Analysis
max time kernel: 143s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-06-2024 12:17

Static task: static1

Behavioral task: behavioral1
Sample: 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
Resource: win10v2004-20240508-en

General
Target: 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
Size: 225.0MB
MD5: d54254438c5c1d2c3cf234e583ed6c97
SHA1: becbb2ef95317e5f8ae5782538364aa58b9cb980
SHA256: 317debaf5cd447549e448e6b929b3e2ea5ae54864b35dbb18833e7a87e6a1636
SHA512: 6087b1ea0e3ce1f0daeca7c42e28dfc88db80a9aad48bb7f94e736be309bd78074d4ab06ec057fc88a198f8998cc51fc08174e925ca44c54cf7b2fffeccd8da8
SSDEEP: 6291456:qo5Y69DnhF6Rn0lo108kbmXMdyDq/1pA0F0QkDTqaHXXbV/T:qo5Y69DnkndYJ7S0GQkZ3LV/T
Malware Config
Signatures
Processes: wpscloudsvr.exe
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wpscloudsvr.exe
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: ksomisc.exe, 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
description | ioc | process
- File opened for modification | \??\PhysicalDrive0 | ksomisc.exe
- File opened for modification | \??\PhysicalDrive0 | 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: ksomisc.exe, ksomisc.exe, 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | ksomisc.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | ksomisc.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory 1 IoCs
Processes: 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
description | ioc | process
- File created | C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe | 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
Executes dropped EXE 8 IoCs
Processes: ksomisc.exe, wpscloudsvr.exe, ksomisc.exe, ksomisc.exe, ksomisc.exe, wps.exe, wps.exe, wps.exe
pid | process
- 2448 | ksomisc.exe
- 4120 | wpscloudsvr.exe
- 3312 | ksomisc.exe
- 2724 | ksomisc.exe
- 5084 | ksomisc.exe
- 3732 | wps.exe
- 1704 | wps.exe
- 956 | wps.exe
Loads dropped DLL 64 IoCs
Processes: 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe, ksomisc.exe, regsvr32.exe, regsvr32.exe, regsvr32.exe, ksomisc.exe
pid | process | DLL load events (64 total)
- 2512 | 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe | 17
- 2448 | ksomisc.exe | 32
- 2344 | regsvr32.exe | 1
- 1896 | regsvr32.exe | 1
- 4044 | regsvr32.exe | 1
- 3312 | ksomisc.exe | 12
Modifies system executable filetype association 2 TTPs 2 IoCs
Processes: regsvr32.exe
description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext | regsvr32.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ kwpsshellext\ = "{28A80003-18FD-411D-B0A3-3C81F618E22B}" | regsvr32.exe
Registers COM server for autorun 1 TTPs 64 IoCs
Processes: ksomisc.exe, regsvr32.exe, regsvr32.exe
description | ioc | process
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\refedit.dll" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wps" | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\LocalServer32 | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32\ | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32\Class\ = "WPS.Office.Interop.Et.GlobalClass" | ksomisc.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000 | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\LocalServer32\.ksobak | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{000209FF-0000-4b30-A977-D214852036FF}\LocalServer32 | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{000209FF-0000-0000-C000-000000000046}\LocalServer32\.ksobak | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{000209FE-0000-0000-C000-000000000046}\LocalServer32 | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wpp" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /et" | ksomisc.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f006500740000000000 | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wpp" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{91493443-94BF-4940-926D-4F38FECF2A48}\InprocServer32\Class\ = "WPS.Office.Interop.Wpp.GlobalClass" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{44720441-94BF-4940-926D-4F38FECF2A48}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wps.exe\" /prometheus /wpp /Automation" | ksomisc.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000 | ksomisc.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000 | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020821-0000-0000-C000-000000000046}\LocalServer32 | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wps" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020832-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /et" | ksomisc.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020832-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f006500740000000000 | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{44720441-94BF-4940-926D-4F38FECF2A48}\LocalServer32 | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32\Class | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\LocalServer32 | ksomisc.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32 | regsvr32.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\LocalServer32\.ksobak | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32 | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32 | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wps" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00024500-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\et.exe /Automation" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\.ksobak | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{45540003-5750-5300-4B49-4E47534F4655}\LocalServer32 | ksomisc.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000 | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\LocalServer32 | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}\LocalServer32\.ksobak | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020906-0000-4b30-A977-D214852036FF}\LocalServer32 | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wps" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\LocalServer32 | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00024500-0000-0000-C000-000000000046}\LocalServer32 | ksomisc.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000 | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wpp" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{45540001-5750-5300-4B49-4E47534F4655}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wps.exe\" /prometheus /et /Automation" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32\.ksobak | ksomisc.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000 | ksomisc.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{3C18EAE4-BC25-4134-B7DF-1ECA1337DDDC}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000 | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{91493441-5A91-11CF-8700-00AA0060263B}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wpp.exe /Automation" | ksomisc.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{048EB43E-2059-422F-95E0-557DA96038AF}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000 | ksomisc.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C360CF9-D475-44FC-8163-AD6C95CF5F5D}\InprocServer32 | regsvr32.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020900-0000-0000-C000-000000000046}\LocalServer32\.ksobak | ksomisc.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020900-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000 | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{000209FF-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /Automation" | ksomisc.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{000209FE-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f004100750074006f006d006100740069006f006e0000000000 | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\LocalServer32 | ksomisc.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020812-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c00650074002e0065007800650020002f004100750074006f006d006100740069006f006e0000000000 | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{3C18EAE4-BC25-4134-B7DF-1ECA1337DDDC}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wpp" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020906-0000-4b30-A977-D214852036FF}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wps.exe\" /prometheus /wps" | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32 | ksomisc.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000 | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\LocalServer32\.ksobak | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00020832-0000-0000-C000-000000000046}\LocalServer32 | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\kwpsmenushellext64.dll" | regsvr32.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{91493443-94BF-4940-926D-4F38FECF2A48}\InprocServer32 | ksomisc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Processes: ksomisc.exe
description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4} | ksomisc.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" | ksomisc.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{E436987E-F427-4AD7-8738-6D0895A3E93F}" | ksomisc.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4} | ksomisc.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" | ksomisc.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{AB5357A7-3179-47F9-A705-966B8B936D5E}" | ksomisc.exe
Modifies registry class 64 IoCs
Processes: ksomisc.exe
description | ioc | process
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{BA72E552-4FF5-48F4-8215-5505F990966F}\ = "Player" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{0002095F-0000-0000-C000-000000000046}\ = "Panes" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000209D1-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{C1A870A0-850E-4D38-98A7-741CB8C3BCA4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TypeLib\{44720440-94BF-4940-926D-4F38FECF2A48}\3.0\HELPDIR | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{91493478-5A91-11CF-8700-00AA0060263B}\TypeLib | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000C0317-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}" | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{00020881-0000-0000-C000-000000000046} | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{00020928-0000-0000-C000-000000000046}\ProxyStubClsid32 | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{00020988-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{CAE36175-3818-4C60-BCBF-0645D51EB33B}\TypeLib | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000209A5-0000-0000-C000-000000000046}\ProxyStubClsid32 | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{92D41A72-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "PlotArea" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{91493476-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{44720440-94BF-4940-926D-4F38FECF2A48}" | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{9149346E-5A91-11CF-8700-00AA0060263B}\TypeLib | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000244D4-0000-0000-C000-000000000046}\TypeLib | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000209ED-0000-0000-C000-000000000046}\ = "SmartTag" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{FE0971F0-5E60-4985-BCDA-95CB0B8E0308}\TypeLib\Version = "3.0" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{FA02A26B-6550-45C5-B6F0-80E757CD3482}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}" | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{B9F1A4E2-0D0A-43B7-8495-139E7ACBD840} | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{D8252C5E-EB9F-4D74-AA72-C178B128FAC4}\TypeLib | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{0002446F-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{000208CF-0000-0000-C000-000000000046}\TypeLib | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Excel.Application | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000209C6-0000-0000-C000-000000000046} | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{00020958-0000-0000-C000-000000000046}\TypeLib | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{7759D313-9C91-46E3-BF38-3B6E68E0B1C9} | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000244E0-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{000208A3-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{B9F1A4E2-0D0A-43B7-8495-139E7ACBD840}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{6D3837A4-F05E-409F-9A65-0D22505A49C3}\TypeLib\Version = "1.0" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{BE39F3D4-1B13-11D0-887F-00A0C90F2744}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\LocalServer32\.ksobak | ksomisc.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSAddnDr.AddInDesigner\ = "Addin Class" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{00020961-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000209A1-0000-0000-C000-000000000046}\ = "_LetterContent" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{00024439-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{7E64D2BE-2818-48CB-8F8A-CC7B61D9E860}\TypeLib | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{0002092B-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{766FBB6D-7576-4C00-8CE7-C548751812B3}\TypeLib\ = "{D626EB73-B7C0-45EF-922D-0CDDAEDE12FA}" | ksomisc.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\VersionIndependentProgID\ = "MSAddnDr.AddInInstance" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000C0316-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}" | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000C03CC-0000-0000-C000-000000000046}\TypeLib | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{0002093C-0000-0000-C000-000000000046}\ProxyStubClsid32 | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{BA72E558-4FF5-48F4-8215-5505F990966F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{00024432-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{9149345D-5A91-11CF-8700-00AA0060263B}\TypeLib | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{00024500-0000-0000-C000-000000000046}\LocalServer32\.ksobak | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{000CD100-0000-0000-C000-000000000046}\ProxyStubClsid32 | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{00020942-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{C75AD98A-74E9-49FE-8BF1-544839CC08A5}\ = "ChartArea" | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{00020926-0000-0000-C000-000000000046}\ProxyStubClsid32 | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{30225CFC-5A71-4FE6-B527-90A52C54AE77}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{4A304B59-31FF-42DD-B436-7FC9C5DB7559}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{000244D2-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{000208AE-0000-0000-C000-000000000046}\TypeLib | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WPS.RTF.6\DefaultIcon | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{00020972-0000-0000-C000-000000000046}\ = "LineNumbering" | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{07B7CC7E-E66C-11D3-9454-00105AA31A08} | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000208C2-0000-0000-C000-000000000046} | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{000244AD-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | ksomisc.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{000244AE-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | ksomisc.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{00024488-0000-0000-C000-000000000046}\ProxyStubClsid32 | ksomisc.exe
Suspicious behavior: AddClipboardFormatListener 5 IoCs
Processes:
pid   process
2512  421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
2448  ksomisc.exe
3312  ksomisc.exe
2724  ksomisc.exe
5084  ksomisc.exe
-
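Added example, not part of the sandbox report and not Kingsoft/WPS code: a small Python parser for registry event lines in the form used by the "Modifies registry class" list above. The security-relevant split it makes is between the user's own Classes hive (\REGISTRY\USER\<SID>_Classes, which Windows presents as HKCU\Software\Classes and consults before HKLM for COM activation) and HKLM\Software\Classes, and it flags every LocalServer32/InprocServer32 value because a CLSID server binding written to the user hive is the same location a COM hijack would use; for an installer that runs per-user this is expected, but the bound binary is the thing to confirm. The six embedded lines are copied from the list above; the regular expressions, function names and category labels are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample: six event lines copied from the "Modifies registry class"
# list above. Only these six are embedded so the script runs offline; feed
# summarize() the full list to process the whole report.
SAMPLE_EVENTS = r"""
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Excel.Application ksomisc.exe
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{000209C6-0000-0000-C000-000000000046} ksomisc.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Interface\{BE39F3D4-1B13-11D0-887F-00A0C90F2744}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" ksomisc.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\LocalServer32\.ksobak ksomisc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSAddnDr.AddInDesigner\ = "Addin Class" ksomisc.exe
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WPS.RTF.6\DefaultIcon ksomisc.exe
"""

# One sandbox event line: <operation> <registry path> [= "<data>"] <process>
EVENT_RE = re.compile(
    r'^(?P<op>Key created|Key deleted|Key value queried|Set value \([^)]*\))\s+'
    r'(?P<path>\\REGISTRY\\\S+)'
    r'(?:\s+=\s+"(?P<data>[^"]*)")?'
    r'\s+(?P<proc>\S+)$'
)
# The per-user Classes hive (HKCU\Software\Classes) is mounted as
# \REGISTRY\USER\<SID>_Classes; HKLM\Software\Classes is the machine hive.
USER_CLASSES = re.compile(r'^\\REGISTRY\\USER\\S-1-5-[\d-]+_Classes\\(?P<rest>.*)$')
MACHINE_CLASSES = re.compile(r'^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(?P<rest>.*)$')
SERVER_KEYS = {"LOCALSERVER32", "INPROCSERVER32"}   # keys that bind a CLSID to a binary


def parse_event(line):
    """Return the event fields as a dict, or None for lines that are not events."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(path):
    """Map a registry path to (hive, COM category, binds-a-server-binary?)."""
    for hive, rx in (("HKCU\\Software\\Classes", USER_CLASSES),
                     ("HKLM\\Software\\Classes", MACHINE_CLASSES)):
        m = rx.match(path)
        if m:
            break
    else:
        return ("other", "other", False)
    parts = [p for p in m.group("rest").split("\\") if p]
    if parts and parts[0].upper() == "WOW6432NODE":   # 32-bit view, same meaning
        parts = parts[1:]
    head = parts[0].upper() if parts else ""
    category = head if head in ("CLSID", "INTERFACE", "TYPELIB") else "PROGID"
    binds_server = any(p.upper() in SERVER_KEYS for p in parts)
    return (hive, category, binds_server)


def summarize(report_text):
    """Count events per (hive, category) and collect server bindings and writers."""
    counts = Counter()
    bindings = []
    procs = set()
    for line in report_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        hive, category, binds_server = classify(ev["path"])
        counts[(hive, category)] += 1
        procs.add(ev["proc"])
        if binds_server:
            bindings.append((hive, ev["path"], ev["data"]))
    return {"counts": counts, "bindings": bindings, "processes": procs}


if __name__ == "__main__":
    result = summarize(SAMPLE_EVENTS)
    for (hive, category), n in sorted(result["counts"].items()):
        print(f"{n:3d}  {hive}\\{category}")
    for hive, path, data in result["bindings"]:
        print(f"server binding in {hive}: {path} -> {data!r}")
    print("writing processes:", ", ".join(sorted(result["processes"])))
```

On this report the binding it flags is the LocalServer32 value under the per-user CLSID {18A06B6B-2F3F-4E2B-A611-52BE631B2D22}; the value data is not shown on the page, so the check a practitioner would add on a live host is reading that value and confirming it points at the signed WPS binary rather than something else in the profile.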
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process   (consecutive repeats collapsed; 64 rows in total)
2512  421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe  ×2
3744  421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe  ×6
2512  421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe  ×23
2448  ksomisc.exe  ×4
4120  wpscloudsvr.exe  ×2
2448  ksomisc.exe  ×27
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
2512  421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
Processes:
description                   pid   process
Token: SeDebugPrivilege       2512  421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
Token: SeRestorePrivilege     2512  421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe  ×4
Token: SeDebugPrivilege       2448  ksomisc.exe
Token: SeLockMemoryPrivilege  2448  ksomisc.exe
Token: SeDebugPrivilege       3312  ksomisc.exe
Token: SeLockMemoryPrivilege  3312  ksomisc.exe
Token: SeDebugPrivilege       2724  ksomisc.exe
Token: SeLockMemoryPrivilege  2724  ksomisc.exe
Token: SeDebugPrivilege       5084  ksomisc.exe
Token: SeLockMemoryPrivilege  5084  ksomisc.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid   process
2512  421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
5084  ksomisc.exe
-
Suspicious use of SetWindowsHookEx 18 IoCs
Processes:
pid   process   (consecutive repeats collapsed; 18 rows in total)
2512  421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
2448  ksomisc.exe  ×7
3312  ksomisc.exe  ×2
2448  ksomisc.exe  ×4
2724  ksomisc.exe  ×2
5084  ksomisc.exe  ×2
-
Suspicious use of WriteProcessMemory 34 IoCs
Processes:
writer pid  writer process                                                            -> target pid  target process   (repeats collapsed; 34 rows in total)
2512  421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe  -> 4120  wpscloudsvr.exe  ×3
2448  ksomisc.exe                                                               -> 2344  regsvr32.exe     ×3
2448  ksomisc.exe                                                               -> 1896  regsvr32.exe     ×3
1896  regsvr32.exe                                                              -> 4044  regsvr32.exe     ×2
2512  421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe  -> 3312  ksomisc.exe      ×3
2512  421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe  -> 2724  ksomisc.exe      ×3
3744  421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe  -> 5084  ksomisc.exe      ×3
2448  ksomisc.exe                                                               -> 3732  wps.exe          ×3
3732  wps.exe                                                                   -> 1704  wps.exe          ×3
3732  wps.exe                                                                   -> 956   wps.exe          ×3
3744  421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe  -> 3304  regsvr32.exe     ×3
3304  regsvr32.exe                                                              -> 756   regsvr32.exe     ×2
Processes
-
C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe"
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Loads dropped DLL
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2512
  -
  C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
    Command line: "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService
    - Checks whether UAC is enabled
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 4120
  -
  C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
    Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -installregister sharedMemory_message_E59F8DD
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 3312
  -
  C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
    Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -sendinstalldyn 5
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 2724
-
C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe" -downpower -msgwndname=wpssetup_message_E581F5A -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3744
  -
  C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
    Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID: 5084
  -
  C:\Windows\SysWOW64\regsvr32.exe
    Command line: "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kwpsmenushellext64.dll"
    - Suspicious use of WriteProcessMemory
    PID: 3304
    -
    C:\Windows\system32\regsvr32.exe
      Command line: /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kwpsmenushellext64.dll"
      - Modifies system executable filetype association
      - Registers COM server for autorun
      PID: 756
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
  Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -installregister sharedMemory_message_E599522 -forceperusermode
  - Writes to the Master Boot Record (MBR)
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Registers COM server for autorun
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2448
  -
  C:\Windows\SysWOW64\regsvr32.exe
    Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins.dll"
    - Loads dropped DLL
    PID: 2344
  -
  C:\Windows\SysWOW64\regsvr32.exe
    Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins64.dll"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1896
    -
    C:\Windows\system32\regsvr32.exe
      Command line: /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins64.dll"
      - Loads dropped DLL
      - Registers COM server for autorun
      PID: 4044
  -
  C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
    Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3732
    -
    C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
      Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe" CheckService
      - Executes dropped EXE
      PID: 1704
    -
    C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
      Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=3732 /prv
      - Executes dropped EXE
      PID: 956
  -
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\SysWOW64\cmd.exe"
    PID: 4800
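Added example, not part of the sandbox report and not Kingsoft/WPS code, serving both the "Suspicious use of WriteProcessMemory" list and the Processes tree above: a Python script that rebuilds the parent/child tree from the "PID X wrote to memory of Y" lines (CreateProcess writes the new process's startup data into the child, which is why every spawn shows up in that list) and then reviews the regsvr32.exe command lines taken from the tree. The review flags `/i:user`, which makes regsvr32 call DllInstall with "user" and so register the DLL under the per-user hive, and DLLs loaded from a user profile path; on this report that combination is exactly the kwpsmenushellext64.dll registration that carries the "Modifies system executable filetype association" and "Registers COM server for autorun" signatures on PID 756, and the SysWOW64 regsvr32 (3304) handing a 64-bit DLL to the system32 copy (756) is the expected re-launch for a 64-bit DLL. The embedded event lines and command lines are copied from the report above (one line per pair; the report repeats most pairs three times); the regular expressions, function names and the finding tuple layout are this example's own assumptions. cmd.exe (PID 4800) has no WriteProcessMemory line on the page, so it does not appear in the rebuilt tree.

```python
import re
from collections import defaultdict

INSTALLER = "421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe"

# Constructed sample: one line per writer/target pair from the WriteProcessMemory
# list above (a duplicate is left in to show deduplication).
SAMPLE_WPM = f"""
PID 2512 wrote to memory of 4120 2512 {INSTALLER} wpscloudsvr.exe
PID 2512 wrote to memory of 4120 2512 {INSTALLER} wpscloudsvr.exe
PID 2448 wrote to memory of 2344 2448 ksomisc.exe regsvr32.exe
PID 2448 wrote to memory of 1896 2448 ksomisc.exe regsvr32.exe
PID 1896 wrote to memory of 4044 1896 regsvr32.exe regsvr32.exe
PID 2512 wrote to memory of 3312 2512 {INSTALLER} ksomisc.exe
PID 2512 wrote to memory of 2724 2512 {INSTALLER} ksomisc.exe
PID 3744 wrote to memory of 5084 3744 {INSTALLER} ksomisc.exe
PID 2448 wrote to memory of 3732 2448 ksomisc.exe wps.exe
PID 3732 wrote to memory of 1704 3732 wps.exe wps.exe
PID 3732 wrote to memory of 956 3732 wps.exe wps.exe
PID 3744 wrote to memory of 3304 3744 {INSTALLER} regsvr32.exe
PID 3304 wrote to memory of 756 3304 regsvr32.exe regsvr32.exe
"""

# Constructed sample: command lines of the regsvr32 children (plus one wps.exe
# child as a non-match) copied from the Processes tree above, keyed by PID.
SAMPLE_CMDLINES = {
    3304: r'"C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kwpsmenushellext64.dll"',
    756: r'/s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kwpsmenushellext64.dll"',
    2344: r'"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins.dll"',
    1896: r'"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins64.dll"',
    4044: r'/s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins64.dll"',
    3732: r'"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask',
}

# "PID <writer> wrote to memory of <target> <writer> <writer image> <target image>"
WPM_RE = re.compile(
    r'PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) '
    r'(?P=parent) (?P<pname>\S+) (?P<cname>\S+)'
)
DLL_ARG = re.compile(r'"([^"]+\.dll)"', re.IGNORECASE)           # first quoted *.dll argument
USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\AppData\\', re.IGNORECASE)


def build_tree(wpm_text):
    """Parent PID -> ordered, deduplicated child PIDs; plus PID -> image name."""
    children = defaultdict(list)
    names = {}
    for line in wpm_text.splitlines():
        m = WPM_RE.search(line)
        if not m:
            continue
        parent, child = int(m["parent"]), int(m["child"])
        names[parent], names[child] = m["pname"], m["cname"]
        if child not in children[parent]:
            children[parent].append(child)
    return dict(children), names


def roots(children):
    """PIDs that only ever write, never get written to: the tree roots."""
    targets = {c for cs in children.values() for c in cs}
    return sorted(p for p in children if p not in targets)


def render(children, names, pid,  depth=0, out=None):
    """Indented text tree, two spaces per level, like the Processes section."""
    out = [] if out is None else out
    out.append("  " * depth + f"{pid} {names[pid]}")
    for child in children.get(pid, []):
        render(children, names, child, depth + 1, out)
    return out


def review_regsvr32(names, cmdlines):
    """One tuple per regsvr32 run: (pid, dll, per-user DllInstall?, dll under a user profile?)."""
    findings = []
    for pid, cmd in cmdlines.items():
        if names.get(pid, "").lower() != "regsvr32.exe":
            continue
        m = DLL_ARG.search(cmd)
        dll = m.group(1) if m else None
        per_user = "/i:user" in cmd.lower()        # regsvr32 passes "user" to DllInstall
        from_profile = bool(dll and USER_WRITABLE.search(dll))
        findings.append((pid, dll, per_user, from_profile))
    return findings


if __name__ == "__main__":
    children, names = build_tree(SAMPLE_WPM)
    for root in roots(children):
        print("\n".join(render(children, names, root)))
        print("-")
    for pid, dll, per_user, from_profile in review_regsvr32(names, SAMPLE_CMDLINES):
        print(f"regsvr32 pid={pid} per_user={per_user} profile_dll={from_profile} {dll}")
```

The rebuilt tree has three roots (2448, 2512, 3744), matching the three top-level entries in the Processes section; the PID shown as a root is simply one whose creator did not produce a WriteProcessMemory line, so "root" here means "parent not captured", not "no parent".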
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Change Default File Association (1)
- Pre-OS Boot (1): Bootkit (1)
Downloads
-
Filesize: 1.1MB
MD5: c2d146a5359002a751ca8ac02a2af3a7
SHA1: 847b3cb0ba52fe77869800accba3feef4486c2a5
SHA256: e0daa77458e3833d7dc90dc571dfe576aa08e0f7f7d9bd2ba35bf01e534d5eae
SHA512: de84d24894f829f72562c848c64dc7d43556f4e93706b602ff9f6d891dc8757691e0f742dbbb8125eebd069479f56f0cf7af8c04db286187f87b0eb3caa2603a
-
Filesize: 169KB
MD5: c84af4b704317c999fbcae4bfbc0d160
SHA1: 18878298def296c5dd9cb62ec12f2d7603d2d0e7
SHA256: b1931aeb9a2b5af056a6875314c85e2936150bd61f536cf8e9a92424a324a29e
SHA512: 5c60dd4f6f277543cd68d12f6ecbaa14a58fa2b6dccc111478bf6e633737f9bad072510e7250c698674baf765ebf21d8e07e4b4b74633dc0467b1a8f3e83b2e0
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\kconfigcentersdk\kconfigcentersdk.dll
Filesize: 332KB
MD5: a889bca455720ef0dfa30338d1a37018
SHA1: c49bdfdd1ce19178cb1aa83efb9f92975b1a9d25
SHA256: 3f4e26bc93d7fc1cc54100c319a2b9d8fb83088872769b78e814980fb6f1e005
SHA512: 9b5c8fe20debb59833f06edac5e984d53fa74f9999ffeb92b0c0f9350d3e13286e680a561bc139e5cca97e5e52a71a0f7e18cef38ba190055b186284260b20a7
-
Filesize: 110KB
MD5: 502c4322fc360fd8cc90f59ac863c1a3
SHA1: 609a71a48653b68576a539a3c44ec29f50b589a2
SHA256: 0f40c5c4d1566d7f71b122c172d4906e98190fcfc88f31c9fbebd3b4d53d6058
SHA512: 49872e6efdd63ce7ad42232dc576ac3500dc3d2f2cace4aedfaf2ab9f2af78b80defa424586dd85122b8d88bd898c3f2f72bcb0bf6ee12f611698f4f4029b2f3
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\kwpsaigc\mui\pt_BR\kwpsaigc.qm
Filesize: 334B
MD5: 2b42be10ddde43a0b6c2e461beae293a
SHA1: 53888c4798bc04fdfc5a266587b8dc1c4e0103f3
SHA256: 984ebeef80f6f50907afb92e5b5ae72df49fce045552c118a77a8887cc98e19b
SHA512: be3ebd02d37de367200696351fb5f9cd0ec4c206c3a33f281cb8b62386457a30a899322798c63a0d495577393e47258994feb7f8e2445645f552c2b7a2de6778
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\pt_PT\history.js
Filesize: 198KB
MD5: b4b4c703bf5c6c0b5e9c57f05012d234
SHA1: 929aee49e800e88b4b01f4a449fa86715d882e42
SHA256: 910eada285d4900ea8e36faf305f731cfb200b317ea866839f5f4864a9dfc09b
SHA512: 2afa881ee2f47e97249904b506cf88d68a34c166d9dc0a603f68369e640336f2c0b424ecb7b23d4631a96e175b965478bfa4ebc0224b0410551e55ac4c8ad0ec
-
Filesize: 67B
MD5: 223673e5e8d77083765b70ddf7a0f7f6
SHA1: 3b5c4d6304ed6ada0ec607f44a2aace24ec16126
SHA256: 9089b4fee2d7596812c52f11dbc9855ca5b2b1ff0a9dc237fe630722b10ddc82
SHA512: 62f5a40fc698de593bf29c3ab4d278d798bdc6e65693ca30f85506c95f408f17a00da048e42a23dd5702fe322066a87374cfeb0942d15f3fc791639aab924f52
-
Filesize: 433B
MD5: 1c1eb59705cc6888811f3019aa3be6dc
SHA1: 561a22bb405b8e77cfa062dcbb8ce2589b23bd46
SHA256: 82602748b45b6a64ac854f1168604051292f8c14838b9dff5a804138f21600dc
SHA512: 17ceae557b779ab759e741a5bffbee50d35fbd1ab76bfb36c5c28d4bc33155f9e719a5eabf9593083593fbfa7f3037fd1621553fbf8c5ea391e8c82be118103b
-
Filesize: 55KB
MD5: 575b0151a48a719119888cef4f7fca12
SHA1: f39c1765f8edf0105722e1443c24de32e25d9de0
SHA256: a789830df17282311db67dae1130e95988b78b1942667b5b13f2ef9e96c0ac2b
SHA512: 9831cdfcad069880ba6a772c078d2285bd9a44be80a8ad91df2d01120fededd0526c7ad5a74b78a7cd731b3e54df16ee4f1eaeecb3cde07a1c944aae98920a07
-
Filesize: 86KB
MD5: 1b75b61532d7793afd8f87ecf476e58b
SHA1: ab906eb2a3f0d18fb77ef6ecaf91550f23cb951d
SHA256: 9472440cbcac55b57f3bba8d166e051d81447097496bd51af86b5d943416d74b
SHA512: 8ee2d375d1370286c976758c793dcdc9c5568a6f91cbe3c667820e8dfc95a609402ed3d054fad56acd2d4fefc106e0ac9a627b2c26120a2b9d13b7ce99fc6172
-
Filesize: 947KB
MD5: dbb70fbe46aa5c9a1c174e56a43f4068
SHA1: e2f0f0f2306cb863cbde6228660a17a98e632bf3
SHA256: 3e487777a70672ab2792510e39925e6ca96593394cb02c94737d1d1d648a2ced
SHA512: 82b586c10248ba65445eaf23418ce68b1f52266d855c2514883d73a04e36baa42773f61018e042406f05d474cf8f7d697802362da21125868c80c62385a81d78
-
Filesize: 9.3MB
MD5: 152a690c0d8050b22bde17abd3806345
SHA1: 38fd488acab1dbdcc66d88ebec03215c1f0ede85
SHA256: 4347c6c4c88c47306731390d5f6085f86eb9d9e1dfcc0058daf8a9efbbe912ed
SHA512: e6558db247c05c7843ca050b3ec1bb3d533d5d1597d2fcab36c5eafd621f62ff280d759d6856ce75ed96dd6dbb0127a19a4ee64a0dc58131cfefe57b88404798
-
Filesize: 211KB
MD5: bb63628c0cc81ff45adb3214342e066e
SHA1: 5bb812cad46effac16d0def3eb7014a1f6d3a8b6
SHA256: e796227cb887b8b29d0530817ece2290f42ea491b11561ecdb2ad705e43f67c2
SHA512: a090823be81e4d300fea093be7680b12a9970890de64f27af83375bdf5e869c2d10fb2d3d10fa991ce113c6186e30dc59855b1dedd0c5a399b517a3e7841fe6d
-
Filesize: 3.0MB
MD5: 20704171f1c20337f7348ae4dab809bf
SHA1: c0a8e284cab4e843bfd9cea49e221efabc971596
SHA256: 03d1cf8f9801abf3f1a10ccba0a3b64f38ee209b4ce84c0b8e6bc72c35f61a7e
SHA512: 47b791b8e8ca250f041390a72d0d0bdf4ca3115cff579e649eb45181b2d898dc664e7d53273e46230440b3428c613bc30fc7a6818bbd17daa635e2ef5e0e1b0e
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\mui\ja_JP\resource\splash\hdpi\2x\ent_background_2019_wpsoffice.png
Filesize: 236KB
MD5: c5ad1903526a9ca4c2f55cfea1e22778
SHA1: 9c7b9ba9100a919cad272fb85ff95c4cde45de9f
SHA256: 5e7ba996d2331f37b9799767c0fa806cab9a39fea434796ab08dcaf39096e334
SHA512: e482142e81fbe71666b40f7a2c53702b4278436a0240e0f56200443cf4235d9942cccc3545cc01486d53a0972be553cbf93442e8b05de7b4fcd1fe8a4ec16bb4
-
Filesize: 271B
MD5: 351fdc16f8e5ec3105aeb289397a06bc
SHA1: 115bcf3e66703597ef4fb42acbdf3be37fff221b
SHA256: b54bcf83fa006bf38dc845507e31dd5ae559ed68d45acc12ae1561142661a7d8
SHA512: 4cb802df20b51b5bac7ac78f983c191c9c81541204b7ee30683ff55f65694926d144b8003cc504e9c8f16da92ef5d17d5d904050e7915a6615f7c62abec38cae
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\qt\plugins\platforms\qdirect2d.dll
Filesize: 1.4MB
MD5: 39f7a2e4e5493a25ff8597413372d8d7
SHA1: 4dab1118b5b962f1dc89fa29c5f10c8bd7d1fce1
SHA256: 6b9428e6c7563b32481cb9bbb15e9126376bd123b213b94b6cdf82409a5b57d8
SHA512: 80063b8e9f8e328e8746f6f8b9c73bafb0bfd9c89d0743da186de193c3676d7702fa1ecd82fa547d5628f4e4b96c3869bb7521f25bf2843d260dc0339480147a
-
Filesize: 957KB
MD5: 2ce8dfb2a53e622411af4f8078d1535f
SHA1: ec2e4fa3911958d1ff23ed65b0b0f97e2aff7225
SHA256: 90331a4a32a588f26eb815ee41f3f21d6e8d4c97bb6e33736e536e263f8bd747
SHA512: d6383ec1ae71a9a79f21dcb0a8bf7b75f2ed027cef756fb7cff2be35f02d220c8cdf9008ef7a6f938490490254a6d5b446480cf05a86b8afe5c1fc13c9036882
-
Filesize: 499B
MD5: 183330feb3b9701fec096dcbfd8e67e4
SHA1: 2f43379fefa868319a2baae7998cc62dc2fc201d
SHA256: ac4f26a184114522200169c5f57a0af4498a20d19b7ec6def14dd2c6413eb475
SHA512: 643cc197456f15da6ddd6eb904f2b25ad4236a24310d575958c0c8e457a33167e748d21184162502a295fa466c031a837511d4d5348fd67499ede1b60065c471
-
Filesize: 2KB
MD5: a40d9fb446109cd0282a38d38b987da2
SHA1: 213da77bc57b07a7658bd37b4bae0ffca625882e
SHA256: 257d0f177c98ec9578f33932f692c5637cb6ee3310c3e5bf9b9966c37ed46eae
SHA512: 9e64041c459edbfa7c7e9e9dab53282432aeebfe02ee32e104babee285db6c22363692fea108c775f038ebaa1834dab6ec823c3706acf7008a56d8c554cd3c49
-
Filesize: 5.0MB
MD5: 677bc25f723c163aeb9408490bb6b782
SHA1: 98f6ca86cd39c974083e4db1b0e193260cf46830
SHA256: 87602cf0eeb30d81ad5b257c83931959e8d841e07ee81cdb093092b267c21abb
SHA512: eafacc95444a89448396cb94a52628bb573d562429f4368552d4bafc5323333ddd7473fcf315e012b768fe92ced00ad20c2f5138dbb1eb2f560020d5a1ffe7e3
-
Filesize: 5.3MB
MD5: 0849984cff99db55aba5d085efba5d0e
SHA1: 802cdd8163ba992b206c0331b4fb4644bd7ff562
SHA256: e277f4876e73b81abbd09f6f1f5965adf50a458ebd3dcddd98f3f8a145a0f875
SHA512: cf6295bed846c41e899446ec8520a6ed1d7ca522b092bf234aa7912b8797a519501c5fb519b6888a65516c5923b74ad6674bd009c7672880fbb27762b1426b50
-
Filesize: 378KB
MD5: e654635510b1aa9482796b2e543b6f9f
SHA1: d3e85dc5709ff4013c9904eec579cc268bcc843b
SHA256: 8443816d6e933358cdfaa82ac3e75758347d31d02a0ea23c71899c875b2069d9
SHA512: 3b119df0b7d058f47834259a907ae3e132936d2897dbc178eb425a16948c47c15f5126eff3cc5ef306b2ba967063dcf7e5d0066c9102aeec214b12d692d0be8b
-
Filesize: 4.4MB
MD5: 5545333769aa479ed5e4f23f40fccd99
SHA1: c216b59399217290e9f579c1521f0b724d24bf0b
SHA256: a076e1fea2fa579e647968a25c96c7a472d279883fdf25a0dc6345ed6ee5829a
SHA512: e3520b4e544e0b3a3d9d2404d63423968b8c5e3426e88ca71e2d1743520e6ec81464baa2b01fc6199e1004d5496c7d49944d7b4cea84edab384decab3a27202c
-
Filesize: 445KB
MD5: 523c6a8629b886557c7fe84bbc1786a5
SHA1: 0dc9d1fde374d9d5f36f78301d2ceed757ab442e
SHA256: 1f3f02f173bfdb534b642e54356d4ea5a9f95a50d8cd49f45b5d30dc8e77c854
SHA512: bbcd8c1bbd3a02ea3e535ccf27f998a51885d05202331a5387cd76abee16247bc8ed63be08f9fe445ca4622a59e85bb7b20cd9f7b622937a17e93247e8585082
-
Filesize: 1.2MB
MD5: dcd7b4b0bd0fc4c5f243c1a95cdc040d
SHA1: 573a66056afd4c069d3a9e62bf3b68c7d7e4fcbf
SHA256: 9e6ed09af796b01f6ac2bcfa210be10558effe750ad41b8ca852bf8de2a25ea7
SHA512: ff336d34dd5146bfe624de62c59cc77eae39489d5fd1a79a1f42bbe4787549c13613463d56a8433a9dcf2d991aa078e20ced695a960d3f056137e845f15b7849
-
Filesize: 2.9MB
MD5: 24c1c69547498300c8a9fef3d49d1f5b
SHA1: 54adfe188efa56fc52438513692c1306f2f23e52
SHA256: c548c442d41c9ebd90fd22f4248097c857455f05a51125f00f10ab8a2e058cd8
SHA512: 7693251d2dcac0efc8156a94957bf4be9492f3e179692fbe82c30d9fcc6e37771b79f569024a21545299cbc2081aefdd544388b42d635d99f0ff7c7fcdab20ab
-
Filesize: 439KB
MD5: 5fd0772c30a923159055e87395f96d86
SHA1: 4a20f687c84eb327e3cb7a4a60fe597666607cf3
SHA256: 02c7259456eac8cbadfb460377ba68e98282400c7a4a9d0bf49b3313ef6d554d
SHA512: 132a9b969104c0a214bde3f8c6e8f754d116cecdad55224bbea7a40cffd98f4e4de503d83d92cca0aaab9ed51c9efa00ad5caed69a9eda71013598a43b161c3a
-
Filesize: 61KB
MD5: c86cfa96b6bc8d403cc27fe4bb901394
SHA1: c7abcc4df6b149ce9fd04597bab5a2a7d85b53a9
SHA256: ebfe0b2f1ec1d2330329f533d27225a7dde70711b718b71638aab753727f4fb1
SHA512: 19ff68d0e52e856178974e6af89269bbcbd47090caea7964c3c1e8fdba0d340a730b6415aba17c1a66cbf685de8b76a98fd68aaaa78c887e9298c187579e118a
-
Filesize: 41KB
MD5: daecfd1742dfdb76c6a5663c8b3577c5
SHA1: 4857af5fc2c4b780b325682210873748448d9e76
SHA256: 550f635c1c6610b07af9177df139b914d1f42299ed8f75f2dc0f9ac3e2a96294
SHA512: 97848b03260c4306f93339096c4e2d0c5e20715580267c29a1fff16df1056f11662dd2e21bbe85a34d2b07f9806820d1badd043065692699db622e6dfaabd02c
-
Filesize: 1.3MB
MD5: 07e26db5ff3902a3f6aa4804d030982d
SHA1: dfcd419b7d1f52d55f679316110e77c66bf2d289
SHA256: 0d55c384a68fd74df4034250ad60e04de00f072221e95d79ed71a0373db224b9
SHA512: d9d7576f20664600d44f63db99ef23d7a5d03d85d4e7403d4787ee709d63665e52e35f0e2e8abe4c2a5c4db040bd0de4530ff2d87d3fe9ae2df2abaa433e11a4
-
C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\qt\plugins\printsupport\windowsprintersupport.dll
Filesize: 70KB
MD5: 12f25aa0d20ffb93e3090157102e08bf
SHA1: 5a6144e0b6fce079a83becb5c1f81a0f719a5e99
SHA256: e5f45a8bd92387d17668e5d792604818de865b0113366006658ca4a64d1c87f0
SHA512: 884de26e86eccee05b7c7a56f2848f18e6cef783b80d704c89189cb8fff6e4edd258b64d3ed69db9ae40e2c1131b0a251af741d86fed58b8ecf10a9401762ac9
-
C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll
Filesize: 146KB
MD5: b6753bec77430c645682c3b705b6cc13
SHA1: ac523c5a8ba93cdcccb626b359cbb061d45528ec
SHA256: cd950cc5dc9cb3d6634c93c53d044021df14460b7ba25464a2f23389e49ae10f
SHA512: f753c6f3945c3b85460486309bf8d63aa8432fc6acd9be5808f1fdb8b79effcc518245054b14ba0acbe3397145facad3a30d576149dffa344a2823d58a2149fc
-
Filesize: 1.1MB
MD5: 2040cdcd779bbebad36d36035c675d99
SHA1: 918bc19f55e656f6d6b1e4713604483eb997ea15
SHA256: 2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359
SHA512: 83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f
-
Filesize: 81KB
MD5: e51018e4985943c51ff91471f8906504
SHA1: 5899aaccdb692dbdffdaa35436c47d17c130cfd0
SHA256: ff9c1123cff493a8f5eacb91115611b6c1c808b30c82af9b6f388c0ef1f6b46d
SHA512: 2fe5ddad2100aeaea35398384a440ba0be169ef429f7e0b69687bc0f8865df41bc93fc80d3a8f0ddd9df54fc2f2d76b1056a1d1962d37432704c818128ffbd74
-
Filesize: 3KB
MD5: 034f37e6536c1430d55f64168b7e9f05
SHA1: dd08c0ef0d086dfbe59797990a74dab14fc850e2
SHA256: 183a140011774d955e9de189e7a1d53cb4128d6abed61c7bfd5994268ee5f384
SHA512: 0e1911c882152a4e1059a3ce1880d7fb2aed1e1e36cbd37055de2e2a1333acb2a0233ba2a4d969ccebbef1e77809aa5e78807aa9239545beae8c548c0f8f35c0
-
Filesize: 111KB
MD5: 275e4919bf12383eeaae2e35f1aedca2
SHA1: d63a89631852f77f4de039ee5ffd8b46b10e044c
SHA256: d8dc6cf4f19c29825a6da3b4ec663e36de45b1cc17b9b410025b10725f170072
SHA512: b0ca06ebef74c65e7ea7b1d0cc4c250f45134e195a822f8614d6ccb397805166b0399f4057d561e39ea996ab94a7dad40ed637766b781baad3db9af9926f6a9e
-
Filesize: 382B
MD5: 6a5eea749583001de63b993fc66496ba
SHA1: fd41691ec4751e85be89917d46454f8533800b4e
SHA256: bca613688e735ccd1fae7164550bd8ae90862028cd0bf31534c149ea0d7c9f60
SHA512: 6a5b9b863bf139c87b5734d6e8310c7231a1015d8eceb15f76ccf7676d36f9107fd5d817a6f04ed47c3ee45be409073c837beee3c079abde5bc38233c98b9712
-
Filesize: 428B
MD5: 5e1b68b67986b1588301c0135f19fc7c
SHA1: 957ea47285f7d903cce7530ee34852435de5b5b4
SHA256: 23456d8ce681d1a5a31bf06262e088f4feb8d0e8fdc1d37afa4aa02830ffacdc
SHA512: 268ec437c5971552dacca1e9ef6850543614d5a7f05ac34b41bf05f73e97e4c694d59e4f0618a57660ffad4f2faee653b4c0c824f97a6e9fddc48d22c52739af
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B23SUCL7IXVLUCX9QF1X.temp
Filesize: 8KB
MD5: 0dcdf4b7a84a3f63ec4fc93281076a84
SHA1: 9bb55ae32f0060be23d49379ac7aba0d9a5fd72e
SHA256: 550302e5ff6e6a665c70a436e78b1998aba04db213e0a8f4e8acd5b3bdba4f70
SHA512: 013838caf860a2e8007de4d22d6c6b62c65f6587465a49b0dda71ddada6355ba587e5483d848b4cb02cc8da8cdb31b109af8aedbeec7a45c81c9688bae977d54
-
Filesize: 6KB
MD5: 5d49031a8e5556c1212c2c9c9b1359f3
SHA1: 7cfd7a8d3c16c33652c924febbd9b082cb487f31
SHA256: 40dfc5aa5c5bc5d903a345b31a24a047573fc37e518239e6905d6cd5560e83ee
SHA512: f2bf7801078b03bb5a596c650d5c22b0468dde4e25657160001a8425dae92f517369893b7d09e0ac99d730a7692352f56ef5de0bcfde12e91533d97ae489e97f
-
Filesize: 11KB
MD5: 2526c946e9972c8e6ff274e8ccc0ac23
SHA1: d5615abfc489a34b9349d0d5146fee740b0548d6
SHA256: 591cf4a6833cf16b24a441f439600804f5e2192f7985d92bbdf7dc66957b7c5c
SHA512: 8dc93feeeafe0f97a2e6b46086641bf8e59b51a77b827143247c9b6fcaf7b0782ca7c73ab478b5e7478a82c39bf683f5720d6ac6aabb3ee5cdadf8f24bbaf42b
-
Filesize: 13KB
MD5: fd4d0094156b509e2c262432683c58e6
SHA1: 3a1a2cc2e919055827503971b9788f70a8aba3fd
SHA256: bd03b5cd2a15cec78ee6ec93e1d77e6b5e0fd7dddfd1af24aee14e6114336c40
SHA512: eb5d8d061387f6375080a497482a90807a25f27a31495d19c82760be8d5b3afb9e875e76872d1b2ba02936dc7f56bd610707eb6899a0e95d2a529ad28c76181f
-
Filesize: 29KB
MD5: 4e564b66f5d80f10a9f3b214d9910e51
SHA1: b695971b2975e2a5456a1508f305eb4c675bd508
SHA256: 0c5ebb0c7b662c4837dd80f93dccf173d4bda54cfbc896e9a80bdcda8bb15f63
SHA512: b3b5488d372efe41e76b9e20425494439f9fef79bda3185f5e3ed31fba2886b40c86773c97fbdc61a0625b30e0d55071c42b3a0cab92e309a1550e00d0186242
-
Filesize: 48KB
MD5: acefde25e6466512a9b74f3977cd7a85
SHA1: 514e11525e2db7ed1e696aeff899dfc0b09e7ded
SHA256: 46cfef693f457047ec3ef407b0b4dce36a71a13af67a7eeb9963518926d6433d
SHA512: dd46c10f34e7fff2643c5d0e7a10fdac200038339815fd5b54887037ba7ac2ec31435f17a2903e610ae741675d80d9cdf851bc7a94c97119c8de212f57817c72
-
Filesize: 48KB
MD5: 753cf983e32fb977ed61377d3dda0d72
SHA1: bed93f092da03dc86bf9071ff238df8551c556a2
SHA256: ed6bab0aa9432787be9260382f5702e7ee2f020dd9fe201d075826fbe3ebf37e
SHA512: 4bd88ae89aa9a96e5cedb7d59a99a149b889a0ae5f3f69031042b7c6a03ef7cfee07b21c702da5de9aa3f9b0e1c16287567602a3c4adf9608472bfd6521f69e5