Analysis

max time kernel: 111s
max time network: 113s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/10/2024, 13:48

Static task: static1
Behavioral task: behavioral1
Sample: wps_lid.lid-e8BnL2v7Bbrm.exe
Resource: win10v2004-20241007-en

General

Target: wps_lid.lid-e8BnL2v7Bbrm.exe
Size: 5.5MB
MD5: f4adec8ff71b27363ad91be552df4f1e
SHA1: 374f3f3c88856eb4965474a48a7ec75f4e8c2de0
SHA256: 7be6628a085b244b6478dd8bf1a6074aa83fea23671d70662a50aa8b5292fe56
SHA512: 690a9622a5fe3d1f96efefcd753395557b6254a71c7dbce82e447cfe3fbfbc18781cb94477bf75504722ca66b3999c6d5b37c2ecc69be3cdb32760f497ed777e
SSDEEP: 98304:hrI1lEAOYB6RJ2dqW8LZJc+ZQSAA4zJOi6f4sdw0dGzB/1X:iXGULEFrcPJzAxf4+FGVF
Malware Config

Signatures

Writes to the Master Boot Record (MBR) (1 TTPs, 4 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | wps_lid.lid-e8BnL2v7Bbrm.exe
File opened for modification | \??\PhysicalDrive0 | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
File opened for modification | \??\PhysicalDrive0 | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
File opened for modification | \??\PhysicalDrive0 | ksomisc.exe

Checks computer location settings (2 TTPs, 10 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | wpsupdate.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | ksomisc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | ksomisc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | wpsupdate.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | ksomisc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | wps_lid.lid-e8BnL2v7Bbrm.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | ksomisc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | ksomisc.exe
Event Triggered Execution: Component Object Model Hijacking (1 TTPs)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (1 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe

Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\ | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe

Executes dropped EXE (37 IoCs)
pid | Process
1880 | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
2428 | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
116 | ksomisc.exe
752 | ksomisc.exe
1240 | ksomisc.exe
1616 | wpscloudsvr.exe
3256 | ksomisc.exe
4440 | ksomisc.exe
3236 | ksomisc.exe
5068 | ksomisc.exe
1908 | ksomisc.exe
400 | ksomisc.exe
4508 | ksomisc.exe
1956 | ksomisc.exe
3236 | ksomisc.exe
1564 | ksomisc.exe
4392 | wps.exe
3520 | wps.exe
1084 | wps.exe
5016 | ksomisc.exe
3992 | ksomisc.exe
2468 | ksomisc.exe
4820 | ksomisc.exe
876 | ksomisc.exe
748 | ksomisc.exe
4152 | ksomisc.exe
5012 | wpsupdate.exe
2776 | wpscloudsvr.exe
3764 | wpsupdate.exe
2012 | wpscloudsvr.exe
4468 | ksomisc.exe
440 | ksomisc.exe
2316 | ksomisc.exe
972 | ksomisc.exe
1656 | ksomisc.exe
2980 | ksomisc.exe
4316 | ksomisc.exe

Loads dropped DLL (64 IoCs)
pid | Process | entries
1880 | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | 13
116 | ksomisc.exe | 32
752 | ksomisc.exe | 19
Modifies system executable filetype association (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext | regsvr32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ kwpsshellext\ = "{28A80003-18FD-411D-B0A3-3C81F618E22B}" | regsvr32.exe

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wpscloudsvr.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 44 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process | entries
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ksomisc.exe | 27
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe | 6
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wps.exe | 3
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wpscloudsvr.exe | 3
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wpsupdate.exe | 2
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe | 2
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wps_lid.lid-e8BnL2v7Bbrm.exe | 1

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{E436987E-F427-4AD7-8738-6D0895A3E93F}" | ksomisc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4} | ksomisc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" | ksomisc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{AB5357A7-3179-47F9-A705-966B8B936D5E}" | ksomisc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4} | ksomisc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" | ksomisc.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{92D41A70-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "3.0" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{00020852-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{000C03CE-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{000C0366-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{91493458-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "3.0" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{000244CF-0000-0000-C000-000000000046} | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{0002086A-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{000244AD-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{000C0316-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{000C03BC-0000-0000-C000-000000000046}\TypeLib | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{91493487-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{914934F5-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{000208B2-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{000CDB0F-0000-0000-C000-000000000046}\TypeLib | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\CLSID\{0002CE21-0000-0000-C000-000000000046}\0\ = "&Edit,0,2" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{914934C7-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "3.0" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{914934DE-5A91-11CF-8700-00AA0060263B}\ = "Sequence" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{914934D3-5A91-11CF-8700-00AA0060263B} | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{000CDB0A-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{00020958-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{000209F6-0000-0000-C000-000000000046}\ = "DocumentEvents" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{0002443F-0000-0000-C000-000000000046}\ProxyStubClsid32 | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\KWPS.MOBI.9\ = "MOBI 文件" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{000C031B-0000-0000-C000-000000000046}\TypeLib | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{000C03A4-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{000244B2-0000-0000-C000-000000000046}\ = "ChartFormat" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{00024444-0000-0000-C000-000000000046} | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{000C172C-0000-0000-C000-000000000046} | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{914934C9-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "3.0" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{000C171B-0000-0000-C000-000000000046} | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WPS.PIC.xmind\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.18607\\office6\\addons\\photo\\photo.dll,20" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{000C0362-0000-0000-C000-000000000046}\TypeLib\Version = "63.1" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{0002097D-0000-0000-C000-000000000046}\TypeLib | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{0002097E-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{000208C4-0000-0000-C000-000000000046} | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{0002446A-0000-0000-C000-000000000046}\ProxyStubClsid32 | ksomisc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\MiscStatus\ = "0" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{000C0370-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{00024448-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{0002089E-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{BA72E554-4FF5-48F4-8215-5505F990966F}\ = "ResampleMediaTasks" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{0002444C-0000-0000-C000-000000000046}\TypeLib | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{FE0971F0-5E60-4985-BCDA-95CB0B8E0308}\ProxyStubClsid32 | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{00020868-0000-0000-C000-000000000046}\ProxyStubClsid32 | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{000244AD-0000-0000-C000-000000000046}\ = "ColorStop" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{000C031F-0000-0000-C000-000000000046}\ = "TextEffectFormat" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{0002095B-0000-0000-C000-000000000046}\TypeLib | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\KWPP.Presentation.12\shell\open | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{00020843-0000-0000-C000-000000000046}\ProxyStubClsid32 | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{00024463-0000-0000-C000-000000000046}\TypeLib | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{000C0389-0000-0000-C000-000000000046}\TypeLib\Version = "63.1" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{000C1726-0000-0000-C000-000000000046} | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{00020880-0000-0000-C000-000000000046} | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\CLSID\{44720444-94BF-4940-926D-4F38FECF2A47}\InprocHandler32 | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{91493451-5A91-11CF-8700-00AA0060263B}\TypeLib | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{00020969-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{000244A9-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{00024464-0000-0000-C000-000000000046} | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{A43788C1-D91B-11D3-8F39-00C04F3651B8}\ = "IRTDUpdateEvent" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{000CDB0A-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\KWPS.Application.9\ = "WPS Writer Application Class" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{000C03E4-0000-0000-C000-000000000046} | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{0C6FA8CA-E65F-4FC7-AB8F-20729EECBB14}\ProxyStubClsid32 | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{91493476-5A91-11CF-8700-00AA0060263B} | ksomisc.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates | wps_lid.lid-e8BnL2v7Bbrm.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CTLs | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\Certificates | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\FlightRoot | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\TrustedAppRoot | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CTLs | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CRLs | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CRLs | wps_lid.lid-e8BnL2v7Bbrm.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CRLs | wps_lid.lid-e8BnL2v7Bbrm.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\eSIM Certification Authorities | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\WindowsServerUpdateServices | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\eSIM Certification Authorities | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CRLs | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CTLs | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CRLs | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CRLs | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CRLs | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CTLs | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates | wps_lid.lid-e8BnL2v7Bbrm.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CRLs | wps_lid.lid-e8BnL2v7Bbrm.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CTLs | wps_lid.lid-e8BnL2v7Bbrm.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CTLs | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\TestSignRoot | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\FlightRoot | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CTLs | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates | wps_lid.lid-e8BnL2v7Bbrm.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CRLs | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\FlightRoot | wps_lid.lid-e8BnL2v7Bbrm.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CTLs | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\TrustedDevices | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CTLs | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\TestSignRoot | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CRLs | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\TrustedAppRoot | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CRLs | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CRLs | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CRLs | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CRLs | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\Certificates | wps_lid.lid-e8BnL2v7Bbrm.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CTLs | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\TestSignRoot | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\TestSignRoot | wps_lid.lid-e8BnL2v7Bbrm.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\Certificates | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CRLs | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CTLs | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CTLs | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CRLs | wps_lid.lid-e8BnL2v7Bbrm.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CTLs | wps_lid.lid-e8BnL2v7Bbrm.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\TrustedDevices | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\eSIM Certification Authorities | wps_lid.lid-e8BnL2v7Bbrm.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\WindowsServerUpdateServices | wps_lid.lid-e8BnL2v7Bbrm.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CRLs | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CRLs | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CRLs | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Suspicious behavior: AddClipboardFormatListener 30 IoCs
pid Process
1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
116 ksomisc.exe
752 ksomisc.exe
1240 ksomisc.exe
3256 ksomisc.exe
4440 ksomisc.exe
3236 ksomisc.exe
5068 ksomisc.exe
1908 ksomisc.exe
400 ksomisc.exe
4508 ksomisc.exe
1956 ksomisc.exe
3236 ksomisc.exe
1564 ksomisc.exe
5016 ksomisc.exe
3992 ksomisc.exe
2468 ksomisc.exe
4820 ksomisc.exe
876 ksomisc.exe
748 ksomisc.exe
4152 ksomisc.exe
5012 wpsupdate.exe
3764 wpsupdate.exe
4468 ksomisc.exe
440 ksomisc.exe
2316 ksomisc.exe
972 ksomisc.exe
1656 ksomisc.exe
2980 ksomisc.exe
4316 ksomisc.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
2904 wps_lid.lid-e8BnL2v7Bbrm.exe
2904 wps_lid.lid-e8BnL2v7Bbrm.exe
1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
116 ksomisc.exe
116 ksomisc.exe
116 ksomisc.exe
116 ksomisc.exe
116 ksomisc.exe
116 ksomisc.exe
116 ksomisc.exe
116 ksomisc.exe
752 ksomisc.exe
752 ksomisc.exe
752 ksomisc.exe
752 ksomisc.exe
752 ksomisc.exe
752 ksomisc.exe
752 ksomisc.exe
752 ksomisc.exe
1240 ksomisc.exe
1240 ksomisc.exe
1240 ksomisc.exe
1240 ksomisc.exe
1240 ksomisc.exe
1240 ksomisc.exe
1240 ksomisc.exe
1240 ksomisc.exe
1616 wpscloudsvr.exe
1616 wpscloudsvr.exe
3256 ksomisc.exe
3256 ksomisc.exe
3256 ksomisc.exe
3256 ksomisc.exe
3256 ksomisc.exe
3256 ksomisc.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe -
Suspicious use of AdjustPrivilegeToken 61 IoCs
description pid Process
Token: SeDebugPrivilege 1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Token: SeRestorePrivilege 1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Token: SeRestorePrivilege 1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Token: SeRestorePrivilege 1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Token: SeRestorePrivilege 1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
Token: SeDebugPrivilege 116 ksomisc.exe
Token: SeLockMemoryPrivilege 116 ksomisc.exe
Token: SeDebugPrivilege 752 ksomisc.exe
Token: SeLockMemoryPrivilege 752 ksomisc.exe
Token: SeDebugPrivilege 1240 ksomisc.exe
Token: SeLockMemoryPrivilege 1240 ksomisc.exe
Token: SeDebugPrivilege 3256 ksomisc.exe
Token: SeLockMemoryPrivilege 3256 ksomisc.exe
Token: SeDebugPrivilege 4440 ksomisc.exe
Token: SeLockMemoryPrivilege 4440 ksomisc.exe
Token: SeDebugPrivilege 3236 ksomisc.exe
Token: SeLockMemoryPrivilege 3236 ksomisc.exe
Token: SeDebugPrivilege 5068 ksomisc.exe
Token: SeLockMemoryPrivilege 5068 ksomisc.exe
Token: SeDebugPrivilege 1908 ksomisc.exe
Token: SeLockMemoryPrivilege 1908 ksomisc.exe
Token: SeDebugPrivilege 400 ksomisc.exe
Token: SeLockMemoryPrivilege 400 ksomisc.exe
Token: SeDebugPrivilege 4508 ksomisc.exe
Token: SeLockMemoryPrivilege 4508 ksomisc.exe
Token: SeDebugPrivilege 1956 ksomisc.exe
Token: SeLockMemoryPrivilege 1956 ksomisc.exe
Token: SeDebugPrivilege 3236 ksomisc.exe
Token: SeLockMemoryPrivilege 3236 ksomisc.exe
Token: SeDebugPrivilege 1564 ksomisc.exe
Token: SeLockMemoryPrivilege 1564 ksomisc.exe
Token: SeDebugPrivilege 5016 ksomisc.exe
Token: SeLockMemoryPrivilege 5016 ksomisc.exe
Token: SeDebugPrivilege 3992 ksomisc.exe
Token: SeLockMemoryPrivilege 3992 ksomisc.exe
Token: SeDebugPrivilege 2468 ksomisc.exe
Token: SeLockMemoryPrivilege 2468 ksomisc.exe
Token: SeDebugPrivilege 4820 ksomisc.exe
Token: SeLockMemoryPrivilege 4820 ksomisc.exe
Token: SeDebugPrivilege 876 ksomisc.exe
Token: SeLockMemoryPrivilege 876 ksomisc.exe
Token: SeDebugPrivilege 748 ksomisc.exe
Token: SeLockMemoryPrivilege 748 ksomisc.exe
Token: SeDebugPrivilege 4152 ksomisc.exe
Token: SeLockMemoryPrivilege 4152 ksomisc.exe
Token: SeLockMemoryPrivilege 5012 wpsupdate.exe
Token: SeLockMemoryPrivilege 3764 wpsupdate.exe
Token: SeDebugPrivilege 4468 ksomisc.exe
Token: SeLockMemoryPrivilege 4468 ksomisc.exe
Token: SeDebugPrivilege 440 ksomisc.exe
Token: SeLockMemoryPrivilege 440 ksomisc.exe
Token: SeDebugPrivilege 2316 ksomisc.exe
Token: SeLockMemoryPrivilege 2316 ksomisc.exe
Token: SeDebugPrivilege 972 ksomisc.exe
Token: SeLockMemoryPrivilege 972 ksomisc.exe
Token: SeDebugPrivilege 1656 ksomisc.exe
Token: SeLockMemoryPrivilege 1656 ksomisc.exe
Token: SeDebugPrivilege 2980 ksomisc.exe
Token: SeLockMemoryPrivilege 2980 ksomisc.exe
Token: SeDebugPrivilege 4316 ksomisc.exe
Token: SeLockMemoryPrivilege 4316 ksomisc.exe -
Suspicious use of FindShellTrayWindow 12 IoCs
pid Process
1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
3236 ksomisc.exe
2904 wps_lid.lid-e8BnL2v7Bbrm.exe
2904 wps_lid.lid-e8BnL2v7Bbrm.exe
2904 wps_lid.lid-e8BnL2v7Bbrm.exe
2904 wps_lid.lid-e8BnL2v7Bbrm.exe
2904 wps_lid.lid-e8BnL2v7Bbrm.exe
2904 wps_lid.lid-e8BnL2v7Bbrm.exe
2904 wps_lid.lid-e8BnL2v7Bbrm.exe
2904 wps_lid.lid-e8BnL2v7Bbrm.exe
2904 wps_lid.lid-e8BnL2v7Bbrm.exe
2904 wps_lid.lid-e8BnL2v7Bbrm.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process
1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
116 ksomisc.exe
116 ksomisc.exe
752 ksomisc.exe
752 ksomisc.exe
752 ksomisc.exe
752 ksomisc.exe
1240 ksomisc.exe
1240 ksomisc.exe
1240 ksomisc.exe
1240 ksomisc.exe
3256 ksomisc.exe
3256 ksomisc.exe
4440 ksomisc.exe
4440 ksomisc.exe
3236 ksomisc.exe
3236 ksomisc.exe
5068 ksomisc.exe
5068 ksomisc.exe
1908 ksomisc.exe
1908 ksomisc.exe
400 ksomisc.exe
400 ksomisc.exe
4508 ksomisc.exe
4508 ksomisc.exe
1956 ksomisc.exe
1956 ksomisc.exe
3236 ksomisc.exe
3236 ksomisc.exe
1564 ksomisc.exe
1564 ksomisc.exe
5016 ksomisc.exe
5016 ksomisc.exe
3992 ksomisc.exe
3992 ksomisc.exe
2468 ksomisc.exe
2468 ksomisc.exe
4820 ksomisc.exe
4820 ksomisc.exe
876 ksomisc.exe
876 ksomisc.exe
748 ksomisc.exe
748 ksomisc.exe
4152 ksomisc.exe
4152 ksomisc.exe
5012 wpsupdate.exe
5012 wpsupdate.exe
3764 wpsupdate.exe
3764 wpsupdate.exe
4468 ksomisc.exe
4468 ksomisc.exe
440 ksomisc.exe
440 ksomisc.exe
2316 ksomisc.exe
2316 ksomisc.exe
2316 ksomisc.exe
2316 ksomisc.exe
972 ksomisc.exe
972 ksomisc.exe
1656 ksomisc.exe
1656 ksomisc.exe
2980 ksomisc.exe
2980 ksomisc.exe
4316 ksomisc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2904 wrote to memory of 1880 2904 wps_lid.lid-e8BnL2v7Bbrm.exe 95
PID 2904 wrote to memory of 1880 2904 wps_lid.lid-e8BnL2v7Bbrm.exe 95
PID 2904 wrote to memory of 1880 2904 wps_lid.lid-e8BnL2v7Bbrm.exe 95
PID 2428 wrote to memory of 116 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 101
PID 2428 wrote to memory of 116 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 101
PID 2428 wrote to memory of 116 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 101
PID 2428 wrote to memory of 752 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 102
PID 2428 wrote to memory of 752 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 102
PID 2428 wrote to memory of 752 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 102
PID 2428 wrote to memory of 1240 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 103
PID 2428 wrote to memory of 1240 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 103
PID 2428 wrote to memory of 1240 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 103
PID 1880 wrote to memory of 1616 1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 104
PID 1880 wrote to memory of 1616 1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 104
PID 1880 wrote to memory of 1616 1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 104
PID 2428 wrote to memory of 3256 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 105
PID 2428 wrote to memory of 3256 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 105
PID 2428 wrote to memory of 3256 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 105
PID 2428 wrote to memory of 4440 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 106
PID 2428 wrote to memory of 4440 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 106
PID 2428 wrote to memory of 4440 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 106
PID 4440 wrote to memory of 876 4440 ksomisc.exe 127
PID 4440 wrote to memory of 876 4440 ksomisc.exe 127
PID 4440 wrote to memory of 876 4440 ksomisc.exe 127
PID 4440 wrote to memory of 2776 4440 ksomisc.exe 133
PID 4440 wrote to memory of 2776 4440 ksomisc.exe 133
PID 4440 wrote to memory of 2776 4440 ksomisc.exe 133
PID 2776 wrote to memory of 3144 2776 regsvr32.exe 109
PID 2776 wrote to memory of 3144 2776 regsvr32.exe 109
PID 1880 wrote to memory of 3236 1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 116
PID 1880 wrote to memory of 3236 1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 116
PID 1880 wrote to memory of 3236 1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 116
PID 1880 wrote to memory of 5068 1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 111
PID 1880 wrote to memory of 5068 1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 111
PID 1880 wrote to memory of 5068 1880 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 111
PID 2428 wrote to memory of 1908 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 112
PID 2428 wrote to memory of 1908 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 112
PID 2428 wrote to memory of 1908 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 112
PID 2428 wrote to memory of 400 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 113
PID 2428 wrote to memory of 400 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 113
PID 2428 wrote to memory of 400 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 113
PID 2428 wrote to memory of 4508 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 114
PID 2428 wrote to memory of 4508 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 114
PID 2428 wrote to memory of 4508 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 114
PID 2428 wrote to memory of 1956 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 115
PID 2428 wrote to memory of 1956 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 115
PID 2428 wrote to memory of 1956 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 115
PID 2428 wrote to memory of 3236 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 116
PID 2428 wrote to memory of 3236 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 116
PID 2428 wrote to memory of 3236 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 116
PID 2428 wrote to memory of 1564 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 118
PID 2428 wrote to memory of 1564 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 118
PID 2428 wrote to memory of 1564 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 118
PID 1564 wrote to memory of 4392 1564 ksomisc.exe 119
PID 1564 wrote to memory of 4392 1564 ksomisc.exe 119
PID 1564 wrote to memory of 4392 1564 ksomisc.exe 119
PID 4392 wrote to memory of 3520 4392 wps.exe 120
PID 4392 wrote to memory of 3520 4392 wps.exe 120
PID 4392 wrote to memory of 3520 4392 wps.exe 120
PID 4392 wrote to memory of 1084 4392 wps.exe 121
PID 4392 wrote to memory of 1084 4392 wps.exe 121
PID 4392 wrote to memory of 1084 4392 wps.exe 121
PID 2428 wrote to memory of 5016 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 122
PID 2428 wrote to memory of 5016 2428 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe 122
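Three of the tables above carry most of the triage value in this report, and each has a reading caveat. The certificate-store rows are all "Key created" on store containers (the store itself or its Certificates, CRLs and CTLs subkeys); Windows creates those when a process merely opens the per-user stores, whereas an actual certificate install shows up as a subkey named by the SHA-1 thumbprint under <store>\Certificates. The WriteProcessMemory rows double as a process-lineage source, since the sandbox logs the writes CreateProcess performs into the new child, but PIDs are reused within the run (876 is both a regsvr32.exe child of 4440 and a later ksomisc.exe, 2776 is both regsvr32.exe and a wpscloudsvr.exe CheckService instance, and 3236 is claimed by both 1880 and 2428), so conflicts must be resolved against the Processes tree below rather than by PID alone. The AdjustPrivilegeToken rows are best read per PID, since SeDebugPrivilege next to SeLockMemoryPrivilege in every ksomisc.exe instance says more than 61 separate events do. The script below is an added example, not part of the sandbox report or of WPS Office; it parses the flattened row layout shown on this page, using short excerpts copied from the tables as sample input plus one row that is explicitly constructed to show what a real certificate install would look like.

```python
"""Triage helpers for the flattened "description ioc Process" tables above.
Added example, not part of the sandbox report or of WPS Office. Sample strings
are excerpts copied from the tables on this page, plus one row marked constructed."""
import re
from collections import defaultdict

SID = r"\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000"
SETUP = "060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe"

# Excerpt of the "Modifies system certificate store" table (copied from the page).
CERT_ROWS = (
    f"Key created {SID}\\SOFTWARE\\Microsoft\\SystemCertificates\\eSIM Certification Authorities\\CRLs ksomisc.exe "
    f"Key created {SID}\\SOFTWARE\\Microsoft\\SystemCertificates\\TrustedDevices\\Certificates wps_lid.lid-e8BnL2v7Bbrm.exe "
    f"Key created {SID}\\Software\\Microsoft\\SystemCertificates\\Windows Live ID Token Issuer {SETUP}"
)
# Constructed row (NOT from the page): a real install creates a thumbprint-named subkey.
CONSTRUCTED_CERT_INSTALL = (
    f"Key created {SID}\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates"
    "\\0123456789ABCDEF0123456789ABCDEF01234567 sample.exe"
)
# Excerpt of the "Suspicious use of WriteProcessMemory" table (copied from the page).
WPM_ROWS = (
    "PID 2904 wrote to memory of 1880 2904 wps_lid.lid-e8BnL2v7Bbrm.exe 95 "
    "PID 2904 wrote to memory of 1880 2904 wps_lid.lid-e8BnL2v7Bbrm.exe 95 "
    "PID 4440 wrote to memory of 876 4440 ksomisc.exe 127 "
    "PID 4440 wrote to memory of 2776 4440 ksomisc.exe 133 "
    f"PID 1880 wrote to memory of 3236 1880 {SETUP} 116 "
    f"PID 2428 wrote to memory of 3236 2428 {SETUP} 116"
)
# Excerpt of the "Suspicious use of AdjustPrivilegeToken" table (copied from the page).
PRIV_ROWS = (
    f"Token: SeDebugPrivilege 1880 {SETUP} Token: SeRestorePrivilege 1880 {SETUP} "
    "Token: SeDebugPrivilege 116 ksomisc.exe Token: SeLockMemoryPrivilege 116 ksomisc.exe "
    "Token: SeLockMemoryPrivilege 5012 wpsupdate.exe"
)

_CERT_ROW = re.compile(r"Key created (\\REGISTRY\\.+?) (\S+\.exe)(?=\s+Key created|\s*$)")
_THUMBPRINT_KEY = re.compile(r"\\Certificates\\[0-9A-Fa-f]{40}$")
_STORE_NAME = re.compile(r"\\SystemCertificates\\([^\\]+)")
_WPM_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
_PRIV_ROW = re.compile(r"Token: (Se\w+Privilege) (\d+) (\S+)")


def parse_cert_rows(text):
    """[(key path, process)] for every 'Key created' row of a flattened table."""
    return [(m.group(1), m.group(2)) for m in _CERT_ROW.finditer(text)]


def classify_cert_key(path):
    """'certificate' for a thumbprint-named entry (a cert really was added);
    'container' for the empty store/Certificates/CRLs/CTLs keys that Windows
    creates when a process merely opens the per-user stores."""
    return "certificate" if _THUMBPRINT_KEY.search(path) else "container"


def cert_store_summary(text):
    """store name -> {'processes': set of images, 'installed': [thumbprint keys]}."""
    out = defaultdict(lambda: {"processes": set(), "installed": []})
    for path, proc in parse_cert_rows(text):
        m = _STORE_NAME.search(path)
        store = m.group(1) if m else "?"
        out[store]["processes"].add(proc)
        if classify_cert_key(path) == "certificate":
            out[store]["installed"].append(path)
    return dict(out)


def parse_wpm_rows(text):
    """[(parent pid, child pid, parent image, procid_target)]."""
    return [(int(a), int(b), img, int(t)) for a, b, img, t in _WPM_ROW.findall(text)]


def process_tree(text):
    """parent pid -> ordered, de-duplicated child pids (one row is logged per
    WriteProcessMemory call during process creation, so edges repeat)."""
    tree = defaultdict(list)
    for parent, child, _, _ in parse_wpm_rows(text):
        if child not in tree[parent]:
            tree[parent].append(child)
    return dict(tree)


def ambiguous_children(text):
    """child pid -> sorted parent pids for children claimed by more than one
    parent: PID reuse inside the run, to be resolved against the Processes tree."""
    parents = defaultdict(set)
    for parent, child, _, _ in parse_wpm_rows(text):
        parents[child].add(parent)
    return {c: sorted(p) for c, p in parents.items() if len(p) > 1}


def privileges_by_pid(text):
    """pid -> (image, sorted privilege names) from an AdjustPrivilegeToken table."""
    acc = {}
    for priv, pid, img in _PRIV_ROW.findall(text):
        acc.setdefault(int(pid), (img, set()))[1].add(priv)
    return {pid: (img, sorted(privs)) for pid, (img, privs) in acc.items()}


if __name__ == "__main__":
    for store, info in sorted(cert_store_summary(CERT_ROWS).items()):
        print(f"{store}: {sorted(info['processes'])} installed={info['installed']}")
    print("lineage:", process_tree(WPM_ROWS), "ambiguous:", ambiguous_children(WPM_ROWS))
    print("privileges:", privileges_by_pid(PRIV_ROWS))
```

To run it over the full report, paste each table's row text into the corresponding constant; the regexes only assume that key paths start with \REGISTRY\ and that process names end in .exe, which holds for every row on this page.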
Processes
-
C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe"C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe"1⤵
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exeC:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe -installCallByOnlineSetup -asso_pic_setup -createIcons -curlangofinstalledproduct=en_US -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps -enableSetupMuiPkg -appdata="C:\Users\Admin\AppData\Roaming"2⤵
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1616
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regmtfont3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3236
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -setappcap3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5068
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -assoepub -source=13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:748
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -registerqingshellext 13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4152
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\html2pdf\html2pdf.dll"3⤵
- System Location Discovery: System Language Discovery
PID:4244
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regmso2pdfplugins3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4468 -
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins.dll"4⤵
- System Location Discovery: System Language Discovery
PID:4428
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"4⤵
- System Location Discovery: System Language Discovery
PID:1904 -
C:\Windows\system32\regsvr32.exe/s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"5⤵PID:3420
-
-
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regPreviewHandler3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:440
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -assopic_setup3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2316
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -defragment3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4316
-
-
-
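Three processes in the tree above (the wps_lid downloader, the setup executable and ksomisc.exe) carry the "Writes to the Master Boot Record (MBR)" tag. The IoC behind it, as recorded in the signatures section, is \??\PhysicalDrive0 opened for modification, that is, a handle requested with write access; the report does not show a sector write. Software that fingerprints the machine for licensing or telemetry can trigger the same IoC by opening the physical drive to read disk identifiers, so the tag on its own does not separate an installer from a bootkit. What settles it is comparing sector 0 before and after the run. The script below is an added example, not code from the report or from WPS Office: parse_mbr() decodes any 512-byte sector, mbr_diff() reports which parts changed, read_sector0() reads the live device (Windows, elevated), and SAMPLE_MBR is constructed in the script rather than captured from a disk.

```python
"""Check whether sector 0 (the MBR) actually changed.
Added example, not code from the report or from WPS Office. parse_mbr() works on
any 512-byte buffer; SAMPLE_MBR is constructed here, not captured from a disk.
read_sector0() needs administrator rights and a real device path."""
import hashlib
import struct

SECTOR = 512
BOOTSTRAP_LEN = 440       # code area; the 4-byte disk signature sits at offset 440
PART_TABLE_OFF = 446
PART_ENTRY = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA, count
GPT_PROTECTIVE = 0xEE


def parse_mbr(sector):
    """Describe an MBR; raise ValueError if the sector is short or unsigned."""
    if len(sector) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype:  # type 0 marks an empty slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "gpt_protective": any(p["type"] == GPT_PROTECTIVE for p in parts),
        "partitions": parts,
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
    }


def mbr_diff(before, after):
    """Which parts of sector 0 differ. The disk signature is reported separately
    because Windows itself can rewrite it to resolve a signature collision, so a
    change there is weaker evidence than new bootstrap code or a new table."""
    a, b = parse_mbr(before), parse_mbr(after)
    return {
        "bootstrap": a["bootstrap_sha256"] != b["bootstrap_sha256"],
        "partitions": a["partitions"] != b["partitions"],
        "disk_signature": a["disk_signature"] != b["disk_signature"],
    }


def build_sample_mbr(bootstrap=b"\x33\xC0\x8E\xD0", disk_sig=0xDEADBEEF, partitions=()):
    """Construct a test sector (not a real disk image). partitions: (type, lba, count, bootable)."""
    buf = bytearray(SECTOR)
    buf[:len(bootstrap)] = bootstrap
    struct.pack_into("<I", buf, 440, disk_sig)
    for i, (ptype, lba, count, bootable) in enumerate(partitions):
        struct.pack_into(PART_ENTRY, buf, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, count)
    buf[510:512] = b"\x55\xAA"
    return bytes(buf)


def read_sector0(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 read-only from a raw device (Windows: run elevated; Linux:
    e.g. /dev/sda). The checker must never be the one holding write access."""
    with open(device, "rb", buffering=0) as fh:
        return fh.read(SECTOR)


SAMPLE_MBR = build_sample_mbr(partitions=((0x07, 2048, 1048576, True),))

if __name__ == "__main__":
    import sys
    # Usage: python mbr_check.py baseline.bin \\.\PhysicalDrive0
    # Save the baseline before the install, compare after; with no arguments
    # the constructed sample is parsed instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            baseline = fh.read(SECTOR)
        print(mbr_diff(baseline, read_sector0(sys.argv[2])))
    else:
        print(parse_mbr(SAMPLE_MBR))
```

On a GPT disk the first sector still holds a protective MBR with a single type 0xEE entry; the parser flags that case so a bootkit check on such a machine knows to go on and hash the EFI System Partition loader as well, which this script does not cover.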
C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe"C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe" -downpower -installCallByOnlineSetup -asso_pic_setup -createIcons -curlangofinstalledproduct="en_US" -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -enableSetupMuiPkg="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -appdata="C:\Users\Admin\AppData\Roaming" -msgwndname=wpssetup_message_E580D59 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\1⤵
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setlng en_US2⤵
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:116
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -getonlineparam 00600.00001018 -forceperusermode2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:752
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -getabtest -forceperusermode2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1240
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setservers2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3256
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -register2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins.dll"3⤵
- System Location Discovery: System Language Discovery
PID:876
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\system32\regsvr32.exe/s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"4⤵PID:3144
-
-
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -uncompatiblemso2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1908
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -saveas_mso2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:400
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -distsrc 00600.000010182⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4508
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -sendinstalldyn 52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1956
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3236
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -externaltask create -forceperusermode2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4392 -
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" CheckService4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3520
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.18607/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=4392 /prv4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1084
-
-
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink startmenu prometheus2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5016
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink startmenu pdf2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3992
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink desktop pdf2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2468
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink desktop prometheus2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4820
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createCustomDestList
Tree depth: 2
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 876
-
C:\Windows\SysWOW64\regsvr32.exe
Command line: "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kwpsmenushellext64.dll"
Tree depth: 2
- System Location Discovery: System Language Discovery
PID: 2544
C:\Windows\system32\regsvr32.exe
Command line: /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kwpsmenushellext64.dll"
Tree depth: 3 (child of PID 2544)
- Modifies system executable filetype association
PID: 4932
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe" /from:setup
Tree depth: 2
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 5012
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
Command line: "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
Tree depth: 3 (child of PID 5012)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2776
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe" -createtask
Tree depth: 2
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 3764
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
Command line: "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
Tree depth: 3 (child of PID 3764)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2012
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createexternstartmenu "WPS Office"
Tree depth: 2
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 972
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -rebuildicon
Tree depth: 2
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 1656
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -reportAssoInfo -forceperusermode
Tree depth: 2
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2980
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Event Triggered Execution (2): Change Default File Association (1), Component Object Model Hijacking (1)
- Pre-OS Boot (1): Bootkit (1)
Privilege Escalation
- Event Triggered Execution (2): Change Default File Association (1), Component Object Model Hijacking (1)
Defense Evasion
- Modify Registry (3)
- Pre-OS Boot (1): Bootkit (1)
- Subvert Trust Controls (1): Install Root Certificate (1)
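The ATT&CK rows above are derived from the process tree, but the extracted tree lines run the image path, the quoted command line and the tree depth together, which makes them awkward to grep or feed to a rule. The Python below is an added example written for this page; it is not Triage's code and not part of WPS Office. It splits three tree lines copied from the report (embedded as constructed sample input) into image, command line and depth, then applies three triage rules that are my own reading of the report rather than anything the sandbox states: regsvr32 with /n /i:user calls the DLL's DllInstall with the "user" argument, so the shell extension registers under HKCU\Software\Classes, which is the per-user registry activity behind the Change Default File Association and COM Hijacking rows; a SysWOW64 regsvr32 handed a 64-bit DLL relaunches the native regsvr32 from system32 (the PID 2544 / PID 4932 pair above), so the registration really happens in the child; and -createtask or ktaskschdtool.dll means scheduled-task tooling ran, which the ATT&CK table does not list and is worth checking by hand. The assumption that the tree depth is always a single digit is mine; every line in this report fits it.

```python
import re
from dataclasses import dataclass, field

ARROW = "\u2935"  # the arrow glyph the extracted tree lines end with

# Constructed sample input: three process-tree lines copied from the report
# above, in the run-together form the page shows (image path, then the quoted
# command line, then a one-digit tree depth and the arrow glyph).
SAMPLE_TREE = [
    r'C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s /n /i:user '
    r'"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kwpsmenushellext64.dll"2' + ARROW,
    r'C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe'
    r'"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe" -createtask2' + ARROW,
    r'C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe'
    r'"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -rebuildicon2' + ARROW,
]


@dataclass
class ProcEntry:
    image: str      # executable path printed before the quoted command line
    cmdline: str    # command line exactly as the sandbox recorded it
    depth: int      # nesting level in the tree (the digit fused onto the line)
    findings: list = field(default_factory=list)


# Assumption (mine, not stated by the page): the depth is always one digit.
_TAIL = re.compile(r"(\d)" + ARROW + r"$")


def parse_tree_line(line: str) -> ProcEntry:
    """Split one run-together tree line into image, command line and depth."""
    q = line.index('"')          # the recorded command line always opens with a quote
    rest = line[q:]
    m = _TAIL.search(rest)
    if m is None:
        raise ValueError("missing depth/arrow suffix: " + line)
    return ProcEntry(image=line[:q], cmdline=rest[:m.start()], depth=int(m.group(1)))


def triage(entry: ProcEntry) -> ProcEntry:
    """Attach analyst notes; the three rules are my own reading of this report."""
    img = entry.image.lower()
    cmd = entry.cmdline.lower()
    if img.endswith("regsvr32.exe") and "/i:user" in cmd:
        # DllInstall("user") asks the DLL to register per-user, i.e. under
        # HKCU\Software\Classes: the activity behind the report's
        # "Change Default File Association" / "COM Hijacking" rows.
        entry.findings.append("per-user COM/shell-extension registration (regsvr32 /i:user)")
    if "\\syswow64\\" in img and "64.dll" in cmd:
        # A 32-bit regsvr32 given a 64-bit DLL relaunches the native regsvr32
        # from system32, so the registration really happens in the child PID.
        entry.findings.append("WoW64 regsvr32 relaunch expected; inspect the child process")
    if "-createtask" in cmd or "ktaskschdtool.dll" in cmd:
        # Not in the ATT&CK table above; enumerate the user's scheduled tasks by hand.
        entry.findings.append("scheduled-task helper invoked; enumerate tasks created for this user")
    return entry


def analyze(lines):
    """Parse and triage every tree line, preserving the report's order."""
    return [triage(parse_tree_line(line)) for line in lines]


if __name__ == "__main__":
    for e in analyze(SAMPLE_TREE):
        print(f"[depth {e.depth}] {e.image}")
        print(f"    {e.cmdline}")
        for f in e.findings:
            print(f"    -> {f}")
```

Run it directly to print the parsed tree with the notes attached; pasting the remaining tree lines from the report into SAMPLE_TREE in the same run-together form is all that is needed to cover the whole sample.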
Downloads
-
Filesize: 1.1MB
MD5: f250f6f6db34808e67bc3a603312f93d
SHA1: 9de21d268b014fd8e042699372c48696b4e824f9
SHA256: d81d04cf294985d535a25d8d1797a3f65155b0b3cbc5095922cfe122354066bc
SHA512: ae354243032cb28fdbca69fdbffabb677e4a5f96e957b56377a1381605d8de1fccbaa8db183c375932aee9130fe8b0e5de9c581d4cf9cf3aee19b3e1f43d1839
-
Filesize: 170KB
MD5: 3e08e7ca30a665c5f0f9cf14e269f028
SHA1: dcc612f071c7c7349ee0240291ff8bbf4a8a0c46
SHA256: b658adc8782c0fb998b0535ba166f9aaa59e3cd193e1cfcce0e9b4c918f20834
SHA512: 0f6a81e079fbec8a52eabb1c1bd2dafa7d64194008d1c839988e70faef971f8be81bc48c8ea0f79db32a8b1fbce0270992ca3d15df3bea121260c168e41d5ee9
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kodfconverthelper_xa\mui\pt_BR\kodfconverthelper.qm
Filesize: 334B
MD5: 2b42be10ddde43a0b6c2e461beae293a
SHA1: 53888c4798bc04fdfc5a266587b8dc1c4e0103f3
SHA256: 984ebeef80f6f50907afb92e5b5ae72df49fce045552c118a77a8887cc98e19b
SHA512: be3ebd02d37de367200696351fb5f9cd0ec4c206c3a33f281cb8b62386457a30a899322798c63a0d495577393e47258994feb7f8e2445645f552c2b7a2de6778
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\pt_PT\history.js
Filesize: 198KB
MD5: b4b4c703bf5c6c0b5e9c57f05012d234
SHA1: 929aee49e800e88b4b01f4a449fa86715d882e42
SHA256: 910eada285d4900ea8e36faf305f731cfb200b317ea866839f5f4864a9dfc09b
SHA512: 2afa881ee2f47e97249904b506cf88d68a34c166d9dc0a603f68369e640336f2c0b424ecb7b23d4631a96e175b965478bfa4ebc0224b0410551e55ac4c8ad0ec
-
Filesize: 434B
MD5: e6c8b146640faf4ce794d6acef69ae92
SHA1: 7545235bc328a49b1304b8c6ee5663d43a53cf0f
SHA256: cc8027d21cf0750014fdcd5660349999c6a17db4d0449ba81ced2c04269ef6ba
SHA512: f13246c250235672fb76f1f41484e81865ede4de8f1a8d8476506b865d5a647a252f9a8fb7bd4c5561710f2f3a98291cbd22aee49c0025c77677774b32068853
-
Filesize: 177KB
MD5: d84cb177f4720bed63a55f8072e368eb
SHA1: 82c2caad9184fb2adbfb6a278d082cc1eb7852f8
SHA256: 9995f580f41f86b12b63d4ab6075568f18de9f2a685fa7368d28d348648f578a
SHA512: f385e1182ff0beee3d9051e3cdb4633279cadfd67cfc00ca47a056dc222c9ceeaab34d0b644abcae0b19d4bed81c45cfcd2c81a311b73ef21cd84021602faaf2
-
Filesize: 434KB
MD5: abf5ef5de210be0fd2c2a55ee365919b
SHA1: 6a9104f07a773bed0de1dc3c6774683acc293a87
SHA256: 064c79fb4d88701c466bb6fd61e1bcfc094b632e641c6e813bf07f699c39f292
SHA512: 4fa3004296878d0c12203306ab87f7600449bf2326d80bcde041d4b69ffd37d5d97e12214994501f5cb87eeb288d7936004e044c5200c2fc49db855e66448f5a
-
Filesize: 7.1MB
MD5: 86110ee28cdb72aed1ec60ade94aeb56
SHA1: 61457137d8748d477e2e7052c61d8c5b97dd2b70
SHA256: 9fdf3777efab5262b762097b7178542b506546ad6509006fea8cb90193f09b75
SHA512: 04700e2e0c6360f3c0ad33ff8e21b9843059d97d7a4ea2c7697fc2baaa613675278308d3687c6b729acffb7d8f7c14e5353f8ec81e7f1fcc5e2f87802b923917
-
Filesize: 1.1MB
MD5: fd7ef27a8780754d160ee2f70780e62f
SHA1: 41c463d3a38704a2e3b83d01e73f225f14c1e219
SHA256: bafb2c6e3b0dc17f9b487ec50904300e2d0b3db865471f0d9b0e2192ee8bd0cd
SHA512: 2801e94578571d89f1191eaf4a53324134fff14ffa3835353a184a13eada6467884d7d5e2055628c167b52db3d4dd66b07e90d976607c45acbc916dd67a74851
-
Filesize: 23.1MB
MD5: 8603a85045dee666f1d6005d9a2971e5
SHA1: 1b4ed0a58d4fd64a6053ad5182bbae332eadde9d
SHA256: ca738344b0b9655203e3135c57edd7505d293833def2ca888ac0726993d1d25a
SHA512: 4d10a004e67b24a6ff5293e582b1870014105b06e0e6bf6b26b90676e9e8007213c409dddb3fa913e214e57429d7a101a20ecdbf957bdd971ede7a90058eb34c
-
Filesize: 24.7MB
MD5: a5ecce5a776b0bae9c2cea3a0e42bf91
SHA1: 9b0fcacd05b782d2d80dacde5b81c99ad3570935
SHA256: 1374472aeda7d1fd5cf6f48b1537e8718b7c965e7a57f540b5bce5153717450d
SHA512: e5da33f771a063e8b8c30e5df54b2410b045b353c9a781b248346460cf4e9baf977b564d3f4ca4729e9ee67e6322b62ba5f85a9d334be567bfe2a67dd55fc8c2
-
Filesize: 9.9MB
MD5: 9792e7046e96eef015b554282242434a
SHA1: 87205b343319d7e65a532bc3f696c5719b3d7161
SHA256: 5e591faf4e4b59126e975472a63452b7c680b7c0cfff3467165140781b3eae39
SHA512: 18bbb08d0e2fdc2d7c0c79d454cf97c6d1fc74ac31906b4dc46cec497d8a130a48810feb87148e61147c72be6a6c9bff919b8907ffc2cb4db53011f7f4b14d45
-
Filesize: 3.1MB
MD5: 7680119f3de2925404ae2615898ac605
SHA1: 0b3f27db9fda31d2b525df17e139eff72b4a4c33
SHA256: fa3220a10fe02de228a7b3ab809a0d6ab80f49d523d4b1d1cd1ac9edd11dc727
SHA512: 06714dc58b3ad702871a026c1855b93c7c887c31f6794eb579574321a7fc6779265bab37234abe7d1ae9d3b4ad4934915ba4fc091e1af646f5af2542de48b2cc
-
Filesize: 1.8MB
MD5: aaa222915e0c9c32406b8b963019f97b
SHA1: 3e45dc1d0b2d1ad602644bf349b3463b0c0f8f70
SHA256: 32067809feb6de0de2c7885655595b9b4a830dfa0799f65e07d34355e30d8942
SHA512: 656e4f30727cfe790a0e8f1067a394a8d6c00d0f9911072dbfd22529fc433a45d7bb73cb76f744af22ca34c462a35ae4f2e5c2e8b36d349eaca85d311be42d0e
-
Filesize: 2.6MB
MD5: 40e03f699a98ce5b07529824c1a894d2
SHA1: 9e4e00a4fdcc0fab32d9aad86a125ce2c165bdf0
SHA256: fc99346063db1cfc3fc2504847e137aca5a425ff828056f51db858a985c687dc
SHA512: 8b1824b5c4b059520cbb752e1deb790191ece775709285a0a3bd5fdf0d9181464a8f3337cccbbe95e27096fe88d326d03f0d5d19a65f67ecd132e5c69ea71b18
-
Filesize: 513KB
MD5: ee36a69232c862b84bbab1b5b60817a6
SHA1: 760e9635292bf68f5a2fd692395c9fb2f8372ad4
SHA256: 94101330974312d8f11c747abf423c44fb722434d29d2b3afe324f80a7ec6601
SHA512: 205858c1e7afe64156b17cb7c6bb261f29cc65cbe43546f41dfd9679d8113462314746324631d0ef36057170b7bb6ab32160509bdded62d42af851a57a966d8c
-
Filesize: 565KB
MD5: 9a1e1d44af39f2b63ca7939041095b37
SHA1: 52f5ee389357b73c7d7c97399cb736070515e434
SHA256: 60930f7daaf4bb52768878e9f3a96f61bce17fb5d0e5a7468499e34eaa744c44
SHA512: 1d4a38fcccb72ae033929169c169303884d115f05b4f9c8643a3f1072ca6645a5c5d13a0f64fc2f646f17a314651de9ec96438a21d381711cf7630fd22cb759f
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\mui\ja_JP\resource\splash\hdpi\2x\ent_background_2019_wpsoffice.png
Filesize: 236KB
MD5: c5ad1903526a9ca4c2f55cfea1e22778
SHA1: 9c7b9ba9100a919cad272fb85ff95c4cde45de9f
SHA256: 5e7ba996d2331f37b9799767c0fa806cab9a39fea434796ab08dcaf39096e334
SHA512: e482142e81fbe71666b40f7a2c53702b4278436a0240e0f56200443cf4235d9942cccc3545cc01486d53a0972be553cbf93442e8b05de7b4fcd1fe8a4ec16bb4
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\qt\plugins\platforms\qdirect2d.dll
Filesize: 1.4MB
MD5: bd5884a7c9cc473a229b953154a52c52
SHA1: 28bfe5cc3a0e162a1b3a4bd19896c2ccfe2846da
SHA256: d3a8df4594ccdf7d7c27cb06b7a04bc929675cf184193d9ef8a50cddf07978bb
SHA512: 5c47db9249d6568d37f82410a7009a8a92c2f5b1509d7545b4d3ebb21d9d9718a3eb392c4a1ecbf4a4e0e594e0c593df2ac0589288d846c0a7e485b85902a0df
-
Filesize: 904KB
MD5: 93319d7add53c7c8c364012d5b61f3c6
SHA1: b78f3c6e393b029a1596ad4c9671e2ec9c9a4f39
SHA256: 9d053f657250bc0705d84644a3d05eb9d008f75a52d360b772140eea5e271c66
SHA512: f2b638483bc29c6a766041c434b79a574f34e1ddcd3cc2b5ac6bf4f970a74af919f531fd1868e0ac28dcc1eeb88646f9ee428d6f916a1beacf174e11e08f2361
-
Filesize: 499B
MD5: 2bbf97f08f6d2bb9323e95798ef64240
SHA1: 0890b2b6c733ca6f5d0442e82824dfdfe449ae70
SHA256: 9c73fc25f37b3bfcfb26916ae16248998651b3d0ca66b23d5230638ab10ddd26
SHA512: c983538513eebffee2910292c0a515bfc2eb8c70561bb1c4cc1ac77b98a4d18e153e2b8a3d4c06ee2c58cfd0e25148c5cdefe8cfb6939470c779c314ab2f5286
-
Filesize: 675B
MD5: 4c95f9ec17b9318ee8d1cb648da2981b
SHA1: 877b245c238652e9fd36843f147213ec057e3b22
SHA256: 2fa8deca3405b33a023a1c0372ccf9a341ae6711c960e5d224be57dacbbc5473
SHA512: b8e2451a1f2bf0b9f362607e5ad36c41f8c902db8c643b968a8b6249065468d354ad6d6bb3519429ef59aa850e1b28d9f53f0ee0db1711f74d570ed1a7e50560
-
Filesize: 2KB
MD5: 45efecdc0729a7263c2062e90f003668
SHA1: d24e3bb9147e099b7c3efe2b0632f8b25449d752
SHA256: 04490307a6b66e98703097d2190ed12d9485237ebdc38ddfa190a7c7e8883b80
SHA512: 708f3ea98e9923a91f1e2e7656cbbb0d4753f3860858c01f6e08b0688b317a60b234abf26e4e1c7818f005194b6ad54f25f8e49e77550785ff56e798f6f3b19a
-
Filesize: 5.0MB
MD5: 7fc37c5552ada776f404d3679b9b0c4c
SHA1: 9fba9ce4f16c935c5b8fbef62102cc7693b05f7c
SHA256: 6f681003b8e6c880891e082ee68ae18e3efa8da2ecf1707145f9ae3e3d4100cf
SHA512: d2007abf0cc8c01eda7db4614ea5a05114ebdc39b5afbb0f20c5ab75c1f9a799a52a6e86cf7dc4a5a38132bd88d7692fece16ffcd36a895aa1c81f135fee134e
-
Filesize: 5.3MB
MD5: be1f6ac2ccea42961c970aec7c496922
SHA1: 913e98b3d882bafd5d3ad33f06dccb33297c8668
SHA256: 30079d48f5baed9d2bf588bc87a114bbb6fb27ea5ef47c2b5f70f06b85eab463
SHA512: d650a0f95be6314f2bfecdea66e529bce6ed379ddadff658f57fe650d457f1e3dced583cd5ff4d5e15735b0880200b5f1b50388b709d2019ed139e3c985285d4
-
Filesize: 392KB
MD5: 70cee47ff4ea3ebf85f954fd9e827592
SHA1: 4de5401139f3ac3fc6e633a5dc98c3c8ccfc8cc0
SHA256: dcce40b45fde63f7333d2bcce1a763f1e482652912e38e18207313d39ea3a422
SHA512: 7c1bfe80f9ee1959c9f727e7ce0bcf29b0e65f490f7024cdd46f1a10d5d15be70d452857050c18993f881e066c9b34d0b0fda716ee89be0a36ebb98f37c70a5d
-
Filesize: 4.5MB
MD5: a7d93abf2841afe86a08230fb2fc14db
SHA1: 5b8874f7922f42dae7a9214370aef691e51d837a
SHA256: 98fd11afcad50d9ecf17f02b00947c73a88a3a8929c33bc7ee04f5a0da9dba2b
SHA512: 508c1725a3040353fa910743bb7d7f60b2f89171aa15bd0e0b7929db324a4256e9c7f001ac35d972ec77dcc642da8a36740c1cfbd7e4a4b421e0452024585af9
-
Filesize: 217KB
MD5: 0e15f2a1c22a7d0147ab6df139797a62
SHA1: 0f8207e8a1c1ff692a70c1668b2bafd566ba1718
SHA256: 6740b78526c22f1e8ea26c90d5a93436f8f2081f5f6da1c7f0e877937635977f
SHA512: 981946ea220caf0c237ad2b751aa0fd11a71cb7e1502dd74a3ffac1a6ae72981d8f8910b182a8cadc7404ccbb223b2c71a9bcdf00c01efe25f7aa8e1361f5d26
-
Filesize: 1.2MB
MD5: 56d017aef6a7c74cd136f2390b8ea6d3
SHA1: 46cc837c64abe4e757e66a24ece56e3f975e9ef6
SHA256: 900da3e0ea1b4f94773689b41d3f00b28b0fad0f6390da3aec3a9f84a3f85920
SHA512: 7b5573461693c6125df7ff9040afb6f4fa818a68add9073071a3317767216dd9a6cf25704f3189f3923ead36751fa830e9899eb79f9b6cad3be405262bf53f49
-
Filesize: 2.9MB
MD5: fb20ae8ae8b82e53f8f234c1d0c186b7
SHA1: c03b74f6544715b0f25d23ece700eb663b2f86fc
SHA256: 057dcefa9e5a21402308bf438eb081491699a468326e3c7890ca6c033e510503
SHA512: 09a519e5be8fc15ce5c31e7341d254cb1164e42851c45a8c5ca17552aa78a242d9c52009e75953762858baa8999e5aeeda3388efbcd4d778bc67e2a268ae1429
-
Filesize: 427KB
MD5: db1e9807b717b91ac6df6262141bd99f
SHA1: f55b0a6b2142c210bbfeebf1bac78134acc383b2
SHA256: 5a6dfa5e1ffb6c1e7fc76bd121c6c91305e10dd75fc2124f79fee291a9dd9e86
SHA512: f0621977d20989d21ae14b66c1a7a6c752bfd6d7ccc2c4c4ec1c70ba6756e642fb7f9b1c6a94afadd0f8a05d3c377792e4aa4c1a771d833c40a6f46b90cbe7c3
-
Filesize: 61KB
MD5: 9d355f89a89d7837a03716b1d45dc5cc
SHA1: 6affa5368018a5ad1ab4a68c512ed8db527dd3b4
SHA256: 167c8e0ac2c160c1eaf140e985efa3a8f809e49049e03ba3b50809d6139ca492
SHA512: 76009be1aca4aaf21ef0978d4cc3694a9ad50f1d4fabdcfb5313391aae3a5fc4ad4994f58ec77e54a879dd64c773417186f3f038f8cb7905a3607495c067a678
-
Filesize: 41KB
MD5: 10adbd3c3de885e0383a97626a71af34
SHA1: 392329c20383249c3632dba0e42fc017a62bc081
SHA256: c95bd95f1505e53eef32cf4581d20bc3c48621b1ccf876ee4bf7297f6581e58a
SHA512: e10cca89f19021a7d3b91090d3878b89b550e6587f9c255f67cfe19b171f438a23473cfaf20b4026c060b420fb7d812dcf4783864a124ce55c9b8d9676ad926b
-
Filesize: 1.3MB
MD5: bc21f4d77a75822b27c3d1a598e8e29e
SHA1: 4ca0afce4ee376041058e3791c10c2309ca7eddc
SHA256: 69af5d323506398ce6b7c1d7a776e7bc19aff52c3745865d4e8041f23deea668
SHA512: 0de597f55ff5ec22b4783e3d607c4d5b3a9f8cb1ebaa2fbb24da37da31d5d99404e92b34af13487bcf802729960ff3dbbf26e409a2c27b8d31324e43ac51317a
-
C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\qt\plugins\printsupport\windowsprintersupport.dll
Filesize: 71KB
MD5: bf10e0c48251234d831ffcd8cca82344
SHA1: 955d9cfa4e8dccff444a1f1ef505ccd41a75cd22
SHA256: 1a96c89fd3eb51bfc46d36b3ab4f46f070c30e9aa5f2a16a5d3c2984ea71d617
SHA512: 15d76a106a1630ac193a9429c7da666bf29816500fab0b029405bf414810d1a3def3f55cb3f09a3aefeeb9be299045958d1c219e4d60eb2b1f3d53911d6464b2
-
C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll
Filesize: 145KB
MD5: a8492f295b92be062e26542af4d516b7
SHA1: 2fef9e287ab6eaad60c5711f5e294cf83844399d
SHA256: 4c50353d5b4595c8702a069e4ffd9325c9c24999e95e4e68f09fe71fff0f6597
SHA512: 5667d0c94e9725a5254b32fa5235795127e78da6879e24c7024783a84259579213c1d2629230eaf43eda5adeb760982675167218508db24613dbd28776e4bf9a
-
Filesize: 1.1MB
MD5: 2040cdcd779bbebad36d36035c675d99
SHA1: 918bc19f55e656f6d6b1e4713604483eb997ea15
SHA256: 2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359
SHA512: 83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f
-
Filesize: 75KB
MD5: 8fdb26199d64ae926509f5606460f573
SHA1: 7d7d8849e7c77af3042a6f54bdf2bb303d7cd678
SHA256: f1fd5f6ec1cfe0cc3b66b5322ac97568bc63b19c1e415b99aad7c69ddbafa33c
SHA512: f56bf11d4259dbf5d4d1f9fc2ad60ff609cddb21278999e9fa55fe5d74552e8a01ddc55cfdc9bf4b09b3e3130a1356142a24a7db8ec5ea19344de617dc9fa99f
-
Filesize: 3KB
MD5: 034f37e6536c1430d55f64168b7e9f05
SHA1: dd08c0ef0d086dfbe59797990a74dab14fc850e2
SHA256: 183a140011774d955e9de189e7a1d53cb4128d6abed61c7bfd5994268ee5f384
SHA512: 0e1911c882152a4e1059a3ce1880d7fb2aed1e1e36cbd37055de2e2a1333acb2a0233ba2a4d969ccebbef1e77809aa5e78807aa9239545beae8c548c0f8f35c0
-
Filesize: 121KB
MD5: 2e743f3067fa75ff3bcad5baafafc8ea
SHA1: 57ab56038ca28fcf2ce3e519a1e8f858c8bcaaff
SHA256: 3927a21159fcd0049a376d60ed74449f3690d2ff95f432a3ba4b5738a478818f
SHA512: 39fd24d86055788ad287e0b0a39625e6b10c85619e385cc521a7a6e4cdbe3a09becd19eecf8c491c9eff1fee3b6c70ff21e4a3f8142a01da8d8f7324840948f6
-
Filesize: 433B
MD5: a9519168ca6299588edf9bd39c10828a
SHA1: 9f0635e39d50d15af39f5e2c52ad240a428b5636
SHA256: 9e87b2ff306efedf7bf1074749b4602c332bc825aed80721eba19d5f544d2ec3
SHA512: 0607eb1f5598320961fbd8ef75beeb1b6dc1af3cae7eeb5ba352f3e2a2edb25e1d9e68fb46c24e4299957352c0c906314c889c2d1092437eccc1d1a0485f3557
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OMPWCK99M99VXFNE9EXF.temp
Filesize: 8KB
MD5: d441203f5878a3fc9d8c34593f0f7813
SHA1: e0719b239d88110c800becef39633380ba4cfb34
SHA256: d9a1c08afae47f51cda671e1b64cbfdf4b8a589137ba36dad2565cd6f7f69803
SHA512: e6bb92c9ffc9ea3a0c321ef6317a382a331a64f6624c52a8e7a7a8e96c9283d8f43bf8b00f9d5339cf3ce888536488c041f3a898f92810f8ea9bb8ced6a1ee59
-
Filesize: 99KB
MD5: 273bd5d82655736c4452392841ab4e90
SHA1: f172408b3d70d7b188565151ba50a5438da0d19a
SHA256: c50163066783d9057accbc6d4d777e3aa7cfb0112a5ec042159b7558708dfd49
SHA512: 5878d3657ff3004be5e3c1a4b4cdb4ec4c46a710d94ed4859adcd9097dc2216c03c4d363f6652c0254642635f1f49ad77523ac5e4d5f74e1877e32c6aa1b23f5
-
Filesize: 208B
MD5: 70c5ed133a3a62a1d90b9b9bb92dcce8
SHA1: 01f4606b61d4a0bf2bada83253a7e3421cd1d984
SHA256: cafa4364f2f855ba9a90e4aa73521e2c240eb8c9b7bef0c26b9fc4d3bde52205
SHA512: d6e04930efab9c79b27163827f3a70631081c2af4addfc3db5605ab552b89d5865b351e070602b6bcd0a43bdf0b20819e6a1edeb182d797b8c8ea82fe17c1cc1
-
Filesize: 5KB
MD5: 3e398d35b4d70deb9a11723f87f16bba
SHA1: a9099d3335ff70f5207100a1849c1adde38fc8f5
SHA256: 3954b70096baef07ea9005eaabe7ce571d2752616ac093aacf8a4c71aaa49dc5
SHA512: 4b0912d97334d5e06259ceeac94e02c54ba4d2574f59921d5a7344f41e93e4e81cd168a315d050a4f481826f62d0e755822f461c8fc5dbd864f2a481e15b5d21
-
Filesize: 12KB
MD5: 76ad8bf279bac89f0599663026a51f7c
SHA1: 69fcebfd94e71b0a1e835dae3568998c8d065887
SHA256: 02e35d84d642896469cc98c67855c933bcad3be1606bbde8245d823e440bde8a
SHA512: fea8d111ca51d99d8bdaf2532bbdba0188e982cd93fc4fed1351315280bd46e1cf8b459d1b5c010b7fd26bb185a0418ceb29aae5925b03c021eda94b512fa73c
-
Filesize: 12KB
MD5: 67cf06f0ba5cc0c1c61fa1186cd74dc9
SHA1: 7e65178bb7bc25648c1e2a878c9125a77cb2e1ac
SHA256: 1c33bff5e914871d7b878f9b87f9e954a21b9d2928e0f043f86bec1da3642bc7
SHA512: 4d5633c68d877822217f0c8905ca47d699957f1c3ddea4beda90f99cecc008efc5d1479174323df6b6a5b5c97b253de60cf5d8daa10e92cb5976320e315d618c
-
Filesize: 31KB
MD5: 72b05f245adb276b0f3d0d33538746b0
SHA1: 4004a460f423c7e82b1e9fec8c65c08add01e6b1
SHA256: 40574347d79c88e7aa5cd7d0395da34308de4f6a4dfc77c1c7284044dbdea2b4
SHA512: f37e1e33fee32718485e0691632531729ac664a493aca8075af2d343ff5d202b80569dd1147cc9f2ed5759f8ef8f97cd32e127e5fdba9047d5be5432e5c3b911
-
Filesize: 50KB
MD5: ce4033c39c486996f0027a298d1cb7c1
SHA1: 0cef1d7e017e85103ebc8425f1d88ee7f5a93ea0
SHA256: 643db8a9793128c212c42a07e06d3f6d112c7f18079b60ec4d75ee51357f52ab
SHA512: 10f38442420513641850744a4274ea63ba44d85559ffbe40259408f78c298e6e5e57496f3ae15db09967c0ed1357a11c3ea8ebdf56e492d84c0ae723fce7b3df
-
Filesize: 59KB
MD5: 4e9ed521a91269d67115addf1a648d12
SHA1: 2be37c06d38a2786e3711f54e4cdd8f03fe7d63a
SHA256: a71a5494aa56f0f81dfc2734f4e78ec815e08eee5c60c0e196515651f95654a6
SHA512: aa425370ab62b4df13d9471b507ca1adef7c52a73ea03d6850a3e8a56399d1ad6d5022059969d6ce1e91de9971ac41bc1ff3edd079dd1456844a5ac8c5f362a9