422fd6f376378ebb382843e9380b58f82aaa7a70a6587c4751f67fa291331bca

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
07/08/2024, 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
Size

5.6MB
MD5

053bc2f48ebd02038c219f55462ae948
SHA1

054391d58bfb5860f7944bd00aa2a0084786addb
SHA256

422fd6f376378ebb382843e9380b58f82aaa7a70a6587c4751f67fa291331bca
SHA512

cdf902d3296d6f70433db6d3917a8711ee66bc649ffacebd7b86da5cf56c157e633438fd8b9cb24297e1f4da08b631bf3a738e5590f6bda54fa42950ffb28410
SSDEEP

98304:IeF0/sAT4mGfckjASn3ZCto1N1BpxgTuiN54AR6KPOvB/TmmU:LSsATN+V3k0pxMkARP4Q

Score

6^/10

bootkit discovery evasion persistence privilege_escalation trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wpscloudsvr.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
File opened for modification	\??\PhysicalDrive0	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
File opened for modification	\??\PhysicalDrive0	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
File opened for modification	\??\PhysicalDrive0	ksomisc.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\Geo\Nation	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe

Executes dropped EXE 15 IoCs

pid	Process
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
576	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2988	ksomisc.exe
1532	wpscloudsvr.exe
1516	ksomisc.exe
1784	ksomisc.exe
2340	ksomisc.exe
2308	wps.exe
1968	wps.exe
1612	wps.exe
1672	wpsupdate.exe
2256	wpscloudsvr.exe
2500	wpsupdate.exe
1636	wpscloudsvr.exe
2640	ksomisc.exe

Loads dropped DLL 64 IoCs

pid	Process
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\lnkfile\ShellEx	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext\ = "{28A80003-18FD-411D-B0A3-3C81F618E22B}"	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpscloudsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpscloudsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpscloudsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wps.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}	ksomisc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024"	ksomisc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{E436987E-F427-4AD7-8738-6D0895A3E93F}"	ksomisc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}	ksomisc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024"	ksomisc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{AB5357A7-3179-47F9-A705-966B8B936D5E}"	ksomisc.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-20	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\WPP.POTM.6\shell\print	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{000C031E-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{00020957-0000-0000-C000-000000000046}\ = "Paragraph"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{00020995-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{92D41A6D-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{92D41A73-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{000244C2-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{000C0392-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{91493465-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{000C03CF-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{000209C6-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{00020885-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{BA72E556-4FF5-48F4-8215-5505F990966F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{9149346F-5A91-11CF-8700-00AA0060263B}\TypeLib	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{000C030E-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{1498F56D-ED33-41F9-B37B-EF30E50B08AC}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{0002442F-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{00020864-0000-0000-C000-000000000046}\ = "MenuBar"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{0002E18C-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{0002E130-0000-0000-C000-000000000046}\TypeLib\Version = "5.3"	ksomisc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC0714F7-3D04-11d1-AE7D-00A0C90F26F4}\MiscStatus\1	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{000C0356-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\KWPS.SecDocument.9\shell\open\ = "&Open"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{CDB0FF41-E862-47BB-AE77-3FA7B1AE3189}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{B9F1A4E2-0D0A-43B7-8495-139E7ACBD840}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{0002444B-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{0002E176-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{0002094C-0000-0000-C000-000000000046}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{DC489AD4-23C4-4F4B-990F-45A51C7C0C4F}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{0002097B-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{9149345C-5A91-11CF-8700-00AA0060263B}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{92D41A61-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "DataLabel"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{000244AF-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\TypeLib\{00024517-0000-0000-C000-000000000046}\1.2\HELPDIR	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{000209BB-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{50209974-BA32-4A03-8FA6-BAC56CC056FD}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{000209E0-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{B9F1A4E2-0D0A-43B7-8495-139E7ACBD840}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{6D3837A4-F05E-409F-9A65-0D22505A49C3}\TypeLib	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{91493491-5A91-11CF-8700-00AA0060263B}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{0002096B-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{92D41A68-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{00020858-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Excel.Sheet.12\DefaultIcon\.ksobak	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{0002093C-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{0002093F-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{F8DDB497-CA6C-4711-9BA4-2718FA3BB6FE}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{92D41A56-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{00020878-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{00024491-0000-0000-C000-000000000046}\ = "FormatColor"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{000C0368-0000-0000-C000-000000000046}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{00020999-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{8A342FA0-5831-4B5E-82E1-003D0A0C635D}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{000244C4-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{0002446C-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\TypeLib\{A537E638-AB2A-4308-A502-2EFF280C6E98}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.17545\\office6\\ksaddndr.dll"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{000C03C5-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{0002447E-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{00024488-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{CDE12CD8-767B-4757-8A31-13029A086305}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{000209BA-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{7D151DFF-CBAF-4F83-85CE-E2D20E8BF84C}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{92D41A70-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{0002447F-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe

Modifies system certificate store 2 TTPs 20 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\SystemCertificates\TrustedDevices	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\SystemCertificates\TrustedDevices	ksomisc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	wpsupdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	wpsupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\SystemCertificates\TrustedDevices	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs	ksomisc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	wpsupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs	ksomisc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	wpsupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\SystemCertificates\TrustedDevices	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe

Suspicious behavior: AddClipboardFormatListener 8 IoCs

pid	Process
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2988	ksomisc.exe
1516	ksomisc.exe
1784	ksomisc.exe
2340	ksomisc.exe
1672	wpsupdate.exe
2500	wpsupdate.exe
2640	ksomisc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
576	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
576	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
576	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
1532	wpscloudsvr.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
1516	ksomisc.exe
1516	ksomisc.exe
1516	ksomisc.exe
1516	ksomisc.exe
1516	ksomisc.exe
1516	ksomisc.exe
1516	ksomisc.exe
1516	ksomisc.exe
1516	ksomisc.exe
1516	ksomisc.exe
1516	ksomisc.exe
1516	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Token: SeRestorePrivilege	2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Token: SeRestorePrivilege	2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Token: SeRestorePrivilege	2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Token: SeRestorePrivilege	2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Token: SeDebugPrivilege	2988	ksomisc.exe
Token: SeLockMemoryPrivilege	2988	ksomisc.exe
Token: SeDebugPrivilege	1516	ksomisc.exe
Token: SeLockMemoryPrivilege	1516	ksomisc.exe
Token: SeDebugPrivilege	1784	ksomisc.exe
Token: SeDebugPrivilege	2340	ksomisc.exe
Token: SeLockMemoryPrivilege	1784	ksomisc.exe
Token: SeLockMemoryPrivilege	2340	ksomisc.exe
Token: SeLockMemoryPrivilege	1672	wpsupdate.exe
Token: SeLockMemoryPrivilege	2500	wpsupdate.exe
Token: SeDebugPrivilege	2640	ksomisc.exe
Token: SeLockMemoryPrivilege	2640	ksomisc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
2988	ksomisc.exe
1516	ksomisc.exe
1516	ksomisc.exe
1784	ksomisc.exe
2340	ksomisc.exe
1784	ksomisc.exe
2340	ksomisc.exe
1672	wpsupdate.exe
1672	wpsupdate.exe
2500	wpsupdate.exe
2500	wpsupdate.exe
2640	ksomisc.exe
2640	ksomisc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2736	2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe	30
PID 2400 wrote to memory of 2736	2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe	30
PID 2400 wrote to memory of 2736	2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe	30
PID 2400 wrote to memory of 2736	2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe	30
PID 2400 wrote to memory of 2736	2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe	30
PID 2400 wrote to memory of 2736	2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe	30
PID 2400 wrote to memory of 2736	2400	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe	30
PID 2736 wrote to memory of 1532	2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	34
PID 2736 wrote to memory of 1532	2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	34
PID 2736 wrote to memory of 1532	2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	34
PID 2736 wrote to memory of 1532	2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	34
PID 2988 wrote to memory of 848	2988	ksomisc.exe	35
PID 2988 wrote to memory of 848	2988	ksomisc.exe	35
PID 2988 wrote to memory of 848	2988	ksomisc.exe	35
PID 2988 wrote to memory of 848	2988	ksomisc.exe	35
PID 2988 wrote to memory of 848	2988	ksomisc.exe	35
PID 2988 wrote to memory of 848	2988	ksomisc.exe	35
PID 2988 wrote to memory of 848	2988	ksomisc.exe	35
PID 2988 wrote to memory of 1636	2988	ksomisc.exe	50
PID 2988 wrote to memory of 1636	2988	ksomisc.exe	50
PID 2988 wrote to memory of 1636	2988	ksomisc.exe	50
PID 2988 wrote to memory of 1636	2988	ksomisc.exe	50
PID 2988 wrote to memory of 1636	2988	ksomisc.exe	50
PID 2988 wrote to memory of 1636	2988	ksomisc.exe	50
PID 2988 wrote to memory of 1636	2988	ksomisc.exe	50
PID 1636 wrote to memory of 692	1636	regsvr32.exe	37
PID 1636 wrote to memory of 692	1636	regsvr32.exe	37
PID 1636 wrote to memory of 692	1636	regsvr32.exe	37
PID 1636 wrote to memory of 692	1636	regsvr32.exe	37
PID 1636 wrote to memory of 692	1636	regsvr32.exe	37
PID 1636 wrote to memory of 692	1636	regsvr32.exe	37
PID 1636 wrote to memory of 692	1636	regsvr32.exe	37
PID 2736 wrote to memory of 1516	2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	38
PID 2736 wrote to memory of 1516	2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	38
PID 2736 wrote to memory of 1516	2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	38
PID 2736 wrote to memory of 1516	2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	38
PID 2736 wrote to memory of 1784	2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	39
PID 2736 wrote to memory of 1784	2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	39
PID 2736 wrote to memory of 1784	2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	39
PID 2736 wrote to memory of 1784	2736	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	39
PID 576 wrote to memory of 2340	576	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	40
PID 576 wrote to memory of 2340	576	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	40
PID 576 wrote to memory of 2340	576	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	40
PID 576 wrote to memory of 2340	576	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	40
PID 2988 wrote to memory of 2308	2988	ksomisc.exe	42
PID 2988 wrote to memory of 2308	2988	ksomisc.exe	42
PID 2988 wrote to memory of 2308	2988	ksomisc.exe	42
PID 2988 wrote to memory of 2308	2988	ksomisc.exe	42
PID 2308 wrote to memory of 1968	2308	wps.exe	43
PID 2308 wrote to memory of 1968	2308	wps.exe	43
PID 2308 wrote to memory of 1968	2308	wps.exe	43
PID 2308 wrote to memory of 1968	2308	wps.exe	43
PID 2308 wrote to memory of 1612	2308	wps.exe	44
PID 2308 wrote to memory of 1612	2308	wps.exe	44
PID 2308 wrote to memory of 1612	2308	wps.exe	44
PID 2308 wrote to memory of 1612	2308	wps.exe	44
PID 576 wrote to memory of 2080	576	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	45
PID 576 wrote to memory of 2080	576	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	45
PID 576 wrote to memory of 2080	576	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	45
PID 576 wrote to memory of 2080	576	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	45
PID 576 wrote to memory of 2080	576	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	45
PID 576 wrote to memory of 2080	576	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	45
PID 576 wrote to memory of 2080	576	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	45
PID 2080 wrote to memory of 2304	2080	regsvr32.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\wps_download\19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
  C:\Users\Admin\AppData\Local\Temp\wps_download\19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -curlangofinstalledproduct=en_US -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps -enableSetupMuiPkg -appdata="C:\Users\Admin\AppData\Roaming"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Modifies system certificate store
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
    "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService
    3⤵
    - Checks whether UAC is enabled
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1532
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\ksomisc.exe" -installregister sharedMemory_message_F789F4B
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1516
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\kmso2pdfplugins.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1508
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\kmso2pdfplugins64.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2560
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\kmso2pdfplugins64.dll"
        5⤵
        
        PID:2332
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\ksomisc.exe" -sendinstalldyn 5
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1784
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\addons\html2pdf\html2pdf.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2548
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\\office6\ksomisc.exe" -defragment
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2640

C:\Users\Admin\AppData\Local\Temp\wps_download\19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
"C:\Users\Admin\AppData\Local\Temp\wps_download\19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe" -downpower -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -curlangofinstalledproduct="en_US" -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -enableSetupMuiPkg="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -appdata="C:\Users\Admin\AppData\Roaming" -msgwndname=wpssetup_message_F7852D1 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~f785090\
1⤵
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:576
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2340
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\kwpsmenushellext64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\system32\regsvr32.exe
    /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\kwpsmenushellext64.dll"
    3⤵
    - Modifies system executable filetype association
    PID:2304
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\wpsupdate.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\wpsupdate.exe" /from:setup
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1672
- - C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
    "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2256
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\wpsupdate.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\wpsupdate.exe" -createtask
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2500
- - C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
    "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1636

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\ksomisc.exe" -installregister sharedMemory_message_F789750 -forceperusermode
1⤵
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\kmso2pdfplugins.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:848
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\kmso2pdfplugins64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\kmso2pdfplugins64.dll"
    3⤵
    PID:692
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\wps.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\wps.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\wps.exe" CheckService
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1968
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\wps.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.17545/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=2308 /prv
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\addons\kodfconverthelper_xa\mui\pt_BR\kodfconverthelper.qm

Filesize
334B

MD5
2b42be10ddde43a0b6c2e461beae293a

SHA1
53888c4798bc04fdfc5a266587b8dc1c4e0103f3

SHA256
984ebeef80f6f50907afb92e5b5ae72df49fce045552c118a77a8887cc98e19b

SHA512
be3ebd02d37de367200696351fb5f9cd0ec4c206c3a33f281cb8b62386457a30a899322798c63a0d495577393e47258994feb7f8e2445645f552c2b7a2de6778

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\pt_PT\history.js

Filesize
198KB

MD5
b4b4c703bf5c6c0b5e9c57f05012d234

SHA1
929aee49e800e88b4b01f4a449fa86715d882e42

SHA256
910eada285d4900ea8e36faf305f731cfb200b317ea866839f5f4864a9dfc09b

SHA512
2afa881ee2f47e97249904b506cf88d68a34c166d9dc0a603f68369e640336f2c0b424ecb7b23d4631a96e175b965478bfa4ebc0224b0410551e55ac4c8ad0ec

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\cfgs\setup.cfg

Filesize
434B

MD5
fefcf071a7095979ab7dd4250e4f90e1

SHA1
32e54bd7ed424fdabed8731f2712c826baafed02

SHA256
5b7ef3a39ef8bc5c55f7f3e5fc52e3091dbc11ce8dbeb75280cad1a838d98c03

SHA512
304c44927033ec7c61406d819e3c55f5ace4915deb080cccbc717815e3b4768f4ee5bba74ce36d39d90134259d717ad62635140c2ffe650c9eba9546b44df40d

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\ksomisc.exe

Filesize
3.0MB

MD5
7bb2f1b65aa59efd5c5d5c55c8abb4bd

SHA1
bc5d63b0a3deafd23c381f4aa4c00087169f2b1e

SHA256
46bf0a723e62b0b7690e817c689a61e565d171566241378967853f8141d2ead0

SHA512
68e4813c6bd06d90fc0ab96b0dad0e58c6bcf8ac3e7c938d2074a92785b3248aa9c5e66f9fa4ba08b5b2139d5073f91fa816582916e52dc1d9212245b81a081b

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\mui\ja_JP\resource\splash\hdpi\2x\ent_background_2019_wpsoffice.png

Filesize
236KB

MD5
c5ad1903526a9ca4c2f55cfea1e22778

SHA1
9c7b9ba9100a919cad272fb85ff95c4cde45de9f

SHA256
5e7ba996d2331f37b9799767c0fa806cab9a39fea434796ab08dcaf39096e334

SHA512
e482142e81fbe71666b40f7a2c53702b4278436a0240e0f56200443cf4235d9942cccc3545cc01486d53a0972be553cbf93442e8b05de7b4fcd1fe8a4ec16bb4

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\qt\plugins\platforms\qdirect2d.dll

Filesize
1.4MB

MD5
b6c09edb687fc466082ba988b380460d

SHA1
a89dcf546009a17cfba9f2ed9c553902cd28ab74

SHA256
08695bd8865f96f23d3d164de9c3cfe499c051e7906fa4876c1634439f18b05d

SHA512
6b002547c8ef2e978cbce8625b1e9ca94d9c7b0e2bba40ac6dda4fcb70145f3384348d81b38290bfbfd823af6018c0b61a8ef21002280242a6de04586da43f4d

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\wpscenter.exe

Filesize
881KB

MD5
164a06049fa28665d2aa4f2a9b61f2ab

SHA1
3b319684edb6a391594c093f0148c2846f862e43

SHA256
b158fb27a7aeffbb1c808ca8877ddc8b62b0ed6ebc1424273f6c0be127cd4142

SHA512
dcb841a9c26c760c15a2bcf28a278e08ee11eceeeffc8edf2892701f22023c0016f566aa9fe5dea4ad19a56efa367b2cb8ac1de8b2bdba366758eb440d27a3fd

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\utility\install.ini

Filesize
499B

MD5
183330feb3b9701fec096dcbfd8e67e4

SHA1
2f43379fefa868319a2baae7998cc62dc2fc201d

SHA256
ac4f26a184114522200169c5f57a0af4498a20d19b7ec6def14dd2c6413eb475

SHA512
643cc197456f15da6ddd6eb904f2b25ad4236a24310d575958c0c8e457a33167e748d21184162502a295fa466c031a837511d4d5348fd67499ede1b60065c471

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\utility\install.ini

Filesize
675B

MD5
0cb3fdae1d22f84423b723505bbe84a9

SHA1
f15cd5dfe4d5c618983309b886b92cad4463d607

SHA256
33737bdc5de919d62a2dfe2458bb6d154c58019063fd8d5057643d1bc0d1963a

SHA512
8a79a44191dc4588464e9b2a93cd8401f1a6fbca86d96e9bc34a7e1fa2ce1ee76710a348f99d0661b2c87831601f1db87df057171afcc6c47eeba793f111cfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabACF4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kingsoft\WPS Office.lnk

Filesize
2KB

MD5
2f617085a7e1b54c53d9d7b176d09870

SHA1
01a539c5d075900b3e35279f660a22141c5b6569

SHA256
956329c1ad8db7086e4dbe1daf7e9509a69614305a155a98cbc4c1990cc78f8d

SHA512
e075643f069615a5abc6f1a529410d94914959ed6382a698348d04fb1e8865dd4cd52afb31aff1a634c292ccbde7528e6b80b386cc89df7867bdddfb753ccf42

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF4CF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\pl_PL\style.xml

Filesize
3KB

MD5
034f37e6536c1430d55f64168b7e9f05

SHA1
dd08c0ef0d086dfbe59797990a74dab14fc850e2

SHA256
183a140011774d955e9de189e7a1d53cb4128d6abed61c7bfd5994268ee5f384

SHA512
0e1911c882152a4e1059a3ce1880d7fb2aed1e1e36cbd37055de2e2a1333acb2a0233ba2a4d969ccebbef1e77809aa5e78807aa9239545beae8c548c0f8f35c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\product.dat

Filesize
118KB

MD5
61bb8ee449b2f02bea213af64534580a

SHA1
032a8127561b9edad1a0ee4e74d26dfa8bae0c10

SHA256
908caa03d3fb2a706314ae30f7c12ff3a12a0af28eac3f5f09d65571fbc14820

SHA512
6fc56423b44e682881e97a7d423690f9dbff43c714bd571b5c84ab8d8fafbfb198b8daed6ad9877656d75dc1fba0d8322de4e62efeb6ca34129d28473a4c10f9

Download Submit
C:\Users\Admin\AppData\Local\tempinstall.ini

Filesize
387B

MD5
c38481658f9149eba0b9b8fcbcb16708

SHA1
f16a40af74c0a04a331f7833251e3958d033d4da

SHA256
d0d73f49bc21b62fe05c47024d69406a3227da0f6b4ffe237726e6a031f188d2

SHA512
8f98d62f88442b8ef94aa10074e35aa8d9494f3c76ce8b143ca0bf7fa0d917f3175212fbcd6e7b0597fd0ec0e1b2827f157135512fb01c88218d36e2f7dd73ce

Download Submit
C:\Users\Admin\AppData\Local\tempinstall.ini

Filesize
433B

MD5
a9519168ca6299588edf9bd39c10828a

SHA1
9f0635e39d50d15af39f5e2c52ad240a428b5636

SHA256
9e87b2ff306efedf7bf1074749b4602c332bc825aed80721eba19d5f544d2ec3

SHA512
0607eb1f5598320961fbd8ef75beeb1b6dc1af3cae7eeb5ba352f3e2a2edb25e1d9e68fb46c24e4299957352c0c906314c889c2d1092437eccc1d1a0485f3557

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RJ8RXVZ1Y5COBI14C3PJ.temp

Filesize
8KB

MD5
156e48c5d012799229c47cddb5d0fae2

SHA1
be4a3b21bd643a7ad8fb4e9161650fd709563976

SHA256
21c0fd81f635903da048bef61e538938a41ea33a2b34c3d6e27794e3f0fb419e

SHA512
02b6ee58f6ee4f4bf70d1b760bd004eb352b0d29b9c6e46e702f88e78d91393ca7e18becf09c66b6cd4d98d97c4de2979a8c02549f428436741588b368945991

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\cfg\localconfig.data

Filesize
84KB

MD5
81863dd9aa6d605e93564d0b195d7e95

SHA1
b9e899b6666d92d464b2f5a4b61680358bf4f270

SHA256
e647dc5fd1d1d5b1160ba8b24667fdd165be127b1abe1f8ef2ef82bb62b933a3

SHA512
18a88079e073cf4e04de2bb5894251bb54cc37fe8e16077d264277a7f032f592892bf87a4973e8860198a84698f759b98fabdcee9a83b540ce039a8f46479674

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\configs\configure2

Filesize
192B

MD5
7a7ef01d57010e5360c92dc98b972652

SHA1
3440da49ef226d2e85511740eac6aa05533c1752

SHA256
75a9e5a047592992d9f1d3c00f91de604bf710929cf219a1b56be70588ebcb4a

SHA512
8a9e5f6779c1b382566d99ccd1ae1f48d64cb28b1848390f4ab1985bcf5730234fec710a4419a934d468675b457aa1d2ee9bb818526b89d24081f41053a0ffe8

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\ksomisc\ksomisc_2024_08_07.log

Filesize
6KB

MD5
d18d502b2fb694e4822ab5861876309e

SHA1
01fd7ee60382084baa5f1798c669f26c9a01a2c0

SHA256
ab7e34b862d7f53638b02795642eab555928ecc43542696b398710d0271908c5

SHA512
c972ead8ce9b8f30d481800e687b9e45f78d6fcf3075227637d691b1241abd9b94ddb4edc712a8cff8b0f21384c0a3299f93e7bcb6362d46cd698caac5dc69de

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
11KB

MD5
a9abb496a57bc09171fd9115e99ac3f4

SHA1
4153d781cb356a0937690bb400414e0839cf796e

SHA256
cfe0ef427179e29fc195493d715e3bfb2d990a8db21908d0635589e544130a12

SHA512
a100826786f18f6961164d05a4a5f796dbf192cab6f5689c8aa0dbef3dd715dfc32d580d4edd54e37cd97f5e47b1256c6a0e8b6cfc7bf152314eb8e5873725ea

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
20KB

MD5
061192db9b76625d538828aa013791c9

SHA1
66b563ab3ba78484dffdc2f79ce63e5f038445e0

SHA256
6fc6a8a2873ab1482599cd0e1ad2ef2ee47dc57062bb3c417e773fa297841bb0

SHA512
fda268314693c7e5a2bdb423cf6deeb557bfd4be510a4f2c14826cd7115360164c64e987ab00f0ff412842767c9f9af05bca1365c05509698583f1c5754fe6bc

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
29KB

MD5
7470f86c1a7e03aecff03ad7483f0a10

SHA1
e30794a2ea8f2d29949b20671f11edd42086a58f

SHA256
ecba363882b1354e7b80a26dea5790d827d420ec949aaa3ba3d15b649ed6c2e7

SHA512
f1e66b98b2ad700623a14f936fc24276174bb0aad426a4cb4fd1dd3739078f6e39729bab01a0c7a4460c403dd5f3f5a32146cbbc5a1fab87a8699713afa86c43

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
48KB

MD5
984e0b5872affe670dc79f7492f0788f

SHA1
c826deec3d55a5435cc6e7a9aa952b94d0b2e5ff

SHA256
7e882ebeb15a623aefade33bacba367d2d0ca0b7ad53fad3f6aa48e69ffc88a3

SHA512
1490911f265b70ee94c5437797fdb22ac29ae7f8010c4a1921272519b7c2a1cee4153b82bee148830d82b5687fa14d6c3c13d10a05e8b433329a3d9c00d9a86b

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\Qt5NetworkKso.dll

Filesize
1.1MB

MD5
98fc4319ec9e4e0d8fb2d80b8d0c28c4

SHA1
0c6c574bf6afaed924f3a405c0bff4c2e977527d

SHA256
70943a33957824c2ac4b4fad967c04a61ab0944efb463ee2136af7bf89b1455f

SHA512
a0e3cf2675abaa1823fe0deefbef4f8e19e741657c21a0c718a6d38547a8d28fb73f2cd8a4ab1495471168f5391a4771ecc631e6dc584073dc87faadd4bb60b4

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\office6\Qt5CoreKso.dll

Filesize
5.0MB

MD5
45eba89473d014c8d833ed6b34d06505

SHA1
db590bef1c8af4901b4dc7a598e681b30fadfc93

SHA256
efe5f0505557175c4b09dd5aefd0eb515c0fc2928641de4f8458a8e90c774927

SHA512
9134fd620fe2b4471ec6ad3b402fb7e6a8f40423650b6eb584fa357cd2e559edc43d16fcc25ced283f1766bb4a11f6737f5ff3bc28c3a1d13524885495437bf1

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\office6\Qt5GuiKso.dll

Filesize
5.3MB

MD5
c93e42a4639a863b13011b0ed94ede43

SHA1
a3aa84dd5af36bbffc84b0b2334f16466d2cf296

SHA256
5d7431ba6b51becc7a0ebcf9d2431c55c659abb3e09115793cc41f12198045d3

SHA512
3b39f9ad62c4a96e437a5109b5dfb48edb9e9d5f4e61152a23ebf482fd0d6b6e78e0dabb1cc2d6a772d71faf3b90909132f3d2f3289e45df9a1779377a9823cc

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\office6\Qt5SvgKso.dll

Filesize
390KB

MD5
1641d292bedddbb714b9c2add211329d

SHA1
b6838729ef5ca7d84529072067c82e92f6f7bfcf

SHA256
a485b16beddc820d099764543478b44f2644f3693b7133b692b575a115e48b43

SHA512
4297e4413eb919dbea68499f8bbb3e5bd771134a4e3cc47f24bc84e47c2b30d409176a03e7c840acdbea35b09c23aadfb6984980853e6a86bf8d539e59c062d5

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\office6\Qt5WidgetsKso.dll

Filesize
4.5MB

MD5
d8517088384b4bbceaddbec91e5c0a4b

SHA1
be99021c12de9d3e353b59a9507fe1db8686cb3d

SHA256
2a0f41c83b2910a799b4a816cf373db4fe8be04bae67c743a12fa547c846f7c9

SHA512
8248c1204854d02acb6ef830d39c6dff5b362fd1f3b1ef9732794b461127e198d5c4b8fa6414765dd378b0a3bd67cbfad666ed631bc39a9ad24bca879ef312db

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\office6\Qt5WinExtrasKso.dll

Filesize
217KB

MD5
42a6bb191a0e7a9dcbe0f82507c9d0f9

SHA1
9ff27bde1579f189bef5d6f43bcbd4ea34bba276

SHA256
e1d09aad26998083bc1a17f203cd272f057ff6b61de50c50b8c1ba182ac66c30

SHA512
c7199769bba9e3eddd38aeb172b2ebd8574e4fc3984d0ff7c1b1bbc93ce72b3829b1e2c8c9122651dd0a5bb73c48364bbb232e6336a471e841c2bbdfff36a027

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\office6\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
cd3cec3d65ae62fdf044f720245f29c0

SHA1
c4643779a0f0f377323503f2db8d2e4d74c738ca

SHA256
676a6da661e0c02e72bea510f5a48cae71fdc4da0b1b089c24bff87651ec0141

SHA512
aca1029497c5a9d26ee09810639278eb17b8fd11b15c9017c8b578fced29cef56f172750c4cc2b0d1ebf8683d29e15de52a6951fb23d78712e31ddcb41776b0f

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\office6\api-ms-win-core-file-l2-1-0.dll

Filesize
10KB

MD5
b181124928d8eb7b6caa0c2c759155cb

SHA1
1aadbbd43eff2df7bab51c6f3bda2eb2623b281a

SHA256
24ea638dfa9f40e2f395e26e36d308db2ab25ed1baa5c796ac2c560ad4c89d77

SHA512
2a43bf4d50d47924374cde689be24799c4e1c132c0bc981f5109952d3322e91dd5a9352b53bb55ca79a6ea92e2c387e87c064b9d8c8f519b77fff973d752dc8f

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\office6\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
21519f4d5f1fea53532a0b152910ef8b

SHA1
7833ac2c20263c8be42f67151f9234eb8e4a5515

SHA256
5fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1

SHA512
97211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\office6\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
b5c8334a10b191031769d5de01df9459

SHA1
83a8fcc777c7e8c42fa4c59ee627baf6cbed1969

SHA256
6c27ac0542281649ec8638602fbc24f246424ba550564fc7b290b683f79e712d

SHA512
59e53c515dfa2cd96182ca6539ed0ea2ebb01f5991beb08166d1fc53576aeaafebbb2c5ee0ccbdab60ae45fc6a048fff0b5e1b8c9c26907791d31fb7e75b1f39

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\office6\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
86421619dad87870e5f3cc0beb1f7963

SHA1
2f0fe3eb94fa90577846d49c03c4fd08ef9d3fb2

SHA256
64eccd818f6ffc13f57a2ec5ca358b401ffbb1ca13b0c523d479ef5ee9eb44ab

SHA512
dbce9904dd5a403a5a69e528ee1179cc5faab1361715a29b1a0de0cd33ad3ae9c9d5620dafb161fda86cb27909d001be8955940fd051077ffe6f3ff82357ad31

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\office6\api-ms-win-crt-convert-l1-1-0.dll

Filesize
14KB

MD5
88f89d0f2bd5748ed1af75889e715e6a

SHA1
8ada489b9ff33530a3fb7161cc07b5b11dfb8909

SHA256
02c78781bf6cc5f22a0ecedc3847bfd20bed4065ac028c386d063dc2318c33cc

SHA512
1f5a00284ca1d6dc6ae2dfce306febfa6d7d71d421583e4ce6890389334c2d98291e98e992b58136f5d1a41590553e3ad42fb362247ae8adf60e33397afbb5df

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\office6\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
0979785e3ef8137cdd47c797adcb96e3

SHA1
4051c6eb37a4c0dba47b58301e63df76bff347dd

SHA256
d5164aecde4523ffa2dcfd0315b49428ac220013132ad48422a8ea4ca2361257

SHA512
e369bc53babd327f5d1b9833c0b8d6c7e121072ad81d4ba1fb3e2679f161fb6a9fa2fca0df0bac532fd439beb0d754583582d1dbfeccf2d38cc4f3bdca39b52d

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\office6\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
12KB

MD5
a1b6cebd3d7a8b25b9a9cbc18d03a00c

SHA1
5516de099c49e0e6d1224286c3dc9b4d7985e913

SHA256
162ccf78fa5a4a2ee380f72fbd54d17a73c929a76f6e3659f537fa8f42602362

SHA512
a322fb09e6faaff0daabb4f0284e4e90ccacff27161dbfd77d39a9a93dbf30069b9d86bf15a07fc2006a55af2c35cd8ea544895c93e2e1697c51f2dafad5a9d7

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\office6\api-ms-win-crt-heap-l1-1-0.dll

Filesize
11KB

MD5
a6a9dfb31be2510f6dbfedd476c6d15a

SHA1
cdb6d8bd1fbd1c71d85437cff55ddeb76139dbe7

SHA256
150d32b77b2d7f49c8d4f44b64a90d7a0f9df0874a80fc925daf298b038a8e4c

SHA512
b4f0e8fa148fac8a94e04bf4b44f2a26221d943cc399e7f48745ed46e8b58c52d9126110cdf868ebb723423fb0e304983d24fe6608d3757a43ad741bddb3b7ec

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\office6\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
50b721a0c945abe3edca6bcee2a70c6c

SHA1
f35b3157818d4a5af3486b5e2e70bb510ac05eff

SHA256
db495c7c4ad2072d09b2d4506b3a50f04487ad8b27d656685ea3fa5d9653a21d

SHA512
ef2f6d28d01a5bad7c494851077d52f22a11514548c287e513f4820c23f90020a0032e2da16cc170ae80897ae45fc82bffc9d18afb2ae1a7b1da6eef56240840

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\office6\api-ms-win-crt-math-l1-1-0.dll

Filesize
21KB

MD5
461d5af3277efb5f000b9df826581b80

SHA1
935b00c88c2065f98746e2b4353d4369216f1812

SHA256
f9ce464b89dd8ea1d5e0b852369fe3a8322b4b9860e5ae401c9a3b797aed17bf

SHA512
229bf31a1de1e84cf238a0dfe0c3a13fee86da94d611fbc8fdb65086dee6a8b1a6ba37c44c5826c3d8cfa120d0fba9e690d31c5b4e73f98c8362b98be1ee9600

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\office6\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
4f06da894ea013a5e18b8b84a9836d5a

SHA1
40cf36e07b738aa8bba58bc5587643326ff412a9

SHA256
876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732

SHA512
1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\office6\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
16KB

MD5
5765103e1f5412c43295bd752ccaea03

SHA1
6913bf1624599e55680a0292e22c89cab559db81

SHA256
8f7ace43040fa86e972cc74649d3e643d21e4cad6cb86ba78d4c059ed35d95e4

SHA512
5844ac30bc73b7ffba75016abefb8a339e2f2822fc6e1441f33f70b6eb7114f828167dfc34527b0fb5460768c4de7250c655bc56efd8ba03115cd2dd6f6c91c0

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\office6\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
f364190706414020c02cf4d531e0229d

SHA1
5899230b0d7ad96121c3be0df99235ddd8a47dc6

SHA256
a797c0d43a52e7c8205397225ac931638d73b567683f38dd803195da9d34eac2

SHA512
a9c8abbd846ab55942f440e905d1f3864b82257b8daa44c784b1997a060de0c0439ecc25a2193032d4d85191535e9253e435deed23bdf3d3cb48c4209005a02e

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\office6\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
d0b6a2caec62f5477e4e36b991563041

SHA1
8396e1e02dace6ae4dde33b3e432a3581bc38f5d

SHA256
fd44d833ea40d50981b3151535618eb57b5513ed824a9963251d07abff2baedf

SHA512
69bd6df96de99e6ab9c12d8a1024d20a034a7db3e2b62e8be7fdbc838c4e9001d2497b04209e07a5365d00366c794c31ee89b133304e475dde5f92fdb7fcb0bc

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\office6\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
3dfb82541979a23a9deb5fd4dcfb6b22

SHA1
5da1d02b764917b38fdc34f4b41fb9a599105dd9

SHA256
0cd6d0ff0ff5ecf973f545e98b68ac6038db5494a8990c3b77b8a95b664b6feb

SHA512
f9a20b3d44d39d941fa131c3a1db37614a2f9b2af7260981a0f72c69f82a5326901f70a56b5f7ad65862630fce59b02f650a132ee7ecfe2e4fc80f694483ca82

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\office6\kpacketui.dll

Filesize
2.9MB

MD5
3c247d177e2c0a69d9210999d3818cd1

SHA1
ae024d717444631fc7006f888fb199bedca6cdc1

SHA256
87031506cf9ac73bbf0389a6869d2c444520aeb0533d0e8e9b83d50fbe9f0dd3

SHA512
a9b37b0e78bdea5ab304d5e359fc7e57e3af4eb74101536bc756ec430b1d9a7856c81e8d6d7a6c0ed15b48229ab98972a4c808de0402669d76e1151bf23d017e

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\office6\msvcp140.dll

Filesize
427KB

MD5
db1e9807b717b91ac6df6262141bd99f

SHA1
f55b0a6b2142c210bbfeebf1bac78134acc383b2

SHA256
5a6dfa5e1ffb6c1e7fc76bd121c6c91305e10dd75fc2124f79fee291a9dd9e86

SHA512
f0621977d20989d21ae14b66c1a7a6c752bfd6d7ccc2c4c4ec1c70ba6756e642fb7f9b1c6a94afadd0f8a05d3c377792e4aa4c1a771d833c40a6f46b90cbe7c3

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll

Filesize
61KB

MD5
4024705136893daf28183cd025b6cdb6

SHA1
9abede94e6f15370f1dbf0563045c6639f028d72

SHA256
6894c28a1d19eb17228ccbc216a26575f2c25ef36d47c6796c6d5160583a7204

SHA512
5476496ce4118f3c4ccd8079e0a4a4dc86619f6f6ada1be2922ff6b9ba31775fee183da7ab7329b5e1d87328c56173ef22689134c7b4e56391a07f51dd313b24

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\office6\qt\plugins\imageformats\qsvg.dll

Filesize
41KB

MD5
4ae8c2aef0ced0107d35f1fb6fe196df

SHA1
238540a1b93cc2ac801b9dc44d18279f02233363

SHA256
d614f0fad7a265e2daa52a864822045d3ad8a8d9bf98c7fd84735414d20af251

SHA512
4adec56832fa5caee89669795c7f961627fa3b11712fb02e4fc2e45e2093c5956e764f3f1b77399abf162a734ef9909227b92a94eded9ccd98622e4ce22aa15d

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\office6\qt\plugins\platforms\qwindows.dll

Filesize
1.3MB

MD5
d159351f966fb545c60ee8ad1f27481e

SHA1
1fdc6ae0f926f7d0a80d9a6432918f8dee7bddef

SHA256
ceb1c200a1f09be8392d0ae69bd64fa8161e6fdcb729616e3d323d840fd2a02c

SHA512
444d846935575bc4d6f616bc9418fbd6dcddbad68309826b36820c05d6367d5dceadf8f615347dc61086476f3e54076182f4a6667aef7b1a4f2548932c4766b5

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll

Filesize
145KB

MD5
050dd1f2f92b972c2c2fe167af73f14b

SHA1
7452f3f57c5772532a1955d41888c6bc8a210554

SHA256
e5f8d2a772626ada3c0ff654f40e311e2476e1e17f9a040116b5751aec638c82

SHA512
6e6b3cb9c75d8e2d4c02917ce245772387d40de44ff5a43843ec78f57e6cfa4d895af57f6ab7d71b2674d7a0137576600d7e80b67ee1d6ea35144bb4f928929c

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\office6\ucrtbase.dll

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f785090\CONTROL\office6\vcruntime140.dll

Filesize
75KB

MD5
8fdb26199d64ae926509f5606460f573

SHA1
7d7d8849e7c77af3042a6f54bdf2bb303d7cd678

SHA256
f1fd5f6ec1cfe0cc3b66b5322ac97568bc63b19c1e415b99aad7c69ddbafa33c

SHA512
f56bf11d4259dbf5d4d1f9fc2ad60ff609cddb21278999e9fa55fe5d74552e8a01ddc55cfdc9bf4b09b3e3130a1356142a24a7db8ec5ea19344de617dc9fa99f

Download Submit
memory/1516-4396-0x000000006C590000-0x000000006C5A0000-memory.dmp

Filesize
64KB

Download
memory/1516-4393-0x000000006C590000-0x000000006C5A0000-memory.dmp

Filesize
64KB

Download
memory/1516-4397-0x000000006C590000-0x000000006C5A0000-memory.dmp

Filesize
64KB

Download
memory/1516-4392-0x000000006C590000-0x000000006C5A0000-memory.dmp

Filesize
64KB

Download
memory/1516-4395-0x000000006C590000-0x000000006C5A0000-memory.dmp

Filesize
64KB

Download
memory/1516-4394-0x000000006C590000-0x000000006C5A0000-memory.dmp

Filesize
64KB

Download
memory/1612-4658-0x000000006F760000-0x0000000070E37000-memory.dmp

Filesize
22.8MB

Download
memory/2308-4645-0x000000006F760000-0x0000000070E37000-memory.dmp

Filesize
22.8MB

Download
memory/2308-4639-0x000000006D440000-0x000000006D450000-memory.dmp

Filesize
64KB

Download
memory/2308-4638-0x000000006D440000-0x000000006D450000-memory.dmp

Filesize
64KB

Download
memory/2308-4640-0x000000006D440000-0x000000006D450000-memory.dmp

Filesize
64KB

Download
memory/2308-4641-0x000000006D440000-0x000000006D450000-memory.dmp

Filesize
64KB

Download
memory/2308-4642-0x000000006D440000-0x000000006D450000-memory.dmp

Filesize
64KB

Download
memory/2308-4643-0x000000006D440000-0x000000006D450000-memory.dmp

Filesize
64KB

Download
memory/2340-4568-0x000000006C590000-0x000000006C5A0000-memory.dmp

Filesize
64KB

Download
memory/2340-4563-0x000000006C590000-0x000000006C5A0000-memory.dmp

Filesize
64KB

Download
memory/2340-4564-0x000000006C590000-0x000000006C5A0000-memory.dmp

Filesize
64KB

Download
memory/2340-4565-0x000000006C590000-0x000000006C5A0000-memory.dmp

Filesize
64KB

Download
memory/2340-4566-0x000000006C590000-0x000000006C5A0000-memory.dmp

Filesize
64KB

Download
memory/2340-4567-0x000000006C590000-0x000000006C5A0000-memory.dmp

Filesize
64KB

Download
memory/2640-4977-0x000000006C590000-0x000000006C5A0000-memory.dmp

Filesize
64KB

Download
memory/2640-4976-0x000000006C590000-0x000000006C5A0000-memory.dmp

Filesize
64KB

Download
memory/2640-4981-0x000000006C590000-0x000000006C5A0000-memory.dmp

Filesize
64KB

Download
memory/2640-4978-0x000000006C590000-0x000000006C5A0000-memory.dmp

Filesize
64KB

Download
memory/2640-4979-0x000000006C590000-0x000000006C5A0000-memory.dmp

Filesize
64KB

Download
memory/2640-4980-0x000000006C590000-0x000000006C5A0000-memory.dmp

Filesize
64KB

Download
memory/2736-199-0x0000000000210000-0x0000000000212000-memory.dmp

Filesize
8KB

Download
memory/2736-5000-0x0000000073C60000-0x0000000073D7F000-memory.dmp

Filesize
1.1MB

Download
memory/2988-4285-0x000000006C5A0000-0x000000006C5B0000-memory.dmp

Filesize
64KB

Download
memory/2988-4291-0x000000006C590000-0x000000006C5A0000-memory.dmp

Filesize
64KB

Download
memory/2988-4290-0x000000006C590000-0x000000006C5A0000-memory.dmp

Filesize
64KB

Download
memory/2988-4289-0x000000006C590000-0x000000006C5A0000-memory.dmp

Filesize
64KB

Download
memory/2988-4288-0x000000006C590000-0x000000006C5A0000-memory.dmp

Filesize
64KB

Download
memory/2988-4284-0x000000006F760000-0x0000000070E37000-memory.dmp

Filesize
22.8MB

Download
memory/2988-4287-0x000000006C590000-0x000000006C5A0000-memory.dmp

Filesize
64KB

Download
memory/2988-4286-0x000000006C590000-0x000000006C5A0000-memory.dmp

Filesize
64KB

Download