ee6cb9454f2a4430b8e4f82eda094645c56a9fa194d872854cbebe2634a7fd29

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-19_8740a387ed73d32e8e736adcde684843_magniber_revil.exe
Size

5.4MB
MD5

8740a387ed73d32e8e736adcde684843
SHA1

66c043c05ea761996c066ac5b847f780c5a9c5de
SHA256

ee6cb9454f2a4430b8e4f82eda094645c56a9fa194d872854cbebe2634a7fd29
SHA512

97a9eb37f96b19678464e4d30bd18291b4652b5383d8f324bea239484eaa153f147f2ee116a58f2b0c4f2a6581f799a7fe1c337043a0bae963d1a84ea1d02553
SSDEEP

98304:EA3utc4HTUfGJeO3ADxzbWtbsTZlVkAh0YdtLltLvWf/EtK:7uc4QjVHWClVkAXLlFIx

Score

8^/10

bootkit discovery evasion persistence trojan

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
79	4372	cmd.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wpscloudsvr.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
File opened for modification	\??\PhysicalDrive0	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
File opened for modification	\??\PhysicalDrive0	ksomisc.exe
File opened for modification	\??\PhysicalDrive0	2024-04-19_8740a387ed73d32e8e736adcde684843_magniber_revil.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	wpsupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	wpsupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	2024-04-19_8740a387ed73d32e8e736adcde684843_magniber_revil.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	ksomisc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe

Executes dropped EXE 17 IoCs

pid	Process
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
4100	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
3684	ksomisc.exe
1904	wpscloudsvr.exe
3180	ksomisc.exe
3064	ksomisc.exe
408	ksomisc.exe
3136	wps.exe
3928	wps.exe
3504	wps.exe
4856	wpsupdate.exe
3432	wpscloudsvr.exe
2884	wpscenter.exe
3000	wpsupdate.exe
3244	wpscloudsvr.exe
5000	wpscenter.exe
1704	ksomisc.exe

Loads dropped DLL 64 IoCs

pid	Process
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
4988	regsvr32.exe
3112	regsvr32.exe
4448	regsvr32.exe
3180	ksomisc.exe
3180	ksomisc.exe
3180	ksomisc.exe
3180	ksomisc.exe
3180	ksomisc.exe
3180	ksomisc.exe
3180	ksomisc.exe
3180	ksomisc.exe
3180	ksomisc.exe
3180	ksomisc.exe
3180	ksomisc.exe
3180	ksomisc.exe
3180	ksomisc.exe
3180	ksomisc.exe
3180	ksomisc.exe
3180	ksomisc.exe
3180	ksomisc.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ kwpsshellext\ = "{28A80003-18FD-411D-B0A3-3C81F618E22B}"	regsvr32.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{0C7FEF07-DCD9-4120-9647-D1CE32F289CD}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wps.exe\" /prometheus /wps /Preview"	ksomisc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{000209FF-0000-0000-C000-000000000046}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wpp"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{00024500-0000-0000-C000-000000000046}\LocalServer32\.ksobak	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wpp"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\.ksobak	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\LocalServer32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{00020832-0000-0000-C000-000000000046}\LocalServer32\.ksobak	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32\.ksobak	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{00020832-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f006500740000000000	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32\.ksobak	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{000209F0-0000-4b30-A977-D214852036FF}\InprocServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\refedit.dll"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wpp"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{44720441-94BF-4940-926D-4F38FECF2A48}\LocalServer32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{00020832-0000-0000-C000-000000000046}\LocalServer32	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{048EB43E-2059-422F-95E0-557DA96038AF}\LocalServer32\.ksobak	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\LocalServer32	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f006500740000000000	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\LocalServer32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{000209FE-0000-0000-C000-000000000046}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32\	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{45540001-5750-5300-4B49-4E47534F4655}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wps.exe\" /prometheus /et /Automation"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{000209FF-0000-4b30-A977-D214852036FF}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wps.exe\" /prometheus /wps /Automation"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\LocalServer32\.ksobak	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{45540003-5750-5300-4B49-4E47534F4655}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wps.exe\" /prometheus /et"	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{00020820-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f006500740000000000	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{00024500-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c00650074002e0065007800650020002f004100750074006f006d006100740069006f006e0000000000	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{00020812-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c00650074002e0065007800650020002f004100750074006f006d006100740069006f006e0000000000	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wpp"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\.ksobak	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{000209F0-0000-4b30-A977-D214852036FF}\InprocServer32\Class\ = "WPS.Office.Interop.Wps.GlobalClass.9"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{91493443-94BF-4940-926D-4F38FECF2A48}\InprocServer32\Class\ = "WPS.Office.Interop.Wpp.GlobalClass"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wpp"	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{048EB43E-2059-422F-95E0-557DA96038AF}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{91493441-5A91-11CF-8700-00AA0060263B}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wps"	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{00020821-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f006500740000000000	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{A1BBCFD9-B54C-443D-BC56-0BC3840120DB}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wps.exe\" /prometheus /wpp /Preview"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wps"	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{0002CE21-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\mui\\default\\resource\\ksee\\EqnEdit.exe"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{00020906-0000-4b30-A977-D214852036FF}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /et"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{00020812-0000-0000-C000-000000000046}\LocalServer32\.ksobak	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{E260F96C-8EF4-4C24-A2B9-455F1D116531}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wps.exe\" /prometheus /et /Preview"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\LocalServer32	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{048EB43E-2059-422F-95E0-557DA96038AF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wpp"	ksomisc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C360CF9-D475-44FC-8163-AD6C95CF5F5D}\InprocServer32	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{3C18EAE4-BC25-4134-B7DF-1ECA1337DDDC}\LocalServer32\.ksobak	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024"	ksomisc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{E436987E-F427-4AD7-8738-6D0895A3E93F}"	ksomisc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}	ksomisc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024"	ksomisc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{AB5357A7-3179-47F9-A705-966B8B936D5E}"	ksomisc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}	ksomisc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\Interface\{91493482-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{00020878-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{00024478-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\Interface\{0002E166-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\Interface\{000244BD-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\LocalServer32\.ksobak	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WPS.PIC.wbm\shell\open\command	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\Interface\{000CD6A3-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.wpsx	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\Interface\{914934C0-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{00024481-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{0002E118-0000-0000-C000-000000000046}\ = "_dispReferencesEvents"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{0002093B-0000-0000-C000-000000000046}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{914934DC-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\CLSID\{00020821-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f006500740000000000	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\ET.Xlsb.6\DefaultIcon	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{000C0375-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{FE0971F0-5E60-4985-BCDA-95CB0B8E0308}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\Interface\{B5828B50-0E3D-448A-962D-A40702A5868D}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\Interface\{9149346F-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{0002443E-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{00020893-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\Interface\{0002E165-0000-0000-C000-000000000046}\TypeLib\Version = "5.3"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{000C03B9-0000-0000-C000-000000000046}\ = "BulletFormat2"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\Interface\{00020974-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{0002448A-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{000209E4-0000-0000-C000-000000000046}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\Interface\{00024446-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WPP.SLDM.6\shell	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WPS.PIC.ppm\shell\open	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WPS.PIC.svgz\shell\open\command	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{000C0367-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\Interface\{9149347D-5A91-11CF-8700-00AA0060263B}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\Interface\{92D41A69-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{914934CB-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{914934C0-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{000208A5-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{00020998-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{00024440-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WPS.PIC.pef\shell\open\command	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{000C0313-0000-0000-C000-000000000046}\ = "ConnectorFormat"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{000209F7-0000-0000-C000-000000000046}\ = "ApplicationEvents"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{000209A9-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\Interface\{00020A02-0000-0000-C000-000000000046}\ = "DocumentEvents2"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\Interface\{914934CA-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.eto\ = "KET.OutwardWorkbook.9"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\TypeLib\{55764DA4-BB0F-4781-8342-D85F1D800ACB}\1.0	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{0002096B-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\Interface\{00020933-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\Interface\{0002098D-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{0002442B-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSAddnDr.AddInInstance.1\CLSID\ = "{AB5357A7-3179-47F9-A705-966B8B936D5E}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\Interface\{91807402-6C6F-47CD-B8FA-C42FEE8EE924}\ = "Pages"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{000244AF-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\Interface\{00020882-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{000CD101-0000-0000-C000-000000000046}\TypeLib\Version = "63.1"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{0D951ADF-10A6-4C9B-BCD9-0FB8CBAD9A87}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\Interface\{914934C5-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\WOW6432Node\Interface\{92D41A58-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{44720440-94BF-4940-926D-4F38FECF2A48}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\KET.Application.9\CLSID	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{0002447A-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{00020848-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{92D41A66-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Interface\{00024436-0000-0000-C000-000000000046}	ksomisc.exe

Suspicious behavior: AddClipboardFormatListener 9 IoCs

pid	Process
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
3684	ksomisc.exe
3180	ksomisc.exe
3064	ksomisc.exe
408	ksomisc.exe
4856	wpsupdate.exe
2884	wpscenter.exe
3000	wpsupdate.exe
1704	ksomisc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4120	2024-04-19_8740a387ed73d32e8e736adcde684843_magniber_revil.exe
4120	2024-04-19_8740a387ed73d32e8e736adcde684843_magniber_revil.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
4100	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
4100	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
4100	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
4100	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
4100	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
4100	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
1904	wpscloudsvr.exe
1904	wpscloudsvr.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
Token: SeRestorePrivilege	1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
Token: SeRestorePrivilege	1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
Token: SeRestorePrivilege	1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
Token: SeRestorePrivilege	1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
Token: SeDebugPrivilege	3684	ksomisc.exe
Token: SeLockMemoryPrivilege	3684	ksomisc.exe
Token: SeDebugPrivilege	3180	ksomisc.exe
Token: SeLockMemoryPrivilege	3180	ksomisc.exe
Token: SeDebugPrivilege	3064	ksomisc.exe
Token: SeLockMemoryPrivilege	3064	ksomisc.exe
Token: SeDebugPrivilege	408	ksomisc.exe
Token: SeLockMemoryPrivilege	408	ksomisc.exe
Token: SeLockMemoryPrivilege	4856	wpsupdate.exe
Token: SeLockMemoryPrivilege	2884	wpscenter.exe
Token: SeLockMemoryPrivilege	3000	wpsupdate.exe
Token: SeDebugPrivilege	1704	ksomisc.exe
Token: SeLockMemoryPrivilege	1704	ksomisc.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
408	ksomisc.exe
4120	2024-04-19_8740a387ed73d32e8e736adcde684843_magniber_revil.exe
4120	2024-04-19_8740a387ed73d32e8e736adcde684843_magniber_revil.exe
4120	2024-04-19_8740a387ed73d32e8e736adcde684843_magniber_revil.exe
4120	2024-04-19_8740a387ed73d32e8e736adcde684843_magniber_revil.exe
4120	2024-04-19_8740a387ed73d32e8e736adcde684843_magniber_revil.exe
4120	2024-04-19_8740a387ed73d32e8e736adcde684843_magniber_revil.exe
4120	2024-04-19_8740a387ed73d32e8e736adcde684843_magniber_revil.exe
4120	2024-04-19_8740a387ed73d32e8e736adcde684843_magniber_revil.exe
4120	2024-04-19_8740a387ed73d32e8e736adcde684843_magniber_revil.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3180	ksomisc.exe
3180	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3684	ksomisc.exe
3064	ksomisc.exe
3064	ksomisc.exe
408	ksomisc.exe
408	ksomisc.exe
4856	wpsupdate.exe
4856	wpsupdate.exe
2884	wpscenter.exe
2884	wpscenter.exe
3000	wpsupdate.exe
3000	wpsupdate.exe
3180	ksomisc.exe
3180	ksomisc.exe
3180	ksomisc.exe
1704	ksomisc.exe
1704	ksomisc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 1896	4120	2024-04-19_8740a387ed73d32e8e736adcde684843_magniber_revil.exe	94
PID 4120 wrote to memory of 1896	4120	2024-04-19_8740a387ed73d32e8e736adcde684843_magniber_revil.exe	94
PID 4120 wrote to memory of 1896	4120	2024-04-19_8740a387ed73d32e8e736adcde684843_magniber_revil.exe	94
PID 1896 wrote to memory of 1904	1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe	102
PID 1896 wrote to memory of 1904	1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe	102
PID 1896 wrote to memory of 1904	1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe	102
PID 3684 wrote to memory of 4988	3684	ksomisc.exe	103
PID 3684 wrote to memory of 4988	3684	ksomisc.exe	103
PID 3684 wrote to memory of 4988	3684	ksomisc.exe	103
PID 3684 wrote to memory of 3112	3684	ksomisc.exe	104
PID 3684 wrote to memory of 3112	3684	ksomisc.exe	104
PID 3684 wrote to memory of 3112	3684	ksomisc.exe	104
PID 3112 wrote to memory of 4448	3112	regsvr32.exe	105
PID 3112 wrote to memory of 4448	3112	regsvr32.exe	105
PID 1896 wrote to memory of 3180	1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe	106
PID 1896 wrote to memory of 3180	1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe	106
PID 1896 wrote to memory of 3180	1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe	106
PID 1896 wrote to memory of 3064	1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe	107
PID 1896 wrote to memory of 3064	1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe	107
PID 1896 wrote to memory of 3064	1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe	107
PID 4100 wrote to memory of 408	4100	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe	108
PID 4100 wrote to memory of 408	4100	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe	108
PID 4100 wrote to memory of 408	4100	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe	108
PID 3684 wrote to memory of 3136	3684	ksomisc.exe	109
PID 3684 wrote to memory of 3136	3684	ksomisc.exe	109
PID 3684 wrote to memory of 3136	3684	ksomisc.exe	109
PID 3136 wrote to memory of 3928	3136	wps.exe	110
PID 3136 wrote to memory of 3928	3136	wps.exe	110
PID 3136 wrote to memory of 3928	3136	wps.exe	110
PID 3136 wrote to memory of 3504	3136	wps.exe	111
PID 3136 wrote to memory of 3504	3136	wps.exe	111
PID 3136 wrote to memory of 3504	3136	wps.exe	111
PID 4100 wrote to memory of 2952	4100	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe	113
PID 4100 wrote to memory of 2952	4100	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe	113
PID 4100 wrote to memory of 2952	4100	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe	113
PID 2952 wrote to memory of 3780	2952	regsvr32.exe	114
PID 2952 wrote to memory of 3780	2952	regsvr32.exe	114
PID 3684 wrote to memory of 4372	3684	ksomisc.exe	115
PID 3684 wrote to memory of 4372	3684	ksomisc.exe	115
PID 3684 wrote to memory of 4372	3684	ksomisc.exe	115
PID 3684 wrote to memory of 4372	3684	ksomisc.exe	115
PID 4100 wrote to memory of 4856	4100	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe	117
PID 4100 wrote to memory of 4856	4100	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe	117
PID 4100 wrote to memory of 4856	4100	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe	117
PID 4856 wrote to memory of 3432	4856	wpsupdate.exe	118
PID 4856 wrote to memory of 3432	4856	wpsupdate.exe	118
PID 4856 wrote to memory of 3432	4856	wpsupdate.exe	118
PID 4856 wrote to memory of 2884	4856	wpsupdate.exe	119
PID 4856 wrote to memory of 2884	4856	wpsupdate.exe	119
PID 4856 wrote to memory of 2884	4856	wpsupdate.exe	119
PID 4100 wrote to memory of 3000	4100	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe	120
PID 4100 wrote to memory of 3000	4100	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe	120
PID 4100 wrote to memory of 3000	4100	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe	120
PID 3000 wrote to memory of 3244	3000	wpsupdate.exe	122
PID 3000 wrote to memory of 3244	3000	wpsupdate.exe	122
PID 3000 wrote to memory of 3244	3000	wpsupdate.exe	122
PID 3000 wrote to memory of 5000	3000	wpsupdate.exe	123
PID 3000 wrote to memory of 5000	3000	wpsupdate.exe	123
PID 3000 wrote to memory of 5000	3000	wpsupdate.exe	123
PID 1896 wrote to memory of 624	1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe	124
PID 1896 wrote to memory of 624	1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe	124
PID 1896 wrote to memory of 624	1896	421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe	124
PID 3180 wrote to memory of 2156	3180	ksomisc.exe	125
PID 3180 wrote to memory of 2156	3180	ksomisc.exe	125

C:\Users\Admin\AppData\Local\Temp\2024-04-19_8740a387ed73d32e8e736adcde684843_magniber_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-19_8740a387ed73d32e8e736adcde684843_magniber_revil.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Users\Admin\AppData\Local\Temp\wps_download\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
  "C:\Users\Admin\AppData\Local\Temp\wps_download\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe" -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -curlangofinstalledproduct=en_US -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Checks computer location settings
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
    "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService
    3⤵
    - Checks whether UAC is enabled
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1904
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -installregister sharedMemory_message_E581B15
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3180
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins.dll"
      4⤵
      PID:2156
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins64.dll"
      4⤵
      PID:3736
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins64.dll"
        5⤵
        Registers COM server for autorun
        
        PID:3428
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -sendinstalldyn 5
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3064
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\html2pdf\html2pdf.dll"
    3⤵
    PID:624
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\\office6\ksomisc.exe" -defragment
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1704

C:\Users\Admin\AppData\Local\Temp\wps_download\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe
"C:\Users\Admin\AppData\Local\Temp\wps_download\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe" -downpower -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -curlangofinstalledproduct="en_US" -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -msgwndname=wpssetup_message_E578B58 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~e578676\
1⤵
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:408
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kwpsmenushellext64.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\system32\regsvr32.exe
    /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kwpsmenushellext64.dll"
    3⤵
    - Modifies system executable filetype association
    - Registers COM server for autorun
    PID:3780
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe" /from:setup
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
    "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
    3⤵
    - Executes dropped EXE
    PID:3432
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe" Run -Entry=EntryPoint "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\kwpsupdatemindbubble_xa\kwpsupdatemindbubble_xa.dll"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2884
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe" -createtask
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
    "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
    3⤵
    - Executes dropped EXE
    PID:3244
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe" Run -Entry=EntryPoint "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\kwpsupdatemindbubble_xa\kwpsupdatemindbubble_xa.dll"
    3⤵
    - Executes dropped EXE
    PID:5000

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -installregister sharedMemory_message_E580C4F -forceperusermode
1⤵
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins.dll"
  2⤵
  - Loads dropped DLL
  PID:4988
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins64.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3112
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins64.dll"
    3⤵
    - Loads dropped DLL
    PID:4448
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3136
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe" CheckService
    3⤵
    - Executes dropped EXE
    PID:3928
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=3136 /prv
    3⤵
    - Executes dropped EXE
    PID:3504
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Blocklisted process makes network request
  PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\Qt5NetworkKso.dll

Filesize
1.1MB

MD5
c2d146a5359002a751ca8ac02a2af3a7

SHA1
847b3cb0ba52fe77869800accba3feef4486c2a5

SHA256
e0daa77458e3833d7dc90dc571dfe576aa08e0f7f7d9bd2ba35bf01e534d5eae

SHA512
de84d24894f829f72562c848c64dc7d43556f4e93706b602ff9f6d891dc8757691e0f742dbbb8125eebd069479f56f0cf7af8c04db286187f87b0eb3caa2603a

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\Qt5XmlKso.dll

Filesize
169KB

MD5
c84af4b704317c999fbcae4bfbc0d160

SHA1
18878298def296c5dd9cb62ec12f2d7603d2d0e7

SHA256
b1931aeb9a2b5af056a6875314c85e2936150bd61f536cf8e9a92424a324a29e

SHA512
5c60dd4f6f277543cd68d12f6ecbaa14a58fa2b6dccc111478bf6e633737f9bad072510e7250c698674baf765ebf21d8e07e4b4b74633dc0467b1a8f3e83b2e0

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\kconfigcentersdk\kconfigcentersdk.dll

Filesize
332KB

MD5
a889bca455720ef0dfa30338d1a37018

SHA1
c49bdfdd1ce19178cb1aa83efb9f92975b1a9d25

SHA256
3f4e26bc93d7fc1cc54100c319a2b9d8fb83088872769b78e814980fb6f1e005

SHA512
9b5c8fe20debb59833f06edac5e984d53fa74f9999ffeb92b0c0f9350d3e13286e680a561bc139e5cca97e5e52a71a0f7e18cef38ba190055b186284260b20a7

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\kmodule\kmodule.dll

Filesize
110KB

MD5
502c4322fc360fd8cc90f59ac863c1a3

SHA1
609a71a48653b68576a539a3c44ec29f50b589a2

SHA256
0f40c5c4d1566d7f71b122c172d4906e98190fcfc88f31c9fbebd3b4d53d6058

SHA512
49872e6efdd63ce7ad42232dc576ac3500dc3d2f2cace4aedfaf2ab9f2af78b80defa424586dd85122b8d88bd898c3f2f72bcb0bf6ee12f611698f4f4029b2f3

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\kwpsaigc\mui\pt_BR\kwpsaigc.qm

Filesize
334B

MD5
2b42be10ddde43a0b6c2e461beae293a

SHA1
53888c4798bc04fdfc5a266587b8dc1c4e0103f3

SHA256
984ebeef80f6f50907afb92e5b5ae72df49fce045552c118a77a8887cc98e19b

SHA512
be3ebd02d37de367200696351fb5f9cd0ec4c206c3a33f281cb8b62386457a30a899322798c63a0d495577393e47258994feb7f8e2445645f552c2b7a2de6778

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\pt_PT\history.js

Filesize
198KB

MD5
b4b4c703bf5c6c0b5e9c57f05012d234

SHA1
929aee49e800e88b4b01f4a449fa86715d882e42

SHA256
910eada285d4900ea8e36faf305f731cfb200b317ea866839f5f4864a9dfc09b

SHA512
2afa881ee2f47e97249904b506cf88d68a34c166d9dc0a603f68369e640336f2c0b424ecb7b23d4631a96e175b965478bfa4ebc0224b0410551e55ac4c8ad0ec

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\cfgs\oem.ini

Filesize
67B

MD5
223673e5e8d77083765b70ddf7a0f7f6

SHA1
3b5c4d6304ed6ada0ec607f44a2aace24ec16126

SHA256
9089b4fee2d7596812c52f11dbc9855ca5b2b1ff0a9dc237fe630722b10ddc82

SHA512
62f5a40fc698de593bf29c3ab4d278d798bdc6e65693ca30f85506c95f408f17a00da048e42a23dd5702fe322066a87374cfeb0942d15f3fc791639aab924f52

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\cfgs\setup.cfg

Filesize
433B

MD5
1c1eb59705cc6888811f3019aa3be6dc

SHA1
561a22bb405b8e77cfa062dcbb8ce2589b23bd46

SHA256
82602748b45b6a64ac854f1168604051292f8c14838b9dff5a804138f21600dc

SHA512
17ceae557b779ab759e741a5bffbee50d35fbd1ab76bfb36c5c28d4bc33155f9e719a5eabf9593083593fbfa7f3037fd1621553fbf8c5ea391e8c82be118103b

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kbase.dll

Filesize
55KB

MD5
575b0151a48a719119888cef4f7fca12

SHA1
f39c1765f8edf0105722e1443c24de32e25d9de0

SHA256
a789830df17282311db67dae1130e95988b78b1942667b5b13f2ef9e96c0ac2b

SHA512
9831cdfcad069880ba6a772c078d2285bd9a44be80a8ad91df2d01120fededd0526c7ad5a74b78a7cd731b3e54df16ee4f1eaeecb3cde07a1c944aae98920a07

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\krpt.dll

Filesize
86KB

MD5
1b75b61532d7793afd8f87ecf476e58b

SHA1
ab906eb2a3f0d18fb77ef6ecaf91550f23cb951d

SHA256
9472440cbcac55b57f3bba8d166e051d81447097496bd51af86b5d943416d74b

SHA512
8ee2d375d1370286c976758c793dcdc9c5568a6f91cbe3c667820e8dfc95a609402ed3d054fad56acd2d4fefc106e0ac9a627b2c26120a2b9d13b7ce99fc6172

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\krt.dll

Filesize
947KB

MD5
dbb70fbe46aa5c9a1c174e56a43f4068

SHA1
e2f0f0f2306cb863cbde6228660a17a98e632bf3

SHA256
3e487777a70672ab2792510e39925e6ca96593394cb02c94737d1d1d648a2ced

SHA512
82b586c10248ba65445eaf23418ce68b1f52266d855c2514883d73a04e36baa42773f61018e042406f05d474cf8f7d697802362da21125868c80c62385a81d78

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksolite.dll

Filesize
9.3MB

MD5
152a690c0d8050b22bde17abd3806345

SHA1
38fd488acab1dbdcc66d88ebec03215c1f0ede85

SHA256
4347c6c4c88c47306731390d5f6085f86eb9d9e1dfcc0058daf8a9efbbe912ed

SHA512
e6558db247c05c7843ca050b3ec1bb3d533d5d1597d2fcab36c5eafd621f62ff280d759d6856ce75ed96dd6dbb0127a19a4ee64a0dc58131cfefe57b88404798

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksolog.dll

Filesize
211KB

MD5
bb63628c0cc81ff45adb3214342e066e

SHA1
5bb812cad46effac16d0def3eb7014a1f6d3a8b6

SHA256
e796227cb887b8b29d0530817ece2290f42ea491b11561ecdb2ad705e43f67c2

SHA512
a090823be81e4d300fea093be7680b12a9970890de64f27af83375bdf5e869c2d10fb2d3d10fa991ce113c6186e30dc59855b1dedd0c5a399b517a3e7841fe6d

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe

Filesize
3.0MB

MD5
20704171f1c20337f7348ae4dab809bf

SHA1
c0a8e284cab4e843bfd9cea49e221efabc971596

SHA256
03d1cf8f9801abf3f1a10ccba0a3b64f38ee209b4ce84c0b8e6bc72c35f61a7e

SHA512
47b791b8e8ca250f041390a72d0d0bdf4ca3115cff579e649eb45181b2d898dc664e7d53273e46230440b3428c613bc30fc7a6818bbd17daa635e2ef5e0e1b0e

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\mui\ja_JP\resource\splash\hdpi\2x\ent_background_2019_wpsoffice.png

Filesize
236KB

MD5
c5ad1903526a9ca4c2f55cfea1e22778

SHA1
9c7b9ba9100a919cad272fb85ff95c4cde45de9f

SHA256
5e7ba996d2331f37b9799767c0fa806cab9a39fea434796ab08dcaf39096e334

SHA512
e482142e81fbe71666b40f7a2c53702b4278436a0240e0f56200443cf4235d9942cccc3545cc01486d53a0972be553cbf93442e8b05de7b4fcd1fe8a4ec16bb4

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\qt.conf

Filesize
271B

MD5
351fdc16f8e5ec3105aeb289397a06bc

SHA1
115bcf3e66703597ef4fb42acbdf3be37fff221b

SHA256
b54bcf83fa006bf38dc845507e31dd5ae559ed68d45acc12ae1561142661a7d8

SHA512
4cb802df20b51b5bac7ac78f983c191c9c81541204b7ee30683ff55f65694926d144b8003cc504e9c8f16da92ef5d17d5d904050e7915a6615f7c62abec38cae

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\qt\plugins\platforms\qdirect2d.dll

Filesize
1.4MB

MD5
39f7a2e4e5493a25ff8597413372d8d7

SHA1
4dab1118b5b962f1dc89fa29c5f10c8bd7d1fce1

SHA256
6b9428e6c7563b32481cb9bbb15e9126376bd123b213b94b6cdf82409a5b57d8

SHA512
80063b8e9f8e328e8746f6f8b9c73bafb0bfd9c89d0743da186de193c3676d7702fa1ecd82fa547d5628f4e4b96c3869bb7521f25bf2843d260dc0339480147a

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe

Filesize
957KB

MD5
2ce8dfb2a53e622411af4f8078d1535f

SHA1
ec2e4fa3911958d1ff23ed65b0b0f97e2aff7225

SHA256
90331a4a32a588f26eb815ee41f3f21d6e8d4c97bb6e33736e536e263f8bd747

SHA512
d6383ec1ae71a9a79f21dcb0a8bf7b75f2ed027cef756fb7cff2be35f02d220c8cdf9008ef7a6f938490490254a6d5b446480cf05a86b8afe5c1fc13c9036882

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\utility\install.ini

Filesize
131B

MD5
3746c469eb78f50072db8e0219f1fe4f

SHA1
17af3f74c1aea1bbbafdd81bd213367d95174ba7

SHA256
a88dfad8147fa0a44027236b54cd6241b6e543b330d354601d2d6eba8296a41e

SHA512
e2401f2d8bca4540c6214efea26f571a44fe1f0e0ac59da8e2d5a889da90083303a30dff3b952243ee9928a6488d37f980356da0c6adf1168e3e7230d48da1c5

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\utility\install.ini

Filesize
499B

MD5
183330feb3b9701fec096dcbfd8e67e4

SHA1
2f43379fefa868319a2baae7998cc62dc2fc201d

SHA256
ac4f26a184114522200169c5f57a0af4498a20d19b7ec6def14dd2c6413eb475

SHA512
643cc197456f15da6ddd6eb904f2b25ad4236a24310d575958c0c8e457a33167e748d21184162502a295fa466c031a837511d4d5348fd67499ede1b60065c471

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\utility\install.ini

Filesize
530B

MD5
0be87878bccdc39958a0406f9a33ef7d

SHA1
79cfa6a1f07b531fb7faf1be0352cf96333ac909

SHA256
23a9e27273dd180b16aa64cbc23502885ddbe2c1608509fc28cefdc19e2353b9

SHA512
f48569f8f9163a47473f918b533fdf36347ae0ed751a27025c20eac3cc2bf3be342844ced15774fabddf4232433f9a37c487bbe11bda509c922602a06dac92d8

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\utility\install.ini

Filesize
675B

MD5
d611b427e4eaf043e4424ffd4a9a4068

SHA1
24fa7bf692b3388f6677a1a491df9946f50daac3

SHA256
c6e4c4974dfd3be43c7d20d5537a89f05f402828cfe944a23a8f0e2dd6056bc3

SHA512
9cf2df5ebf35e916432d16c8076f02120c4f6f39b20d2d9e0649422d71ba0868e14e55b68414629ff1eb310ef2ec2105921d11806f8e82029eba310ab91949b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kingsoft\WPS Office.lnk

Filesize
2KB

MD5
03a68583fa3b1349664a3ab1cd3f28cf

SHA1
7304f095be0893ad322b80dc2bc010e52e764da5

SHA256
6a2cf19506de776bd8d3affcf5ff16afe6fe43f5b84609d17e31b661e0021bea

SHA512
1ab0130caa6bacf104a6a752b34ef17d941c5d73c2275c8273a663bf2569c12f1dc102a18389a9686ff94739f945911967fd6c55ad0b4c46c6e88eaa0c780002

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e578676\CONTROL\office6\Qt5CoreKso.dll

Filesize
5.0MB

MD5
677bc25f723c163aeb9408490bb6b782

SHA1
98f6ca86cd39c974083e4db1b0e193260cf46830

SHA256
87602cf0eeb30d81ad5b257c83931959e8d841e07ee81cdb093092b267c21abb

SHA512
eafacc95444a89448396cb94a52628bb573d562429f4368552d4bafc5323333ddd7473fcf315e012b768fe92ced00ad20c2f5138dbb1eb2f560020d5a1ffe7e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e578676\CONTROL\office6\Qt5GuiKso.dll

Filesize
5.3MB

MD5
0849984cff99db55aba5d085efba5d0e

SHA1
802cdd8163ba992b206c0331b4fb4644bd7ff562

SHA256
e277f4876e73b81abbd09f6f1f5965adf50a458ebd3dcddd98f3f8a145a0f875

SHA512
cf6295bed846c41e899446ec8520a6ed1d7ca522b092bf234aa7912b8797a519501c5fb519b6888a65516c5923b74ad6674bd009c7672880fbb27762b1426b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e578676\CONTROL\office6\Qt5SvgKso.dll

Filesize
378KB

MD5
e654635510b1aa9482796b2e543b6f9f

SHA1
d3e85dc5709ff4013c9904eec579cc268bcc843b

SHA256
8443816d6e933358cdfaa82ac3e75758347d31d02a0ea23c71899c875b2069d9

SHA512
3b119df0b7d058f47834259a907ae3e132936d2897dbc178eb425a16948c47c15f5126eff3cc5ef306b2ba967063dcf7e5d0066c9102aeec214b12d692d0be8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e578676\CONTROL\office6\Qt5WidgetsKso.dll

Filesize
4.4MB

MD5
5545333769aa479ed5e4f23f40fccd99

SHA1
c216b59399217290e9f579c1521f0b724d24bf0b

SHA256
a076e1fea2fa579e647968a25c96c7a472d279883fdf25a0dc6345ed6ee5829a

SHA512
e3520b4e544e0b3a3d9d2404d63423968b8c5e3426e88ca71e2d1743520e6ec81464baa2b01fc6199e1004d5496c7d49944d7b4cea84edab384decab3a27202c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e578676\CONTROL\office6\Qt5WinExtrasKso.dll

Filesize
445KB

MD5
523c6a8629b886557c7fe84bbc1786a5

SHA1
0dc9d1fde374d9d5f36f78301d2ceed757ab442e

SHA256
1f3f02f173bfdb534b642e54356d4ea5a9f95a50d8cd49f45b5d30dc8e77c854

SHA512
bbcd8c1bbd3a02ea3e535ccf27f998a51885d05202331a5387cd76abee16247bc8ed63be08f9fe445ca4622a59e85bb7b20cd9f7b622937a17e93247e8585082

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e578676\CONTROL\office6\dbghelp.dll

Filesize
1.2MB

MD5
dcd7b4b0bd0fc4c5f243c1a95cdc040d

SHA1
573a66056afd4c069d3a9e62bf3b68c7d7e4fcbf

SHA256
9e6ed09af796b01f6ac2bcfa210be10558effe750ad41b8ca852bf8de2a25ea7

SHA512
ff336d34dd5146bfe624de62c59cc77eae39489d5fd1a79a1f42bbe4787549c13613463d56a8433a9dcf2d991aa078e20ced695a960d3f056137e845f15b7849

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e578676\CONTROL\office6\kpacketui.dll

Filesize
2.9MB

MD5
24c1c69547498300c8a9fef3d49d1f5b

SHA1
54adfe188efa56fc52438513692c1306f2f23e52

SHA256
c548c442d41c9ebd90fd22f4248097c857455f05a51125f00f10ab8a2e058cd8

SHA512
7693251d2dcac0efc8156a94957bf4be9492f3e179692fbe82c30d9fcc6e37771b79f569024a21545299cbc2081aefdd544388b42d635d99f0ff7c7fcdab20ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e578676\CONTROL\office6\msvcp140.dll

Filesize
439KB

MD5
5fd0772c30a923159055e87395f96d86

SHA1
4a20f687c84eb327e3cb7a4a60fe597666607cf3

SHA256
02c7259456eac8cbadfb460377ba68e98282400c7a4a9d0bf49b3313ef6d554d

SHA512
132a9b969104c0a214bde3f8c6e8f754d116cecdad55224bbea7a40cffd98f4e4de503d83d92cca0aaab9ed51c9efa00ad5caed69a9eda71013598a43b161c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e578676\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll

Filesize
61KB

MD5
c86cfa96b6bc8d403cc27fe4bb901394

SHA1
c7abcc4df6b149ce9fd04597bab5a2a7d85b53a9

SHA256
ebfe0b2f1ec1d2330329f533d27225a7dde70711b718b71638aab753727f4fb1

SHA512
19ff68d0e52e856178974e6af89269bbcbd47090caea7964c3c1e8fdba0d340a730b6415aba17c1a66cbf685de8b76a98fd68aaaa78c887e9298c187579e118a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e578676\CONTROL\office6\qt\plugins\imageformats\qsvg.dll

Filesize
41KB

MD5
daecfd1742dfdb76c6a5663c8b3577c5

SHA1
4857af5fc2c4b780b325682210873748448d9e76

SHA256
550f635c1c6610b07af9177df139b914d1f42299ed8f75f2dc0f9ac3e2a96294

SHA512
97848b03260c4306f93339096c4e2d0c5e20715580267c29a1fff16df1056f11662dd2e21bbe85a34d2b07f9806820d1badd043065692699db622e6dfaabd02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e578676\CONTROL\office6\qt\plugins\platforms\qwindows.dll

Filesize
1.3MB

MD5
07e26db5ff3902a3f6aa4804d030982d

SHA1
dfcd419b7d1f52d55f679316110e77c66bf2d289

SHA256
0d55c384a68fd74df4034250ad60e04de00f072221e95d79ed71a0373db224b9

SHA512
d9d7576f20664600d44f63db99ef23d7a5d03d85d4e7403d4787ee709d63665e52e35f0e2e8abe4c2a5c4db040bd0de4530ff2d87d3fe9ae2df2abaa433e11a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e578676\CONTROL\office6\qt\plugins\printsupport\windowsprintersupport.dll

Filesize
70KB

MD5
12f25aa0d20ffb93e3090157102e08bf

SHA1
5a6144e0b6fce079a83becb5c1f81a0f719a5e99

SHA256
e5f45a8bd92387d17668e5d792604818de865b0113366006658ca4a64d1c87f0

SHA512
884de26e86eccee05b7c7a56f2848f18e6cef783b80d704c89189cb8fff6e4edd258b64d3ed69db9ae40e2c1131b0a251af741d86fed58b8ecf10a9401762ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e578676\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll

Filesize
146KB

MD5
b6753bec77430c645682c3b705b6cc13

SHA1
ac523c5a8ba93cdcccb626b359cbb061d45528ec

SHA256
cd950cc5dc9cb3d6634c93c53d044021df14460b7ba25464a2f23389e49ae10f

SHA512
f753c6f3945c3b85460486309bf8d63aa8432fc6acd9be5808f1fdb8b79effcc518245054b14ba0acbe3397145facad3a30d576149dffa344a2823d58a2149fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e578676\CONTROL\office6\ucrtbase.dll

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e578676\CONTROL\office6\vcruntime140.dll

Filesize
81KB

MD5
e51018e4985943c51ff91471f8906504

SHA1
5899aaccdb692dbdffdaa35436c47d17c130cfd0

SHA256
ff9c1123cff493a8f5eacb91115611b6c1c808b30c82af9b6f388c0ef1f6b46d

SHA512
2fe5ddad2100aeaea35398384a440ba0be169ef429f7e0b69687bc0f8865df41bc93fc80d3a8f0ddd9df54fc2f2d76b1056a1d1962d37432704c818128ffbd74

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e578676\CONTROL\pl_PL\style.xml

Filesize
3KB

MD5
034f37e6536c1430d55f64168b7e9f05

SHA1
dd08c0ef0d086dfbe59797990a74dab14fc850e2

SHA256
183a140011774d955e9de189e7a1d53cb4128d6abed61c7bfd5994268ee5f384

SHA512
0e1911c882152a4e1059a3ce1880d7fb2aed1e1e36cbd37055de2e2a1333acb2a0233ba2a4d969ccebbef1e77809aa5e78807aa9239545beae8c548c0f8f35c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e578676\CONTROL\product.dat

Filesize
111KB

MD5
275e4919bf12383eeaae2e35f1aedca2

SHA1
d63a89631852f77f4de039ee5ffd8b46b10e044c

SHA256
d8dc6cf4f19c29825a6da3b4ec663e36de45b1cc17b9b410025b10725f170072

SHA512
b0ca06ebef74c65e7ea7b1d0cc4c250f45134e195a822f8614d6ccb397805166b0399f4057d561e39ea996ab94a7dad40ed637766b781baad3db9af9926f6a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps_download\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.500.2086.exe

Filesize
225.0MB

MD5
d54254438c5c1d2c3cf234e583ed6c97

SHA1
becbb2ef95317e5f8ae5782538364aa58b9cb980

SHA256
317debaf5cd447549e448e6b929b3e2ea5ae54864b35dbb18833e7a87e6a1636

SHA512
6087b1ea0e3ce1f0daeca7c42e28dfc88db80a9aad48bb7f94e736be309bd78074d4ab06ec057fc88a198f8998cc51fc08174e925ca44c54cf7b2fffeccd8da8

Download Submit
C:\Users\Admin\AppData\Local\tempinstall.ini

Filesize
387B

MD5
c38481658f9149eba0b9b8fcbcb16708

SHA1
f16a40af74c0a04a331f7833251e3958d033d4da

SHA256
d0d73f49bc21b62fe05c47024d69406a3227da0f6b4ffe237726e6a031f188d2

SHA512
8f98d62f88442b8ef94aa10074e35aa8d9494f3c76ce8b143ca0bf7fa0d917f3175212fbcd6e7b0597fd0ec0e1b2827f157135512fb01c88218d36e2f7dd73ce

Download Submit
C:\Users\Admin\AppData\Local\tempinstall.ini

Filesize
433B

MD5
a9519168ca6299588edf9bd39c10828a

SHA1
9f0635e39d50d15af39f5e2c52ad240a428b5636

SHA256
9e87b2ff306efedf7bf1074749b4602c332bc825aed80721eba19d5f544d2ec3

SHA512
0607eb1f5598320961fbd8ef75beeb1b6dc1af3cae7eeb5ba352f3e2a2edb25e1d9e68fb46c24e4299957352c0c906314c889c2d1092437eccc1d1a0485f3557

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N8UK4QGBTISRRLB43I08.temp

Filesize
8KB

MD5
6d69406517ddd037aa4141f4d1156520

SHA1
ffcf908557966aaf47baafeeab41dfb4b353268f

SHA256
640e20866f21b50b251f51ef1f4bbf73f64adfd5587f1498fc12a5d109c9152f

SHA512
90e6b1adee861f767273d20a3c873a97f0bc0001375898143abfe4d37e97983c600e873bd3d9853b9cdf759cdbf6cbf7147eb2f042517704ce58a0f0ff201610

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\cfg\onlineconfig.data

Filesize
904KB

MD5
ab43ffea65e271394e52ae3512df8682

SHA1
358a4ae4fbc161d7a6ceb4fb0e7c328af2ccd1cc

SHA256
db640debebf395ca62855b89ffc1673e288c8c1aaf1b3222383e5bf8189a2687

SHA512
1cb1e386fa5fe5ad5c2ee12f8c1f3fe68372e7884b36446cc1a85a385ae29a4bf9845b240204ba9cc5756930929b199570fd2497340433267a3223422d635a6d

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\ksomisc\ksomisc_2024_04_19.log

Filesize
4KB

MD5
7fe1d6732ff645fd67bd183fed92995c

SHA1
d961244e081db239cfcb0dbbe268f103dffcc812

SHA256
4930c19a271d6abf6a12b405949e62f4466dc401e03f9440c5b2f1c3275e4bd8

SHA512
1e6b784fc33d7ea5b8c3f750a2ad39ef2e11a5d32a06378416b77186257dc28ee8361c7d3edf88062f587ae34696f89fdd37e4204585667bdc9afab579fa1db9

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
11KB

MD5
3e2c50375bbae27b19f5368764041bea

SHA1
c28f543d48e556a4b9733a7fac88b0ada8f59dc3

SHA256
89f177cc57b097cbac87d4368e0d916246af71fb0940ba829d7e7d5031f6aff8

SHA512
49c07ce98d9c90c701e094a3b4274481bebad2b00ece27d7a6061da7fe898df2eb484c0161b7562dab6b13cd03b6876700f71477744fbb4a76d927b3cb1fe50b

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
12KB

MD5
228975e718433695124d0e01734132a7

SHA1
d28f89c11fede3205c729beecac357466d1d0907

SHA256
a72cb74f358b8addbc7579f6ae021933e9296195e45218c395edeb808c4b6ad7

SHA512
a22dc45d30496b1ae9a30fd500bf89acf70b61cbd58d7ad2f97ec470da0fe38c8b7610e392dcc0621878c9faeac21fe3037b406570aa61d138e54178e724ac2f

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
30KB

MD5
85992f6ef83d718f502fbdee0264f1cc

SHA1
8ce4fe505a2d138e9bad3df023c7b088a00c7217

SHA256
610dfd0bdc7ca3147b7a9d6f5cdd6bb6a53947deca69f15955ceeab0c7a42873

SHA512
5e2ffae48959b28a7cb68da417cd9043c87e4959eae1a4f2d0b19c08cfd4538764d16c5f7afbedf5f399b83771442f84ea671b845c8b6096e985d0717de213d0

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
48KB

MD5
e66bb2ea549cc88e16fcaf83305f91b5

SHA1
884ba445cd217d9cc359346d972e3466b1efc152

SHA256
053eb554c6c7e33a3a83ff42cea2be5d603f1f78bebfe4c2a8b674024c3bd5d4

SHA512
d0f48e5780bf1fdd3e08eb02d63bc478d6de721e8ae93339ad0a94060573b1352a6ae7a8726dd3f925047d3d3011d313d8b3560fe4ac51bb1df561207ee24c2a

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\plgpack.plgx

Filesize
5KB

MD5
e2b6cb7fe2e97892f26df066f992379d

SHA1
1a4b2455e80b56ca81424721c75d3339c6f38687

SHA256
1719fac1e9d041c6415da83cd7ad93cd31d38d2260432d5535edf9ae56ce3316

SHA512
3462d3afd4dd54d4b8fed262e48cf4359683d30351641f4cf94e07f47bf157210f734744a8522888d30a3ba334a32d2cd11a49b352ccb61c9214e9d51947f94e

Download Submit
memory/408-4245-0x000000006F550000-0x000000006FE99000-memory.dmp

Filesize
9.3MB

Download
memory/408-4311-0x0000000076190000-0x0000000076280000-memory.dmp

Filesize
960KB

Download
memory/408-4242-0x0000000076190000-0x0000000076280000-memory.dmp

Filesize
960KB

Download
memory/408-4276-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/408-4248-0x000000006C300000-0x000000006F2F6000-memory.dmp

Filesize
48.0MB

Download
memory/408-4243-0x000000006FEA0000-0x000000006FEB4000-memory.dmp

Filesize
80KB

Download
memory/1704-4658-0x0000000067A40000-0x000000006AA36000-memory.dmp

Filesize
48.0MB

Download
memory/1704-4652-0x000000006F550000-0x000000006FE99000-memory.dmp

Filesize
9.3MB

Download
memory/1704-4650-0x000000006FEA0000-0x000000006FEB4000-memory.dmp

Filesize
80KB

Download
memory/1704-4649-0x0000000076190000-0x0000000076280000-memory.dmp

Filesize
960KB

Download
memory/1704-4668-0x0000000076190000-0x0000000076280000-memory.dmp

Filesize
960KB

Download
memory/2156-4511-0x000000006D960000-0x000000006D970000-memory.dmp

Filesize
64KB

Download
memory/2884-4461-0x000000006F550000-0x000000006FE99000-memory.dmp

Filesize
9.3MB

Download
memory/2884-4462-0x0000000076190000-0x0000000076280000-memory.dmp

Filesize
960KB

Download
memory/2884-4679-0x000000006FEA0000-0x000000006FEB4000-memory.dmp

Filesize
80KB

Download
memory/2884-4678-0x0000000076190000-0x0000000076280000-memory.dmp

Filesize
960KB

Download
memory/2884-4468-0x000000006FEA0000-0x000000006FEB4000-memory.dmp

Filesize
80KB

Download
memory/3000-4469-0x000000006F550000-0x000000006FE99000-memory.dmp

Filesize
9.3MB

Download
memory/3000-4467-0x000000006C300000-0x000000006F2F6000-memory.dmp

Filesize
48.0MB

Download
memory/3064-4237-0x0000000076190000-0x0000000076280000-memory.dmp

Filesize
960KB

Download
memory/3064-4238-0x000000006FEA0000-0x000000006FEB4000-memory.dmp

Filesize
80KB

Download
memory/3064-4234-0x000000006F550000-0x000000006FE99000-memory.dmp

Filesize
9.3MB

Download
memory/3064-4240-0x000000006C300000-0x000000006F2F6000-memory.dmp

Filesize
48.0MB

Download
memory/3064-4344-0x0000000076190000-0x0000000076280000-memory.dmp

Filesize
960KB

Download
memory/3136-4347-0x0000000076190000-0x0000000076280000-memory.dmp

Filesize
960KB

Download
memory/3136-4333-0x000000006C300000-0x000000006F2F6000-memory.dmp

Filesize
48.0MB

Download
memory/3136-4335-0x0000000076190000-0x0000000076280000-memory.dmp

Filesize
960KB

Download
memory/3136-4336-0x000000006FEA0000-0x000000006FEB4000-memory.dmp

Filesize
80KB

Download
memory/3136-4334-0x000000006F550000-0x000000006FE99000-memory.dmp

Filesize
9.3MB

Download
memory/3180-4083-0x000000006C300000-0x000000006F2F6000-memory.dmp

Filesize
48.0MB

Download
memory/3180-4656-0x0000000076190000-0x0000000076280000-memory.dmp

Filesize
960KB

Download
memory/3180-4078-0x0000000076190000-0x0000000076280000-memory.dmp

Filesize
960KB

Download
memory/3180-4081-0x000000006F550000-0x000000006FE99000-memory.dmp

Filesize
9.3MB

Download
memory/3180-4460-0x0000000076190000-0x0000000076280000-memory.dmp

Filesize
960KB

Download
memory/3180-4079-0x000000006FEA0000-0x000000006FEB4000-memory.dmp

Filesize
80KB

Download
memory/3428-4680-0x00007FFC6EB10000-0x00007FFC6ED05000-memory.dmp

Filesize
2.0MB

Download
memory/3428-4514-0x00007FFC6EB10000-0x00007FFC6ED05000-memory.dmp

Filesize
2.0MB

Download
memory/3428-4513-0x00007FFC2C7D0000-0x00007FFC2C7E0000-memory.dmp

Filesize
64KB

Download
memory/3504-4343-0x000000006FEA0000-0x000000006FEB4000-memory.dmp

Filesize
80KB

Download
memory/3504-4345-0x0000000076190000-0x0000000076280000-memory.dmp

Filesize
960KB

Download
memory/3504-4340-0x000000006C300000-0x000000006F2F6000-memory.dmp

Filesize
48.0MB

Download
memory/3504-4341-0x000000006F550000-0x000000006FE99000-memory.dmp

Filesize
9.3MB

Download
memory/3684-3964-0x0000000037960000-0x0000000037970000-memory.dmp

Filesize
64KB

Download
memory/3684-3976-0x000000006F550000-0x000000006FE99000-memory.dmp

Filesize
9.3MB

Download
memory/3684-3968-0x0000000077972000-0x0000000077973000-memory.dmp

Filesize
4KB

Download
memory/3684-4006-0x0000000006490000-0x00000000064A0000-memory.dmp

Filesize
64KB

Download
memory/3684-3991-0x000000006C300000-0x000000006F2F6000-memory.dmp

Filesize
48.0MB

Download
memory/3684-3970-0x000000006FEA0000-0x000000006FEB4000-memory.dmp

Filesize
80KB

Download
memory/3684-3969-0x0000000076190000-0x0000000076280000-memory.dmp

Filesize
960KB

Download
memory/3684-4653-0x0000000076190000-0x0000000076280000-memory.dmp

Filesize
960KB

Download
memory/3684-4332-0x0000000076190000-0x0000000076280000-memory.dmp

Filesize
960KB

Download
memory/3928-4337-0x000000006FEA0000-0x000000006FEB4000-memory.dmp

Filesize
80KB

Download
memory/3928-4338-0x0000000076190000-0x0000000076280000-memory.dmp

Filesize
960KB

Download
memory/4448-4339-0x00007FFC6EB10000-0x00007FFC6ED05000-memory.dmp

Filesize
2.0MB

Download
memory/4448-4070-0x00007FFC2C730000-0x00007FFC2C740000-memory.dmp

Filesize
64KB

Download
memory/4448-4071-0x00007FFC2C7D0000-0x00007FFC2C7E0000-memory.dmp

Filesize
64KB

Download
memory/4448-4072-0x00007FFC6EB10000-0x00007FFC6ED05000-memory.dmp

Filesize
2.0MB

Download
memory/4856-4448-0x000000006F550000-0x000000006FE99000-memory.dmp

Filesize
9.3MB

Download
memory/4856-4449-0x000000006C300000-0x000000006F2F6000-memory.dmp

Filesize
48.0MB

Download
memory/4988-4068-0x000000006D8D0000-0x000000006D8E0000-memory.dmp

Filesize
64KB

Download
memory/4988-4069-0x000000006D960000-0x000000006D970000-memory.dmp

Filesize
64KB

Download
memory/5000-4503-0x000000006FEA0000-0x000000006FEB4000-memory.dmp

Filesize
80KB

Download
memory/5000-4499-0x000000006F550000-0x000000006FE99000-memory.dmp

Filesize
9.3MB

Download
memory/5000-4500-0x0000000076190000-0x0000000076280000-memory.dmp

Filesize
960KB

Download
memory/5000-4501-0x000000006FEA0000-0x000000006FEB4000-memory.dmp

Filesize
80KB

Download
memory/5000-4502-0x0000000076190000-0x0000000076280000-memory.dmp

Filesize
960KB

Download