422fd6f376378ebb382843e9380b58f82aaa7a70a6587c4751f67fa291331bca

Analysis

max time kernel
98s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2024 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
Size

5.6MB
MD5

053bc2f48ebd02038c219f55462ae948
SHA1

054391d58bfb5860f7944bd00aa2a0084786addb
SHA256

422fd6f376378ebb382843e9380b58f82aaa7a70a6587c4751f67fa291331bca
SHA512

cdf902d3296d6f70433db6d3917a8711ee66bc649ffacebd7b86da5cf56c157e633438fd8b9cb24297e1f4da08b631bf3a738e5590f6bda54fa42950ffb28410
SSDEEP

98304:IeF0/sAT4mGfckjASn3ZCto1N1BpxgTuiN54AR6KPOvB/TmmU:LSsATN+V3k0pxMkARP4Q

Score

8^/10

bootkit discovery evasion persistence privilege_escalation trojan

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
52	4656	cmd.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wpscloudsvr.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
File opened for modification	\??\PhysicalDrive0	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
File opened for modification	\??\PhysicalDrive0	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
File opened for modification	\??\PhysicalDrive0	ksomisc.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wpsupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wpsupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	ksomisc.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe

Executes dropped EXE 15 IoCs

pid	Process
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
4164	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2912	ksomisc.exe
1544	wpscloudsvr.exe
4904	ksomisc.exe
1916	ksomisc.exe
2068	ksomisc.exe
4980	wps.exe
1096	wps.exe
4496	wps.exe
4620	wpsupdate.exe
2024	wpscloudsvr.exe
4912	wpsupdate.exe
4972	wpscloudsvr.exe
3540	ksomisc.exe

Loads dropped DLL 64 IoCs

pid	Process
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
4228	regsvr32.exe
4120	regsvr32.exe
3720	regsvr32.exe
4904	ksomisc.exe
4904	ksomisc.exe
4904	ksomisc.exe
4904	ksomisc.exe
4904	ksomisc.exe
4904	ksomisc.exe
4904	ksomisc.exe
4904	ksomisc.exe
4904	ksomisc.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ kwpsshellext\ = "{28A80003-18FD-411D-B0A3-3C81F618E22B}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpscloudsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpscloudsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpscloudsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wps.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}	ksomisc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024"	ksomisc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{E436987E-F427-4AD7-8738-6D0895A3E93F}"	ksomisc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}	ksomisc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024"	ksomisc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{AB5357A7-3179-47F9-A705-966B8B936D5E}"	ksomisc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\Interface\{842C37FE-C76F-4B2B-9B60-C408CB5E838E}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\KWPP.OutwardPresentation.9\shell\ = "open"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\KWPP.Template.9\CLSID\ = "{44720444-94BF-4940-926D-4F38FECF2A48}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\Interface\{00024439-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\Interface\{DB77D541-85C3-42E8-8649-AFBD7CF87866}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\Interface\{000C0339-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\Interface\{000C1530-0000-0000-C000-000000000046}\ = "OfficeDataSourceObject"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Interface\{00020985-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\Interface\{02B17CB4-7D55-4B34-B38B-10381433441F}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\Interface\{00020962-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\CLSID\{00024512-0000-0000-C000-000000000046}\ = "RefEdit.Ctrl"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\ET.Xls.6\shell\print\ = "&Print"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Interface\{000C03B2-0000-0000-C000-000000000046}\ = "TextColumn2"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Interface\{000C037F-0000-0000-C000-000000000046}\TypeLib\Version = "63.1"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\Interface\{00020950-0000-0000-C000-000000000046}\ = "Row"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\Interface\{B140A023-4850-4DA6-BC5F-CC459C4507BC}\TypeLib	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Interface\{DF076FDE-8781-4051-A5BC-99F6B7DC04D4}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Interface\{4A0B7C7D-89A2-4203-A9B9-970EEF304106}\ = "WaterMarks"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WPP.PPTM.6\shell	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Interface\{0002095B-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Interface\{000209E4-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.175\\office6\\WPSOFF~1.DLL,27"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Interface\{91493467-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\Interface\{00020859-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\Interface\{7B648A37-4035-427E-B764-0D8B0F683F9C}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Interface\{00020858-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Interface\{000208A2-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\Interface\{000C0320-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Interface\{000C1712-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\Interface\{000209AB-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\Interface\{00020949-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\Interface\{00024444-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Interface\{00024446-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\Interface\{000208A4-0000-0000-C000-000000000046}\ = "TextBox"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\Interface\{0002099B-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Interface\{00020975-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\Interface\{000244BC-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Interface\{FD1AEC82-85C4-4FFE-9259-E061915FEC9D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\.xls\ET.Xls.6\ShellNew	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\CLSID\{0002CE21-0000-0000-C000-000000000046}\DefaultIcon	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Interface\{91493476-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\KET.UOFWorkbook\CurVer\ = "KET.UOFWorkbook.9"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\Interface\{00024436-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Interface\{000244A8-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\Interface\{0002087D-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\Interface\{0002E160-0000-0000-C000-000000000046}\TypeLib\Version = "5.3"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\Interface\{000C0398-0000-0000-C000-000000000046}\TypeLib\Version = "63.1"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Interface\{000244C7-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\Interface\{000244E2-0000-0000-C000-000000000046}	ksomisc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AB5357A7-3179-47F9-A705-966B8B936D5E}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\Interface\{000C0399-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Interface\{000C0363-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\Interface\{9149348C-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Interface\{00020897-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Key deleted	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Applications\wps.exe\shell\open	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Interface\{000209FE-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\CLSID\{45540003-5750-5300-4B49-4E47534F4655}\DefaultExtension\ = ".et, WPS Spreadsheets Workbook (.et)"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Interface\{000244CF-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WPS.PIC.svgz\shell	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Interface\{7E64D2BE-2818-48CB-8F8A-CC7B61D9E860}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\Interface\{92D41A57-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\Interface\{9149349B-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\Interface\{0002442B-0000-0000-C000-000000000046}\ = "Parameters"	ksomisc.exe

Modifies system certificate store 2 TTPs 64 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CTLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\SystemCertificates\FlightRoot	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CTLs	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CRLs	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CTLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CRLs	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CRLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\SystemCertificates\WindowsServerUpdateServices	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\SystemCertificates\TrustedAppRoot	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CRLs	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\SystemCertificates\eSIM Certification Authorities	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CTLs	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CRLs	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CRLs	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CTLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CRLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CTLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CTLs	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\SystemCertificates\WindowsServerUpdateServices	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CTLs	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CRLs	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CRLs	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CRLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CTLs	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\SystemCertificates\TrustedDevices	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\SystemCertificates\TestSignRoot	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CTLs	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CTLs	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CRLs	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CRLs	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\SystemCertificates\FlightRoot	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\SystemCertificates\TrustedDevices	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\SystemCertificates\TrustedDevices	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CTLs	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\SystemCertificates\TrustedDevices	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CRLs	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\SystemCertificates\eSIM Certification Authorities	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CTLs	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\SystemCertificates\TrustedAppRoot	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CTLs	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CTLs	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CRLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\SystemCertificates\TestSignRoot	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\SystemCertificates\FlightRoot	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CTLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\SystemCertificates\TestSignRoot	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe

Suspicious behavior: AddClipboardFormatListener 8 IoCs

pid	Process
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2912	ksomisc.exe
4904	ksomisc.exe
1916	ksomisc.exe
2068	ksomisc.exe
4620	wpsupdate.exe
4912	wpsupdate.exe
3540	ksomisc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3316	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
3316	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
4164	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
4164	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
4164	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
4164	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
4164	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
4164	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
1544	wpscloudsvr.exe
1544	wpscloudsvr.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Token: SeRestorePrivilege	2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Token: SeRestorePrivilege	2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Token: SeRestorePrivilege	2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Token: SeRestorePrivilege	2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
Token: SeDebugPrivilege	2912	ksomisc.exe
Token: SeLockMemoryPrivilege	2912	ksomisc.exe
Token: SeDebugPrivilege	4904	ksomisc.exe
Token: SeLockMemoryPrivilege	4904	ksomisc.exe
Token: SeDebugPrivilege	1916	ksomisc.exe
Token: SeLockMemoryPrivilege	1916	ksomisc.exe
Token: SeDebugPrivilege	2068	ksomisc.exe
Token: SeLockMemoryPrivilege	2068	ksomisc.exe
Token: SeLockMemoryPrivilege	4620	wpsupdate.exe
Token: SeLockMemoryPrivilege	4912	wpsupdate.exe
Token: SeDebugPrivilege	3540	ksomisc.exe
Token: SeLockMemoryPrivilege	3540	ksomisc.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2068	ksomisc.exe
3316	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
3316	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
3316	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
3316	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
3316	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
3316	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
3316	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
4904	ksomisc.exe
4904	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
2912	ksomisc.exe
1916	ksomisc.exe
1916	ksomisc.exe
2068	ksomisc.exe
2068	ksomisc.exe
4620	wpsupdate.exe
4620	wpsupdate.exe
4912	wpsupdate.exe
4912	wpsupdate.exe
4904	ksomisc.exe
4904	ksomisc.exe
4904	ksomisc.exe
3540	ksomisc.exe
3540	ksomisc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 2204	3316	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe	85
PID 3316 wrote to memory of 2204	3316	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe	85
PID 3316 wrote to memory of 2204	3316	2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe	85
PID 2204 wrote to memory of 1544	2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	92
PID 2204 wrote to memory of 1544	2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	92
PID 2204 wrote to memory of 1544	2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	92
PID 2912 wrote to memory of 4228	2912	ksomisc.exe	93
PID 2912 wrote to memory of 4228	2912	ksomisc.exe	93
PID 2912 wrote to memory of 4228	2912	ksomisc.exe	93
PID 2912 wrote to memory of 4120	2912	ksomisc.exe	94
PID 2912 wrote to memory of 4120	2912	ksomisc.exe	94
PID 2912 wrote to memory of 4120	2912	ksomisc.exe	94
PID 4120 wrote to memory of 3720	4120	regsvr32.exe	95
PID 4120 wrote to memory of 3720	4120	regsvr32.exe	95
PID 2204 wrote to memory of 4904	2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	96
PID 2204 wrote to memory of 4904	2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	96
PID 2204 wrote to memory of 4904	2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	96
PID 2204 wrote to memory of 1916	2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	97
PID 2204 wrote to memory of 1916	2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	97
PID 2204 wrote to memory of 1916	2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	97
PID 4164 wrote to memory of 2068	4164	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	98
PID 4164 wrote to memory of 2068	4164	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	98
PID 4164 wrote to memory of 2068	4164	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	98
PID 2912 wrote to memory of 4980	2912	ksomisc.exe	99
PID 2912 wrote to memory of 4980	2912	ksomisc.exe	99
PID 2912 wrote to memory of 4980	2912	ksomisc.exe	99
PID 4980 wrote to memory of 1096	4980	wps.exe	100
PID 4980 wrote to memory of 1096	4980	wps.exe	100
PID 4980 wrote to memory of 1096	4980	wps.exe	100
PID 4980 wrote to memory of 4496	4980	wps.exe	101
PID 4980 wrote to memory of 4496	4980	wps.exe	101
PID 4980 wrote to memory of 4496	4980	wps.exe	101
PID 4164 wrote to memory of 2016	4164	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	103
PID 4164 wrote to memory of 2016	4164	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	103
PID 4164 wrote to memory of 2016	4164	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	103
PID 2016 wrote to memory of 2240	2016	regsvr32.exe	104
PID 2016 wrote to memory of 2240	2016	regsvr32.exe	104
PID 2912 wrote to memory of 4656	2912	ksomisc.exe	105
PID 2912 wrote to memory of 4656	2912	ksomisc.exe	105
PID 2912 wrote to memory of 4656	2912	ksomisc.exe	105
PID 2912 wrote to memory of 4656	2912	ksomisc.exe	105
PID 4164 wrote to memory of 4620	4164	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	107
PID 4164 wrote to memory of 4620	4164	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	107
PID 4164 wrote to memory of 4620	4164	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	107
PID 4620 wrote to memory of 2024	4620	wpsupdate.exe	108
PID 4620 wrote to memory of 2024	4620	wpsupdate.exe	108
PID 4620 wrote to memory of 2024	4620	wpsupdate.exe	108
PID 4164 wrote to memory of 4912	4164	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	109
PID 4164 wrote to memory of 4912	4164	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	109
PID 4164 wrote to memory of 4912	4164	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	109
PID 4912 wrote to memory of 4972	4912	wpsupdate.exe	110
PID 4912 wrote to memory of 4972	4912	wpsupdate.exe	110
PID 4912 wrote to memory of 4972	4912	wpsupdate.exe	110
PID 2204 wrote to memory of 3064	2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	111
PID 2204 wrote to memory of 3064	2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	111
PID 2204 wrote to memory of 3064	2204	19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe	111
PID 4904 wrote to memory of 3596	4904	ksomisc.exe	112
PID 4904 wrote to memory of 3596	4904	ksomisc.exe	112
PID 4904 wrote to memory of 3596	4904	ksomisc.exe	112
PID 4904 wrote to memory of 3668	4904	ksomisc.exe	113
PID 4904 wrote to memory of 3668	4904	ksomisc.exe	113
PID 4904 wrote to memory of 3668	4904	ksomisc.exe	113
PID 3668 wrote to memory of 436	3668	regsvr32.exe	114
PID 3668 wrote to memory of 436	3668	regsvr32.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_053bc2f48ebd02038c219f55462ae948_avoslocker_hijackloader_magniber_revil.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Users\Admin\AppData\Local\Temp\wps_download\19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
  C:\Users\Admin\AppData\Local\Temp\wps_download\19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -curlangofinstalledproduct=en_US -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps -enableSetupMuiPkg -appdata="C:\Users\Admin\AppData\Roaming"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Checks computer location settings
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
    "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService
    3⤵
    - Checks whether UAC is enabled
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1544
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\ksomisc.exe" -installregister sharedMemory_message_E5C1A46
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\kmso2pdfplugins.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3596
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\kmso2pdfplugins64.dll"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3668
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\kmso2pdfplugins64.dll"
        5⤵
        
        PID:436
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\ksomisc.exe" -sendinstalldyn 5
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1916
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\addons\html2pdf\html2pdf.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3064
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\\office6\ksomisc.exe" -defragment
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3540

C:\Users\Admin\AppData\Local\Temp\wps_download\19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe
"C:\Users\Admin\AppData\Local\Temp\wps_download\19e36659ac057714c9efe268e01c865b-15_setup_XA_mui_Free.exe.500.2083.exe" -downpower -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -curlangofinstalledproduct="en_US" -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -enableSetupMuiPkg="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -appdata="C:\Users\Admin\AppData\Roaming" -msgwndname=wpssetup_message_E5BACA8 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~e5baa27\
1⤵
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2068
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\kwpsmenushellext64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\system32\regsvr32.exe
    /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\kwpsmenushellext64.dll"
    3⤵
    - Modifies system executable filetype association
    PID:2240
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\wpsupdate.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\wpsupdate.exe" /from:setup
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
    "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2024
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\wpsupdate.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\wpsupdate.exe" -createtask
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
    "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4972

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\ksomisc.exe" -installregister sharedMemory_message_E5BFF0D -forceperusermode
1⤵
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\kmso2pdfplugins.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4228
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\kmso2pdfplugins64.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\kmso2pdfplugins64.dll"
    3⤵
    - Loads dropped DLL
    PID:3720
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\wps.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\wps.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\wps.exe" CheckService
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1096
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\wps.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.17545/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=4980 /prv
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4496
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\Qt5NetworkKso.dll

Filesize
1.1MB

MD5
98fc4319ec9e4e0d8fb2d80b8d0c28c4

SHA1
0c6c574bf6afaed924f3a405c0bff4c2e977527d

SHA256
70943a33957824c2ac4b4fad967c04a61ab0944efb463ee2136af7bf89b1455f

SHA512
a0e3cf2675abaa1823fe0deefbef4f8e19e741657c21a0c718a6d38547a8d28fb73f2cd8a4ab1495471168f5391a4771ecc631e6dc584073dc87faadd4bb60b4

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\Qt5XmlKso.dll

Filesize
170KB

MD5
af7aae83c77724c0a2a4b85f5d271f93

SHA1
465287d217cae3910d70eb694ae7d59cf6339cd3

SHA256
1be3a2aa30680faecf57b618b24f845be6623b3cff0798303259063e4038024d

SHA512
63c2bad69ac8bd4493d8b11a8ac9ec4fad44fb952641869a5a788569a38c00bbea514c5ed0d5da47fb78ca9a65c7fc2441243a23482639d71575b76ffba009a0

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\addons\kodfconverthelper_xa\mui\pt_BR\kodfconverthelper.qm

Filesize
334B

MD5
2b42be10ddde43a0b6c2e461beae293a

SHA1
53888c4798bc04fdfc5a266587b8dc1c4e0103f3

SHA256
984ebeef80f6f50907afb92e5b5ae72df49fce045552c118a77a8887cc98e19b

SHA512
be3ebd02d37de367200696351fb5f9cd0ec4c206c3a33f281cb8b62386457a30a899322798c63a0d495577393e47258994feb7f8e2445645f552c2b7a2de6778

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\pt_PT\history.js

Filesize
198KB

MD5
b4b4c703bf5c6c0b5e9c57f05012d234

SHA1
929aee49e800e88b4b01f4a449fa86715d882e42

SHA256
910eada285d4900ea8e36faf305f731cfb200b317ea866839f5f4864a9dfc09b

SHA512
2afa881ee2f47e97249904b506cf88d68a34c166d9dc0a603f68369e640336f2c0b424ecb7b23d4631a96e175b965478bfa4ebc0224b0410551e55ac4c8ad0ec

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\cfgs\setup.cfg

Filesize
434B

MD5
fefcf071a7095979ab7dd4250e4f90e1

SHA1
32e54bd7ed424fdabed8731f2712c826baafed02

SHA256
5b7ef3a39ef8bc5c55f7f3e5fc52e3091dbc11ce8dbeb75280cad1a838d98c03

SHA512
304c44927033ec7c61406d819e3c55f5ace4915deb080cccbc717815e3b4768f4ee5bba74ce36d39d90134259d717ad62635140c2ffe650c9eba9546b44df40d

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\kbase.dll

Filesize
170KB

MD5
190a0b443393ca613aa5fa8bb4890d01

SHA1
0a1bb4b9f23f8af048216c0e65c21a5b899d77e6

SHA256
5856fd6980ef196e90d8d2e5064cc27fef22a6b01efc0631ca1e2a8a1c10b262

SHA512
9f672d13f197ef9755dee600a5660cd3b7c42e545a4d700722e190af4a063ee4006a80a6b5f13888dfba84e08a5c98fb1e975458164a1534e9622b3a18f78576

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\kdownload.dll

Filesize
427KB

MD5
0e3a94307f4b4e352a334a499fdaaf12

SHA1
0310f39afc0948adb40366482f3b712f906ba862

SHA256
cd24e8f709b415d2e5474edd93f212de0993cd21ee6341ac24d78030040e31a3

SHA512
8f60d2d9783a9d304d743216cecd650e7bd3652580b4547d73b0db676d51a823ba38218ebb3ff82bad20e75be333dd896a4d567d6125d35fdcfe990b13e9a4a6

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\kprometheus.dll

Filesize
7.0MB

MD5
558b9a553b6fa2c05e2b0ccd58bd2e2b

SHA1
afee1baac4f8ff6b8590e1212791620bfa769ea4

SHA256
cc6f6d5c71d39a429fba577c9c1571dd5ef60360b7de04520f3fff1591886eee

SHA512
95c933d4f56cbea002d004d040f34e98389c490cdcfdaa608dea76ab6870c9927123e42b70f419a4af852d136f28126dc47acbba9ff5fd0935acc5946e7c54f1

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\krt.dll

Filesize
1.1MB

MD5
ca4e53db011446db2a95b5874a35901b

SHA1
ce0c62def48311135bdd77a5adc08384fc127ebd

SHA256
a33b55dfa43b63ca08efe23519d1200cdd51cb5e9d09b0f12e95fec91d1440b1

SHA512
51d530e654f4f25ce92404c6de657550b7baa7b7eb84bb2bf8ebf9776f5970f7dcef0e4a2b9daa0c53dceed11c814a17a042b0e612563ac43419820c96b952ec

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\kshell.dll

Filesize
22.7MB

MD5
6a8cffb7ec165447f6c494972ffc580d

SHA1
7f25abd1d1c518cf1dec5653954476ef00b5a6b6

SHA256
2271e503af641b1953f177c70c93d86358d2af438e820288bfdee01f59d1fd07

SHA512
bbeff77d50bb6167c1432ca60e8c2adda6695225c5690d0301b443a4392cd2c82e27252c0660da69a875f130439767c22453d944de7b9ea2af812aee0b234f1c

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\kso.dll

Filesize
24.6MB

MD5
a6f18e189caf04e84b8f5d219fb9af9d

SHA1
d314d757550a766a3448649fd5bbe8d87fe0cebe

SHA256
3c00c7309fc8b6c55038ad7c31c38b4baa94aeb319b57e802d0da93380f85be2

SHA512
42c5a32682b23ca282ee7554d592e7ed8d87b310b68fc04424d2d3559bbc7e91b6ec98c61cc4b3fa4947e88cf4244e42e6edcc1c9eeb736628243db32fc6faa3

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\ksolite.dll

Filesize
9.5MB

MD5
771473d031e5cba3f914f2c0da09acaf

SHA1
9aa31942c633ff968ea0ba3e5fafb5c56fe00ac9

SHA256
e074ddcb67c7a67e2b98b3a17c0bd1dcd9b95139208e49e243d42c00ae472724

SHA512
3106b37124c834945d9a658e078e80a66c5a5310de3cd7796e61e7e2949d3c05e884b3372b10bb857142db6c28a4f19d85b812346413c6f33c51791d73f1ad9d

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\ksomisc.exe

Filesize
3.0MB

MD5
7bb2f1b65aa59efd5c5d5c55c8abb4bd

SHA1
bc5d63b0a3deafd23c381f4aa4c00087169f2b1e

SHA256
46bf0a723e62b0b7690e817c689a61e565d171566241378967853f8141d2ead0

SHA512
68e4813c6bd06d90fc0ab96b0dad0e58c6bcf8ac3e7c938d2074a92785b3248aa9c5e66f9fa4ba08b5b2139d5073f91fa816582916e52dc1d9212245b81a081b

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\ksouil.dll

Filesize
1.8MB

MD5
4fd76ccd8d441d9d87dd8aeccd0ac7eb

SHA1
aa01ba71a8d77a8c9d095bdacf8771733b1445d2

SHA256
52a6ae2388e711667714625e08670232565c63d92527caaaa9d023ee55f3999d

SHA512
440e5431d1bd7a7700f817fe30862cb9bf4106223342151c9c41c2d6aef0c124836af9b631fc9f9117b260faee9b73403b573da448ae15b8e3f524a1cb5153b1

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\libcurl.dll

Filesize
506KB

MD5
b930492e0c2256c3bf6c11187a944274

SHA1
b36c38bbd2ae472c2f76a227258fb2c2a4caac77

SHA256
6bb0229ef28c8388c33ce63b967cd77fef4de3212c3a8da38abb8276ad0be6c7

SHA512
2377a60778504a3f3565729998b275a6724206823ecd68c0c2decb75a3b073362bb2310592f980b0d7d5a4ead0523829863586e3346aff39606f6215524c6281

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\mui\ja_JP\resource\splash\hdpi\2x\ent_background_2019_wpsoffice.png

Filesize
236KB

MD5
c5ad1903526a9ca4c2f55cfea1e22778

SHA1
9c7b9ba9100a919cad272fb85ff95c4cde45de9f

SHA256
5e7ba996d2331f37b9799767c0fa806cab9a39fea434796ab08dcaf39096e334

SHA512
e482142e81fbe71666b40f7a2c53702b4278436a0240e0f56200443cf4235d9942cccc3545cc01486d53a0972be553cbf93442e8b05de7b4fcd1fe8a4ec16bb4

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\qt\plugins\platforms\qdirect2d.dll

Filesize
1.4MB

MD5
b6c09edb687fc466082ba988b380460d

SHA1
a89dcf546009a17cfba9f2ed9c553902cd28ab74

SHA256
08695bd8865f96f23d3d164de9c3cfe499c051e7906fa4876c1634439f18b05d

SHA512
6b002547c8ef2e978cbce8625b1e9ca94d9c7b0e2bba40ac6dda4fcb70145f3384348d81b38290bfbfd823af6018c0b61a8ef21002280242a6de04586da43f4d

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\office6\wpscloudsvr.exe

Filesize
881KB

MD5
164a06049fa28665d2aa4f2a9b61f2ab

SHA1
3b319684edb6a391594c093f0148c2846f862e43

SHA256
b158fb27a7aeffbb1c808ca8877ddc8b62b0ed6ebc1424273f6c0be127cd4142

SHA512
dcb841a9c26c760c15a2bcf28a278e08ee11eceeeffc8edf2892701f22023c0016f566aa9fe5dea4ad19a56efa367b2cb8ac1de8b2bdba366758eb440d27a3fd

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\utility\install.ini

Filesize
499B

MD5
183330feb3b9701fec096dcbfd8e67e4

SHA1
2f43379fefa868319a2baae7998cc62dc2fc201d

SHA256
ac4f26a184114522200169c5f57a0af4498a20d19b7ec6def14dd2c6413eb475

SHA512
643cc197456f15da6ddd6eb904f2b25ad4236a24310d575958c0c8e457a33167e748d21184162502a295fa466c031a837511d4d5348fd67499ede1b60065c471

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\utility\install.ini

Filesize
530B

MD5
0be87878bccdc39958a0406f9a33ef7d

SHA1
79cfa6a1f07b531fb7faf1be0352cf96333ac909

SHA256
23a9e27273dd180b16aa64cbc23502885ddbe2c1608509fc28cefdc19e2353b9

SHA512
f48569f8f9163a47473f918b533fdf36347ae0ed751a27025c20eac3cc2bf3be342844ced15774fabddf4232433f9a37c487bbe11bda509c922602a06dac92d8

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.17545\utility\install.ini

Filesize
675B

MD5
0cb3fdae1d22f84423b723505bbe84a9

SHA1
f15cd5dfe4d5c618983309b886b92cad4463d607

SHA256
33737bdc5de919d62a2dfe2458bb6d154c58019063fd8d5057643d1bc0d1963a

SHA512
8a79a44191dc4588464e9b2a93cd8401f1a6fbca86d96e9bc34a7e1fa2ce1ee76710a348f99d0661b2c87831601f1db87df057171afcc6c47eeba793f111cfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kingsoft\WPS Office.lnk

Filesize
2KB

MD5
1315552c05acc5d67709fb5d49bdd013

SHA1
3e7427d46895de19c06cff04a725b055615343d1

SHA256
37e940a0ebb603db9b6893fe17152fe29ae3ab3d73c5d35954ee50929de3c922

SHA512
f9241b6162672d0584b33adec4716d15e55116c780d2d4985db7037b95784d0c3978aa85df0b6fc65845a69fa561448cf4e6fcd0a1a7aeb8f23da4929c2120c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e5baa27\CONTROL\office6\Qt5CoreKso.dll

Filesize
5.0MB

MD5
45eba89473d014c8d833ed6b34d06505

SHA1
db590bef1c8af4901b4dc7a598e681b30fadfc93

SHA256
efe5f0505557175c4b09dd5aefd0eb515c0fc2928641de4f8458a8e90c774927

SHA512
9134fd620fe2b4471ec6ad3b402fb7e6a8f40423650b6eb584fa357cd2e559edc43d16fcc25ced283f1766bb4a11f6737f5ff3bc28c3a1d13524885495437bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e5baa27\CONTROL\office6\Qt5GuiKso.dll

Filesize
5.3MB

MD5
c93e42a4639a863b13011b0ed94ede43

SHA1
a3aa84dd5af36bbffc84b0b2334f16466d2cf296

SHA256
5d7431ba6b51becc7a0ebcf9d2431c55c659abb3e09115793cc41f12198045d3

SHA512
3b39f9ad62c4a96e437a5109b5dfb48edb9e9d5f4e61152a23ebf482fd0d6b6e78e0dabb1cc2d6a772d71faf3b90909132f3d2f3289e45df9a1779377a9823cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e5baa27\CONTROL\office6\Qt5SvgKso.dll

Filesize
390KB

MD5
1641d292bedddbb714b9c2add211329d

SHA1
b6838729ef5ca7d84529072067c82e92f6f7bfcf

SHA256
a485b16beddc820d099764543478b44f2644f3693b7133b692b575a115e48b43

SHA512
4297e4413eb919dbea68499f8bbb3e5bd771134a4e3cc47f24bc84e47c2b30d409176a03e7c840acdbea35b09c23aadfb6984980853e6a86bf8d539e59c062d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e5baa27\CONTROL\office6\Qt5WidgetsKso.dll

Filesize
4.5MB

MD5
d8517088384b4bbceaddbec91e5c0a4b

SHA1
be99021c12de9d3e353b59a9507fe1db8686cb3d

SHA256
2a0f41c83b2910a799b4a816cf373db4fe8be04bae67c743a12fa547c846f7c9

SHA512
8248c1204854d02acb6ef830d39c6dff5b362fd1f3b1ef9732794b461127e198d5c4b8fa6414765dd378b0a3bd67cbfad666ed631bc39a9ad24bca879ef312db

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e5baa27\CONTROL\office6\Qt5WinExtrasKso.dll

Filesize
217KB

MD5
42a6bb191a0e7a9dcbe0f82507c9d0f9

SHA1
9ff27bde1579f189bef5d6f43bcbd4ea34bba276

SHA256
e1d09aad26998083bc1a17f203cd272f057ff6b61de50c50b8c1ba182ac66c30

SHA512
c7199769bba9e3eddd38aeb172b2ebd8574e4fc3984d0ff7c1b1bbc93ce72b3829b1e2c8c9122651dd0a5bb73c48364bbb232e6336a471e841c2bbdfff36a027

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e5baa27\CONTROL\office6\dbghelp.dll

Filesize
1.2MB

MD5
56d017aef6a7c74cd136f2390b8ea6d3

SHA1
46cc837c64abe4e757e66a24ece56e3f975e9ef6

SHA256
900da3e0ea1b4f94773689b41d3f00b28b0fad0f6390da3aec3a9f84a3f85920

SHA512
7b5573461693c6125df7ff9040afb6f4fa818a68add9073071a3317767216dd9a6cf25704f3189f3923ead36751fa830e9899eb79f9b6cad3be405262bf53f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e5baa27\CONTROL\office6\kpacketui.dll

Filesize
2.9MB

MD5
3c247d177e2c0a69d9210999d3818cd1

SHA1
ae024d717444631fc7006f888fb199bedca6cdc1

SHA256
87031506cf9ac73bbf0389a6869d2c444520aeb0533d0e8e9b83d50fbe9f0dd3

SHA512
a9b37b0e78bdea5ab304d5e359fc7e57e3af4eb74101536bc756ec430b1d9a7856c81e8d6d7a6c0ed15b48229ab98972a4c808de0402669d76e1151bf23d017e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e5baa27\CONTROL\office6\msvcp140.dll

Filesize
427KB

MD5
db1e9807b717b91ac6df6262141bd99f

SHA1
f55b0a6b2142c210bbfeebf1bac78134acc383b2

SHA256
5a6dfa5e1ffb6c1e7fc76bd121c6c91305e10dd75fc2124f79fee291a9dd9e86

SHA512
f0621977d20989d21ae14b66c1a7a6c752bfd6d7ccc2c4c4ec1c70ba6756e642fb7f9b1c6a94afadd0f8a05d3c377792e4aa4c1a771d833c40a6f46b90cbe7c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e5baa27\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll

Filesize
61KB

MD5
4024705136893daf28183cd025b6cdb6

SHA1
9abede94e6f15370f1dbf0563045c6639f028d72

SHA256
6894c28a1d19eb17228ccbc216a26575f2c25ef36d47c6796c6d5160583a7204

SHA512
5476496ce4118f3c4ccd8079e0a4a4dc86619f6f6ada1be2922ff6b9ba31775fee183da7ab7329b5e1d87328c56173ef22689134c7b4e56391a07f51dd313b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e5baa27\CONTROL\office6\qt\plugins\imageformats\qsvg.dll

Filesize
41KB

MD5
4ae8c2aef0ced0107d35f1fb6fe196df

SHA1
238540a1b93cc2ac801b9dc44d18279f02233363

SHA256
d614f0fad7a265e2daa52a864822045d3ad8a8d9bf98c7fd84735414d20af251

SHA512
4adec56832fa5caee89669795c7f961627fa3b11712fb02e4fc2e45e2093c5956e764f3f1b77399abf162a734ef9909227b92a94eded9ccd98622e4ce22aa15d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e5baa27\CONTROL\office6\qt\plugins\platforms\qwindows.dll

Filesize
1.3MB

MD5
d159351f966fb545c60ee8ad1f27481e

SHA1
1fdc6ae0f926f7d0a80d9a6432918f8dee7bddef

SHA256
ceb1c200a1f09be8392d0ae69bd64fa8161e6fdcb729616e3d323d840fd2a02c

SHA512
444d846935575bc4d6f616bc9418fbd6dcddbad68309826b36820c05d6367d5dceadf8f615347dc61086476f3e54076182f4a6667aef7b1a4f2548932c4766b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e5baa27\CONTROL\office6\qt\plugins\printsupport\windowsprintersupport.dll

Filesize
71KB

MD5
1312a0c4afe688cdd36fd7a3960fc215

SHA1
c4a55a01c99d48387b8a282db75399a28c704837

SHA256
b64bd771357cbbe6ce3e56858c6204f1b2ea0d0571852c352659c25c4cf8d76e

SHA512
672b3fd7bd21a2e3ef7d0ca74f7adbed839f5fd162c01783fe83507874f2db136112263912340f37f1eb8f4d3dc7f8a709ff1d4d0697edefe2085125f26e8f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e5baa27\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll

Filesize
145KB

MD5
050dd1f2f92b972c2c2fe167af73f14b

SHA1
7452f3f57c5772532a1955d41888c6bc8a210554

SHA256
e5f8d2a772626ada3c0ff654f40e311e2476e1e17f9a040116b5751aec638c82

SHA512
6e6b3cb9c75d8e2d4c02917ce245772387d40de44ff5a43843ec78f57e6cfa4d895af57f6ab7d71b2674d7a0137576600d7e80b67ee1d6ea35144bb4f928929c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e5baa27\CONTROL\office6\ucrtbase.dll

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e5baa27\CONTROL\office6\vcruntime140.dll

Filesize
75KB

MD5
8fdb26199d64ae926509f5606460f573

SHA1
7d7d8849e7c77af3042a6f54bdf2bb303d7cd678

SHA256
f1fd5f6ec1cfe0cc3b66b5322ac97568bc63b19c1e415b99aad7c69ddbafa33c

SHA512
f56bf11d4259dbf5d4d1f9fc2ad60ff609cddb21278999e9fa55fe5d74552e8a01ddc55cfdc9bf4b09b3e3130a1356142a24a7db8ec5ea19344de617dc9fa99f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e5baa27\CONTROL\pl_PL\style.xml

Filesize
3KB

MD5
034f37e6536c1430d55f64168b7e9f05

SHA1
dd08c0ef0d086dfbe59797990a74dab14fc850e2

SHA256
183a140011774d955e9de189e7a1d53cb4128d6abed61c7bfd5994268ee5f384

SHA512
0e1911c882152a4e1059a3ce1880d7fb2aed1e1e36cbd37055de2e2a1333acb2a0233ba2a4d969ccebbef1e77809aa5e78807aa9239545beae8c548c0f8f35c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e5baa27\CONTROL\product.dat

Filesize
118KB

MD5
61bb8ee449b2f02bea213af64534580a

SHA1
032a8127561b9edad1a0ee4e74d26dfa8bae0c10

SHA256
908caa03d3fb2a706314ae30f7c12ff3a12a0af28eac3f5f09d65571fbc14820

SHA512
6fc56423b44e682881e97a7d423690f9dbff43c714bd571b5c84ab8d8fafbfb198b8daed6ad9877656d75dc1fba0d8322de4e62efeb6ca34129d28473a4c10f9

Download Submit
C:\Users\Admin\AppData\Local\tempinstall.ini

Filesize
387B

MD5
c38481658f9149eba0b9b8fcbcb16708

SHA1
f16a40af74c0a04a331f7833251e3958d033d4da

SHA256
d0d73f49bc21b62fe05c47024d69406a3227da0f6b4ffe237726e6a031f188d2

SHA512
8f98d62f88442b8ef94aa10074e35aa8d9494f3c76ce8b143ca0bf7fa0d917f3175212fbcd6e7b0597fd0ec0e1b2827f157135512fb01c88218d36e2f7dd73ce

Download Submit
C:\Users\Admin\AppData\Local\tempinstall.ini

Filesize
433B

MD5
a9519168ca6299588edf9bd39c10828a

SHA1
9f0635e39d50d15af39f5e2c52ad240a428b5636

SHA256
9e87b2ff306efedf7bf1074749b4602c332bc825aed80721eba19d5f544d2ec3

SHA512
0607eb1f5598320961fbd8ef75beeb1b6dc1af3cae7eeb5ba352f3e2a2edb25e1d9e68fb46c24e4299957352c0c906314c889c2d1092437eccc1d1a0485f3557

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JV3EXKX6POHOVY54J9KO.temp

Filesize
8KB

MD5
468ef0e3090026a7a101c000f2d6d7e2

SHA1
e69af7732b3c0750982b5ce9dd4335e606a30646

SHA256
53652be03937c21da431b24ef95f7b5c10eea2c81d53b7b3c060c25ed0dc073c

SHA512
1eaede484f4470a880821c1bb0dfe291acc9e18343609cc7e6a23b890d66f8f2744d365a2250bb3e8e5d45f7dfb7a2827eb6bfa416425add15b7e631b7eec54a

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\cfg\onlineconfig.data

Filesize
84KB

MD5
81863dd9aa6d605e93564d0b195d7e95

SHA1
b9e899b6666d92d464b2f5a4b61680358bf4f270

SHA256
e647dc5fd1d1d5b1160ba8b24667fdd165be127b1abe1f8ef2ef82bb62b933a3

SHA512
18a88079e073cf4e04de2bb5894251bb54cc37fe8e16077d264277a7f032f592892bf87a4973e8860198a84698f759b98fabdcee9a83b540ce039a8f46479674

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\configs\configure2

Filesize
192B

MD5
2c2bed57fe4d257f2af0956008533918

SHA1
23af588ea703b727dfe1b86688137ed58daf50ab

SHA256
3e2f27f7ae5caf6a44497fa5b8a7c3a10d79b4ca924140c19311b8a70536b48e

SHA512
8851ea5f02792244c49e030edcc59db423e37dc085a8e539ee5561166fbd57255a6f85600c88d08b06f73f1c3805b9af4f27cc96a6b9f22b9d06e22b567bf207

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\ksomisc\ksomisc_2024_08_07.log

Filesize
4KB

MD5
b4aa7b15fe94521d8f28877b39724e37

SHA1
b76a40051c90836e33127b5a9ad7ce0f03643c5f

SHA256
54f38ce9b45bd52c0e5546086e7a4d785de742c6b34eef53e78a50b3ac0e45e6

SHA512
c3ef10f4ea6f194c9b382a6fb599046e77444023f3f5910675ba6ab2bd1cfb00bb36cb38358ede442d5420202c72e31ac9a055dfc11cca81fc57c59b9dc0e679

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\ksomisc\ksomisc_2024_08_07.log

Filesize
6KB

MD5
dbcd701970593e6a5ab770ffd7945533

SHA1
a2dec49b8c061c18e29cda21384a7e4ad1cedd37

SHA256
5fdbb1da17c305617b7b38f2fd15d79a6574e0c381d33e992f38742f46283b2a

SHA512
d036d185567b0ece48478504c7c455518f4f17d71b33e5c0e55bd400fc2a431cde3a637a3d2a2b4b819383c729a0eddf009a81f1e4e060b00d290fc1cd62c5fa

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
11KB

MD5
e582b6498622d3f06ceafc5c25c69fe4

SHA1
43eb4e850584f4439d36b57934d605c770c05ad3

SHA256
fba65227d0bba1cc22ba66b3f5161747888a20c41eb0c0cb223f307cb49f05de

SHA512
644a7ff2c5afc0248ec38bf598525285b8fa190b627eb222701dbd7f159ce79c8711a9646a629fe66ad5026c29de6d8fd141b6ad5c558a577d36953e185c5036

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
12KB

MD5
626c1343723da10071293943abb777fe

SHA1
b0810ff7de1fce8abd23a6c215d5501402d639ae

SHA256
e966507e82011c95220eb101bfbe41f8a99cb4e170b4ab5d63827f01f5aedad3

SHA512
08b783f8c08b9b526b2816cb81f181fe4d90a145bcf021a2c68e407832630712420e9813de8dc9982571ec4533ab3d841a9a471c3204bc08097e6e9d66b85f85

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
742B

MD5
27590ab5120438e1de669f9fc4a3481b

SHA1
93307c33bd713d7f6dbe7da91a0c755fc3f06649

SHA256
26129a8d691adc26fb8ec663f214bf50a0a5614862daa0e454dc915a00a7c228

SHA512
64815c480e22b336aef4d57cd16cf0909e194c6c3e3ac389bc4dfd9dd818417b93356248254afc617134956d9415a1d04e2ae6f1ef64cf70f0c6005691ac3e04

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
30KB

MD5
71cf4192b828c8350b7d296d75d5c534

SHA1
6f56856226aeb2facdcbfec18df1bafc5174f5f7

SHA256
fc99c6b5eb398a460ef4cb04a13277bb2d15934055ee98a32e2ad30ca15b69fb

SHA512
0d15341688993b7c2704064c779c62789aa5db409cb89d0cb09cc30990e02809f7aeb948284247367253e2e814189d6e05d289ffbd2706fb391166c13e48932c

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
48KB

MD5
1275c5ada9fb22908fcd9a2369d9f0cf

SHA1
960e095b0468953aa08ed4bab7fc45f3a6fa0a5f

SHA256
89eeb5fa406b47202f12c33d14070078d29f9597e4c1e7b63e7176f74a803c98

SHA512
fb9b1980401956b85b3cb2fa25cd43c356ed687a7fb19c2dc689268894b6ea0c04796a90f4d796df530a5aaa85bc8bd8dbd04e32d8039db0762b13a4a9e8c1c0

Download Submit
memory/1916-4551-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/1916-4546-0x000000006D8B0000-0x000000006DFB0000-memory.dmp

Filesize
7.0MB

Download
memory/1916-4550-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/1916-4549-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/1916-4548-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/1916-4545-0x000000006F850000-0x0000000070F27000-memory.dmp

Filesize
22.8MB

Download
memory/1916-4589-0x0000000001650000-0x0000000001667000-memory.dmp

Filesize
92KB

Download
memory/1916-4552-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/1916-4553-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/1916-4554-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/1916-4555-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/1916-4544-0x000000006E910000-0x000000006F2A3000-memory.dmp

Filesize
9.6MB

Download
memory/2068-4580-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/2068-4574-0x000000006E910000-0x000000006F2A3000-memory.dmp

Filesize
9.6MB

Download
memory/2068-4652-0x00000000013D0000-0x00000000013E7000-memory.dmp

Filesize
92KB

Download
memory/2068-4575-0x000000006D8B0000-0x000000006DFB0000-memory.dmp

Filesize
7.0MB

Download
memory/2068-4577-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/2068-4578-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/2068-4579-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/2068-4581-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/2068-4582-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/2068-4583-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/2068-4584-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/2068-4572-0x000000006F850000-0x0000000070F27000-memory.dmp

Filesize
22.8MB

Download
memory/2912-4319-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/2912-4320-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/2912-4316-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/2912-4317-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/2912-4318-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/2912-4314-0x000000006D8B0000-0x000000006DFB0000-memory.dmp

Filesize
7.0MB

Download
memory/2912-4312-0x000000006E910000-0x000000006F2A3000-memory.dmp

Filesize
9.6MB

Download
memory/2912-4313-0x000000006F850000-0x0000000070F27000-memory.dmp

Filesize
22.8MB

Download
memory/2912-4323-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/2912-4315-0x000000006BB60000-0x000000006BB70000-memory.dmp

Filesize
64KB

Download
memory/2912-4322-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/2912-4321-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/4904-4417-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/4904-4410-0x000000006F850000-0x0000000070F27000-memory.dmp

Filesize
22.8MB

Download
memory/4904-4409-0x000000006D8B0000-0x000000006DFB0000-memory.dmp

Filesize
7.0MB

Download
memory/4904-4412-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/4904-4415-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/4904-4414-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/4904-4413-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/4904-4416-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/4904-4419-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/4904-4418-0x000000006BB50000-0x000000006BB60000-memory.dmp

Filesize
64KB

Download
memory/4904-4408-0x000000006E910000-0x000000006F2A3000-memory.dmp

Filesize
9.6MB

Download
memory/4980-4662-0x000000006E510000-0x000000006E520000-memory.dmp

Filesize
64KB

Download
memory/4980-4661-0x000000006E510000-0x000000006E520000-memory.dmp

Filesize
64KB

Download
memory/4980-4665-0x000000006E510000-0x000000006E520000-memory.dmp

Filesize
64KB

Download
memory/4980-4664-0x000000006E510000-0x000000006E520000-memory.dmp

Filesize
64KB

Download
memory/4980-4670-0x000000006D8B0000-0x000000006DFB0000-memory.dmp

Filesize
7.0MB

Download
memory/4980-4671-0x000000006E910000-0x000000006F2A3000-memory.dmp

Filesize
9.6MB

Download
memory/4980-4669-0x000000006F850000-0x0000000070F27000-memory.dmp

Filesize
22.8MB

Download
memory/4980-4666-0x000000006E510000-0x000000006E520000-memory.dmp

Filesize
64KB

Download
memory/4980-4667-0x000000006E510000-0x000000006E520000-memory.dmp

Filesize
64KB

Download
memory/4980-4668-0x000000006E510000-0x000000006E520000-memory.dmp

Filesize
64KB

Download
memory/4980-4663-0x000000006E510000-0x000000006E520000-memory.dmp

Filesize
64KB

Download