1.8MB

Download
memory/2232-380-0x0000000001000000-0x00000000011D5000-memory.dmp

Filesize
1.8MB

Download
memory/2332-381-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2332-685-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2348-183-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2348-284-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2372-22-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2372-19-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2372-13-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2372-119-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2456-377-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2456-652-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2516-287-0x0000000100000000-0x00000001001D5000-memory.dmp

Filesize
1.8MB

Download
memory/2540-548-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2540-350-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2736-27-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2736-36-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2736-28-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2736-158-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2744-577-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2744-329-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2808-1029-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2808-236-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2808-120-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2808-118-0x00000000002C0000-0x0000000000320000-memory.dmp

Filesize
384KB

Download
memory/2808-111-0x00000000002C0000-0x0000000000320000-memory.dmp

Filesize
384KB

Download
memory/2812-235-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/2812-362-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/2996-4965-0x0000000001D50000-0x0000000001D60000-memory.dmp

Filesize
64KB

Download
memory/2996-82-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/2996-4966-0x0000000001D50000-0x0000000001DD8000-memory.dmp

Filesize
544KB

Download
memory/2996-4967-0x0000000001D50000-0x0000000001D74000-memory.dmp

Filesize
144KB

Download
memory/2996-4968-0x0000000001D50000-0x0000000001D58000-memory.dmp

Filesize
32KB

Download
memory/2996-4970-0x0000000001D50000-0x0000000001D7A000-memory.dmp

Filesize
168KB

Download
memory/2996-4971-0x0000000001D50000-0x0000000001DB6000-memory.dmp

Filesize
408KB

Download
memory/2996-4964-0x0000000001D50000-0x0000000001E3C000-memory.dmp

Filesize
944KB

Download
memory/2996-4961-0x0000000001D50000-0x0000000001EEE000-memory.dmp

Filesize
1.6MB

Download
memory/2996-4960-0x0000000001D50000-0x0000000001DF4000-memory.dmp

Filesize
656KB

Download
memory/2996-93-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2996-4946-0x0000000001D50000-0x0000000001D5A000-memory.dmp

Filesize
40KB

Download
memory/2996-77-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/2996-4947-0x0000000001D50000-0x0000000001D6E000-memory.dmp

Filesize
120KB

Download
memory/2996-4953-0x0000000001D50000-0x0000000001DDC000-memory.dmp

Filesize
560KB

Download
memory/2996-4949-0x0000000001D50000-0x0000000001D6A000-memory.dmp

Filesize
104KB

Download
memory/3016-90-0x0000000000400000-0x00000000009E6000-memory.dmp

Filesize
5.9MB

Download
memory/3016-8-0x00000000009F0000-0x0000000000A57000-memory.dmp

Filesize
412KB

Download
memory/3016-1-0x00000000009F0000-0x0000000000A57000-memory.dmp

Filesize
412KB

Download
memory/3016-7-0x0000000000400000-0x00000000009E6000-memory.dmp

Filesize
5.9MB

Download
memory/3600-560-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/3600-543-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/3720-592-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/3720-562-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/3884-729-0x0000000003D20000-0x0000000003DDA000-memory.dmp

Filesize
744KB

Download
memory/3892-605-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/3892-589-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download