Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
31/10/2024, 14:48
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe
-
Size
5.5MB
-
MD5
8827b26b1deb9ef9ede4fd262e8d7739
-
SHA1
1afa3fb51f00f7912fc2d9b3b1466dbc70087e07
-
SHA256
36b263ca84d8e15aa27c73f74bb99ffbc06fdefabc467c8a00d4eb195adbd6af
-
SHA512
21a4305f3dd462831da894f602c0d2fdbd4c1d45f6127009d39e18b5c7f37692592786fdbf467c597ee2ba9ff40db9e122a8f4a6fec4e1c4d673abee2561dc88
-
SSDEEP
98304:prI1lEAOYB6RJ2dqW8LZJc+ZQSAA4zJOi6f4s9w0dGzB/FK:KXGULEFrcPJzAxf4+FGV4
Malware Config
Signatures
-
Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe File opened for modification \??\PhysicalDrive0 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe File opened for modification \??\PhysicalDrive0 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe File opened for modification \??\PhysicalDrive0 ksomisc.exe -
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation ksomisc.exe Key value queried \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation ksomisc.exe Key value queried \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation ksomisc.exe Key value queried \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation ksomisc.exe Key value queried \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation ksomisc.exe Key value queried \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation ksomisc.exe Key value queried \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe Key value queried \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation ksomisc.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\ 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe -
Executes dropped EXE 42 IoCs
pid Process 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 1684 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 3012 ksomisc.exe 2388 ksomisc.exe 2796 ksomisc.exe 2852 wpscloudsvr.exe 3004 ksomisc.exe 688 ksomisc.exe 1392 ksomisc.exe 1940 ksomisc.exe 2252 ksomisc.exe 2640 ksomisc.exe 2844 ksomisc.exe 1752 ksomisc.exe 2660 ksomisc.exe 1816 ksomisc.exe 3012 ksomisc.exe 2624 ksomisc.exe 2852 ksomisc.exe 2692 ksomisc.exe 2768 wps.exe 1668 wps.exe 2540 wps.exe 2480 ksomisc.exe 2492 ksomisc.exe 2308 ksomisc.exe 464 ksomisc.exe 2104 ksomisc.exe 1700 ksomisc.exe 2804 ksomisc.exe 3052 ksomisc.exe 268 wpsupdate.exe 2320 wpscloudsvr.exe 2096 wpsupdate.exe 328 wpscloudsvr.exe 308 ksomisc.exe 764 ksomisc.exe 2800 ksomisc.exe 2336 ksomisc.exe 2892 ksomisc.exe 1608 ksomisc.exe 2596 ksomisc.exe -
Loads dropped DLL 64 IoCs
pid Process 1576 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe 1576 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe 1576 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 1684 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe -
Modifies system executable filetype association 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext\ = "{28A80003-18FD-411D-B0A3-3C81F618E22B}" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\lnkfile\ShellEx regsvr32.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wpscloudsvr.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 49 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wps.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wps.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wpsupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wps.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wpscloudsvr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wpscloudsvr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wpscloudsvr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wpsupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ksomisc.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4} ksomisc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" ksomisc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{E436987E-F427-4AD7-8738-6D0895A3E93F}" ksomisc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4} ksomisc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" ksomisc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{AB5357A7-3179-47F9-A705-966B8B936D5E}" ksomisc.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe Key created \REGISTRY\USER\S-1-5-20 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{7759D313-9C91-46E3-BF38-3B6E68E0B1C9}\TypeLib\Version = "1.0" ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\CLSID\{44720444-94BF-4940-926D-4F38FECF2A48}\Verb\ ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{0002445A-0000-0000-C000-000000000046}\ = "AutoRecover" ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\SystemFileAssociations\.xls ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{2503B6EE-0889-44DF-B920-6D6F9659DEA3}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}" ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{0002097C-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{00020915-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}" ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{5E9A888C-E5DC-4DCB-8308-3C91FB61E6F4}\TypeLib ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{00020953-0000-0000-C000-000000000046}\ProxyStubClsid32 ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{00020954-0000-0000-C000-000000000046}\ProxyStubClsid32 ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{E598E358-2852-42D4-8775-160BD91B7244}\ProxyStubClsid32 ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{92D41A65-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "3.0" ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{0002092D-0000-0000-C000-000000000046}\TypeLib ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{000C0399-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}" ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{00024471-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{00024413-0000-0000-C000-000000000046}\ = "AppEvents" ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{00024496-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Word.RTF.8\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.18607\\office6\\wpsofficeicon.dll,11" ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{55F88890-7708-11D1-ACEB-006008961DA5}\ProxyStubClsid32 ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{914934E8-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{44720440-94BF-4940-926D-4F38FECF2A48}" ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{00020852-0000-0000-C000-000000000046}\ProxyStubClsid32 ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{0002086D-0000-0000-C000-000000000046}\TypeLib ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{000C0391-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{914934E5-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{92D41A61-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "DataLabel" ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{000208BA-0000-0000-C000-000000000046} ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{0002446F-0000-0000-C000-000000000046}\ = "Diagram" ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{000C032E-0000-0000-C000-000000000046} ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{000C0332-0000-0000-C000-000000000046}\TypeLib ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{000C03D6-0000-0000-C000-000000000046}\ProxyStubClsid32 ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{B9F1A4E2-0D0A-43B7-8495-139E7ACBD840}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}" ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{B65AD801-ABAF-11D0-BB8B-00A0C90F2744}\ProxyStubClsid32 ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{000209C5-0000-0000-C000-000000000046}\TypeLib ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{91493498-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "3.0" ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{EEE00915-E393-11D1-BB03-00C04FB6C4A6}\TypeLib\Version = "5.3" ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{00024491-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}" ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{000C0356-0000-0000-C000-000000000046}\ProxyStubClsid32 ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{00020981-0000-0000-C000-000000000046}\ProxyStubClsid32 ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{91493482-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "3.0" ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{000244C7-0000-0000-C000-000000000046}\ProxyStubClsid32 ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\TypeLib\{A537E638-AB2A-4308-A502-2EFF280C6E98}\1.0\FLAGS ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{00020918-0000-0000-C000-000000000046}\TypeLib ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{000244C6-0000-0000-C000-000000000046}\ProxyStubClsid32 ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{00024464-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{0002441D-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{000244DB-0000-0000-C000-000000000046}\ProxyStubClsid32 ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{00020858-0000-0000-C000-000000000046}\ProxyStubClsid32 ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{0002445A-0000-0000-C000-000000000046}\ProxyStubClsid32 ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{92D41A56-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\KET.Template\CurVer\ = "KET.Template.9" ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{000244D3-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{000244AB-0000-0000-C000-000000000046} ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{000C0371-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{000244E8-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}" ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{4265ED97-A922-4CA4-8CD8-99684CCA9CDB}\ProxyStubClsid32 ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{91493475-5A91-11CF-8700-00AA0060263B}\ = "Shapes" ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{91493494-5A91-11CF-8700-00AA0060263B}\TypeLib ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{914934F0-5A91-11CF-8700-00AA0060263B}\ = "FilterEffect" ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{000208C3-0000-0000-C000-000000000046}\TypeLib ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\ET.AddInMacroEnabled ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{000C035A-0000-0000-C000-000000000046}\TypeLib ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{F743EDD0-9B97-4B09-89CC-77BE19B51481}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}" ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{00020875-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{0002446C-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}" ksomisc.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs ksomisc.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 wpsupdate.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs ksomisc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 wpsupdate.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 wpsupdate.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 wpsupdate.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices ksomisc.exe -
Suspicious behavior: AddClipboardFormatListener 35 IoCs
pid Process 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 3012 ksomisc.exe 2388 ksomisc.exe 2796 ksomisc.exe 3004 ksomisc.exe 688 ksomisc.exe 1392 ksomisc.exe 1940 ksomisc.exe 2252 ksomisc.exe 2640 ksomisc.exe 2844 ksomisc.exe 1752 ksomisc.exe 2660 ksomisc.exe 1816 ksomisc.exe 3012 ksomisc.exe 2624 ksomisc.exe 2852 ksomisc.exe 2692 ksomisc.exe 2480 ksomisc.exe 2492 ksomisc.exe 2308 ksomisc.exe 464 ksomisc.exe 2104 ksomisc.exe 1700 ksomisc.exe 2804 ksomisc.exe 3052 ksomisc.exe 268 wpsupdate.exe 2096 wpsupdate.exe 308 ksomisc.exe 764 ksomisc.exe 2800 ksomisc.exe 2336 ksomisc.exe 2892 ksomisc.exe 1608 ksomisc.exe 2596 ksomisc.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1576 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 1684 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 1684 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 1684 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 2388 ksomisc.exe 2388 ksomisc.exe 2388 ksomisc.exe 2388 ksomisc.exe 2796 ksomisc.exe 2796 ksomisc.exe 2796 ksomisc.exe 2796 ksomisc.exe 2852 wpscloudsvr.exe 3004 ksomisc.exe 3004 ksomisc.exe 3004 ksomisc.exe 3004 ksomisc.exe 688 ksomisc.exe 688 ksomisc.exe 688 ksomisc.exe 688 ksomisc.exe 688 ksomisc.exe 688 ksomisc.exe 688 ksomisc.exe 688 ksomisc.exe 688 ksomisc.exe 688 ksomisc.exe 688 ksomisc.exe 688 ksomisc.exe 688 ksomisc.exe 688 ksomisc.exe 688 ksomisc.exe 688 ksomisc.exe 688 ksomisc.exe 688 ksomisc.exe 688 ksomisc.exe 688 ksomisc.exe 688 ksomisc.exe 688 ksomisc.exe 688 ksomisc.exe 688 ksomisc.exe 688 ksomisc.exe 688 ksomisc.exe 688 ksomisc.exe 1392 ksomisc.exe 1392 ksomisc.exe 1392 ksomisc.exe 1392 ksomisc.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe Token: SeRestorePrivilege 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe Token: SeRestorePrivilege 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe Token: SeRestorePrivilege 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe Token: SeRestorePrivilege 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe Token: SeDebugPrivilege 3012 ksomisc.exe Token: SeLockMemoryPrivilege 3012 ksomisc.exe Token: SeDebugPrivilege 2388 ksomisc.exe Token: SeLockMemoryPrivilege 2388 ksomisc.exe Token: SeDebugPrivilege 2796 ksomisc.exe Token: SeLockMemoryPrivilege 2796 ksomisc.exe Token: SeDebugPrivilege 3004 ksomisc.exe Token: SeLockMemoryPrivilege 3004 ksomisc.exe Token: SeDebugPrivilege 688 ksomisc.exe Token: SeLockMemoryPrivilege 688 ksomisc.exe Token: SeDebugPrivilege 1392 ksomisc.exe Token: SeLockMemoryPrivilege 1392 ksomisc.exe Token: SeDebugPrivilege 1940 ksomisc.exe Token: SeLockMemoryPrivilege 1940 ksomisc.exe Token: SeDebugPrivilege 2252 ksomisc.exe Token: SeLockMemoryPrivilege 2252 ksomisc.exe Token: SeDebugPrivilege 2640 ksomisc.exe Token: SeLockMemoryPrivilege 2640 ksomisc.exe Token: SeDebugPrivilege 2844 ksomisc.exe Token: SeLockMemoryPrivilege 2844 ksomisc.exe Token: SeDebugPrivilege 1752 ksomisc.exe Token: SeLockMemoryPrivilege 1752 ksomisc.exe Token: SeDebugPrivilege 2660 ksomisc.exe Token: SeLockMemoryPrivilege 2660 ksomisc.exe Token: SeDebugPrivilege 1816 ksomisc.exe Token: SeLockMemoryPrivilege 1816 ksomisc.exe Token: SeDebugPrivilege 3012 ksomisc.exe Token: SeLockMemoryPrivilege 3012 ksomisc.exe Token: SeDebugPrivilege 2624 ksomisc.exe Token: SeLockMemoryPrivilege 2624 ksomisc.exe Token: SeDebugPrivilege 2852 ksomisc.exe Token: SeLockMemoryPrivilege 2852 ksomisc.exe Token: SeDebugPrivilege 2692 ksomisc.exe Token: SeLockMemoryPrivilege 2692 ksomisc.exe Token: SeDebugPrivilege 2480 ksomisc.exe Token: SeLockMemoryPrivilege 2480 ksomisc.exe Token: SeDebugPrivilege 2492 ksomisc.exe Token: SeLockMemoryPrivilege 2492 ksomisc.exe Token: SeDebugPrivilege 2308 ksomisc.exe Token: SeLockMemoryPrivilege 2308 ksomisc.exe Token: SeDebugPrivilege 464 ksomisc.exe Token: SeLockMemoryPrivilege 464 ksomisc.exe Token: SeDebugPrivilege 2104 ksomisc.exe Token: SeLockMemoryPrivilege 2104 ksomisc.exe Token: SeDebugPrivilege 1700 ksomisc.exe Token: SeLockMemoryPrivilege 1700 ksomisc.exe Token: SeDebugPrivilege 2804 ksomisc.exe Token: SeLockMemoryPrivilege 2804 ksomisc.exe Token: SeDebugPrivilege 3052 ksomisc.exe Token: SeLockMemoryPrivilege 3052 ksomisc.exe Token: SeLockMemoryPrivilege 268 wpsupdate.exe Token: SeLockMemoryPrivilege 2096 wpsupdate.exe Token: SeDebugPrivilege 308 ksomisc.exe Token: SeLockMemoryPrivilege 308 ksomisc.exe Token: SeDebugPrivilege 764 ksomisc.exe Token: SeLockMemoryPrivilege 764 ksomisc.exe Token: SeDebugPrivilege 2800 ksomisc.exe Token: SeLockMemoryPrivilege 2800 ksomisc.exe Token: SeDebugPrivilege 2336 ksomisc.exe -
Suspicious use of FindShellTrayWindow 10 IoCs
pid Process 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 1576 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe 1576 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe 1576 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe 1576 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe 1576 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe 1576 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe 1576 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe 1576 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe 1576 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 3012 ksomisc.exe 3012 ksomisc.exe 2388 ksomisc.exe 2388 ksomisc.exe 2388 ksomisc.exe 2388 ksomisc.exe 2796 ksomisc.exe 2796 ksomisc.exe 2796 ksomisc.exe 2796 ksomisc.exe 3004 ksomisc.exe 3004 ksomisc.exe 688 ksomisc.exe 688 ksomisc.exe 1392 ksomisc.exe 1392 ksomisc.exe 1940 ksomisc.exe 1940 ksomisc.exe 2252 ksomisc.exe 2252 ksomisc.exe 2640 ksomisc.exe 2640 ksomisc.exe 2844 ksomisc.exe 2844 ksomisc.exe 1752 ksomisc.exe 1752 ksomisc.exe 2660 ksomisc.exe 2660 ksomisc.exe 1816 ksomisc.exe 1816 ksomisc.exe 3012 ksomisc.exe 3012 ksomisc.exe 2624 ksomisc.exe 2624 ksomisc.exe 2852 ksomisc.exe 2852 ksomisc.exe 2692 ksomisc.exe 2692 ksomisc.exe 2480 ksomisc.exe 2480 ksomisc.exe 2492 ksomisc.exe 2492 ksomisc.exe 2308 ksomisc.exe 2308 ksomisc.exe 464 ksomisc.exe 464 ksomisc.exe 2104 ksomisc.exe 2104 ksomisc.exe 1700 ksomisc.exe 1700 ksomisc.exe 2804 ksomisc.exe 2804 ksomisc.exe 3052 ksomisc.exe 3052 ksomisc.exe 268 wpsupdate.exe 268 wpsupdate.exe 2096 wpsupdate.exe 2096 wpsupdate.exe 308 ksomisc.exe 308 ksomisc.exe 764 ksomisc.exe 764 ksomisc.exe 2800 ksomisc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1576 wrote to memory of 2920 1576 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe 31 PID 1576 wrote to memory of 2920 1576 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe 31 PID 1576 wrote to memory of 2920 1576 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe 31 PID 1576 wrote to memory of 2920 1576 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe 31 PID 1576 wrote to memory of 2920 1576 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe 31 PID 1576 wrote to memory of 2920 1576 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe 31 PID 1576 wrote to memory of 2920 1576 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe 31 PID 1684 wrote to memory of 3012 1684 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 33 PID 1684 wrote to memory of 3012 1684 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 33 PID 1684 wrote to memory of 3012 1684 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 33 PID 1684 wrote to memory of 3012 1684 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 33 PID 1684 wrote to memory of 2388 1684 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 35 PID 1684 wrote to memory of 2388 1684 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 35 PID 1684 wrote to memory of 2388 1684 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 35 PID 1684 wrote to memory of 2388 1684 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 35 PID 1684 wrote to memory of 2796 1684 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 36 PID 1684 wrote to memory of 2796 1684 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 36 PID 1684 wrote to memory of 2796 1684 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 36 PID 1684 wrote to memory of 2796 1684 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 36 PID 2920 wrote to memory of 2852 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 37 PID 2920 wrote to memory of 2852 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 37 PID 2920 wrote to memory of 2852 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 37 PID 2920 wrote to memory of 2852 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 37 PID 1684 wrote to memory of 3004 1684 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 38 PID 1684 wrote to memory of 3004 1684 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 38 PID 1684 wrote to memory of 3004 1684 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 38 PID 1684 wrote to memory of 3004 1684 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 38 PID 1684 wrote to memory of 688 1684 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 39 PID 1684 wrote to memory of 688 1684 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 39 PID 1684 wrote to memory of 688 1684 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 39 PID 1684 wrote to memory of 688 1684 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 39 PID 688 wrote to memory of 404 688 ksomisc.exe 40 PID 688 wrote to memory of 404 688 ksomisc.exe 40 PID 688 wrote to memory of 404 688 ksomisc.exe 40 PID 688 wrote to memory of 404 688 ksomisc.exe 40 PID 688 wrote to memory of 404 688 ksomisc.exe 40 PID 688 wrote to memory of 404 688 ksomisc.exe 40 PID 688 wrote to memory of 404 688 ksomisc.exe 40 PID 688 wrote to memory of 1080 688 ksomisc.exe 41 PID 688 wrote to memory of 1080 688 ksomisc.exe 41 PID 688 wrote to memory of 1080 688 ksomisc.exe 41 PID 688 wrote to memory of 1080 688 ksomisc.exe 41 PID 688 wrote to memory of 1080 688 ksomisc.exe 41 PID 688 wrote to memory of 1080 688 ksomisc.exe 41 PID 688 wrote to memory of 1080 688 ksomisc.exe 41 PID 1080 wrote to memory of 996 1080 regsvr32.exe 42 PID 1080 wrote to memory of 996 1080 regsvr32.exe 42 PID 1080 wrote to memory of 996 1080 regsvr32.exe 42 PID 1080 wrote to memory of 996 1080 regsvr32.exe 42 PID 1080 wrote to memory of 996 1080 regsvr32.exe 42 PID 1080 wrote to memory of 996 1080 regsvr32.exe 42 PID 1080 wrote to memory of 996 1080 regsvr32.exe 42 PID 2920 wrote to memory of 1392 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 43 PID 2920 wrote to memory of 1392 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 43 PID 2920 wrote to memory of 1392 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 43 PID 2920 wrote to memory of 1392 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 43 PID 2920 wrote to memory of 1940 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 44 PID 2920 wrote to memory of 1940 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 44 PID 2920 wrote to memory of 1940 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 44 PID 2920 wrote to memory of 1940 2920 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 44 PID 1684 wrote to memory of 2252 1684 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 45 PID 1684 wrote to memory of 2252 1684 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 45 PID 1684 wrote to memory of 2252 1684 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 45 PID 1684 wrote to memory of 2252 1684 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe"1⤵
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exeC:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -curlangofinstalledproduct=en_US -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps -enableSetupMuiPkg -appdata="C:\Users\Admin\AppData\Roaming"2⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2852
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regmtfont3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1392
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -setappcap3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1940
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -assoepub -source=13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2804
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -registerqingshellext 13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3052
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\html2pdf\html2pdf.dll"3⤵
- System Location Discovery: System Language Discovery
PID:2540
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regmso2pdfplugins3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:308 -
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins.dll"4⤵
- System Location Discovery: System Language Discovery
PID:2628
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"4⤵
- System Location Discovery: System Language Discovery
PID:2356 -
C:\Windows\system32\regsvr32.exe/s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"5⤵PID:2172
-
-
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regPreviewHandler3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:764
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -assopic_setup3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2800
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -defragment3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
PID:2596
-
-
-
C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe"C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe" -downpower -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -curlangofinstalledproduct="en_US" -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -enableSetupMuiPkg="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -appdata="C:\Users\Admin\AppData\Roaming" -msgwndname=wpssetup_message_F773A62 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~f7737d2\1⤵
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setlng en_US2⤵
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3012
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -getonlineparam 00500.00002079 -forceperusermode2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2388
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -getabtest -forceperusermode2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2796
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setservers2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3004
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -register2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:688 -
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins.dll"3⤵
- System Location Discovery: System Language Discovery
PID:404
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\system32\regsvr32.exe/s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"4⤵PID:996
-
-
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -assoword2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2252
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -assoexcel2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2640
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -assopowerpnt2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2844
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -compatiblemso -source=12⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1752
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -checkcompatiblemso2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2660
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -saveas_mso2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1816
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -distsrc 00500.000020792⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3012
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -sendinstalldyn 52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2624
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2852
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -externaltask create -forceperusermode2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2692 -
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2768 -
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" CheckService4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1668
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.18607/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=2768 /prv4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2540
-
-
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink startmenu prometheus2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2480
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink startmenu pdf2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2492
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink desktop pdf2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2308
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink desktop prometheus2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:464
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createCustomDestList2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2104
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kwpsmenushellext64.dll"2⤵
- System Location Discovery: System Language Discovery
PID:608 -
C:\Windows\system32\regsvr32.exe/s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kwpsmenushellext64.dll"3⤵
- Modifies system executable filetype association
PID:2076
-
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setup_assopdf -source=12⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1700
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe" /from:setup2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:268 -
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2320
-
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe" -createtask2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2096 -
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:328
-
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createexternstartmenu "WPS Office"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:2336
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -rebuildicon2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
PID:2892
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -reportAssoInfo -forceperusermode2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
PID:1608
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Defense Evasion
Modify Registry
3Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD5f250f6f6db34808e67bc3a603312f93d
SHA19de21d268b014fd8e042699372c48696b4e824f9
SHA256d81d04cf294985d535a25d8d1797a3f65155b0b3cbc5095922cfe122354066bc
SHA512ae354243032cb28fdbca69fdbffabb677e4a5f96e957b56377a1381605d8de1fccbaa8db183c375932aee9130fe8b0e5de9c581d4cf9cf3aee19b3e1f43d1839
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kodfconverthelper_xa\mui\pt_BR\kodfconverthelper.qm
Filesize334B
MD52b42be10ddde43a0b6c2e461beae293a
SHA153888c4798bc04fdfc5a266587b8dc1c4e0103f3
SHA256984ebeef80f6f50907afb92e5b5ae72df49fce045552c118a77a8887cc98e19b
SHA512be3ebd02d37de367200696351fb5f9cd0ec4c206c3a33f281cb8b62386457a30a899322798c63a0d495577393e47258994feb7f8e2445645f552c2b7a2de6778
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\pt_PT\history.js
Filesize198KB
MD5b4b4c703bf5c6c0b5e9c57f05012d234
SHA1929aee49e800e88b4b01f4a449fa86715d882e42
SHA256910eada285d4900ea8e36faf305f731cfb200b317ea866839f5f4864a9dfc09b
SHA5122afa881ee2f47e97249904b506cf88d68a34c166d9dc0a603f68369e640336f2c0b424ecb7b23d4631a96e175b965478bfa4ebc0224b0410551e55ac4c8ad0ec
-
Filesize
434B
MD5e6c8b146640faf4ce794d6acef69ae92
SHA17545235bc328a49b1304b8c6ee5663d43a53cf0f
SHA256cc8027d21cf0750014fdcd5660349999c6a17db4d0449ba81ced2c04269ef6ba
SHA512f13246c250235672fb76f1f41484e81865ede4de8f1a8d8476506b865d5a647a252f9a8fb7bd4c5561710f2f3a98291cbd22aee49c0025c77677774b32068853
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\mui\ja_JP\resource\splash\hdpi\2x\ent_background_2019_wpsoffice.png
Filesize236KB
MD5c5ad1903526a9ca4c2f55cfea1e22778
SHA19c7b9ba9100a919cad272fb85ff95c4cde45de9f
SHA2565e7ba996d2331f37b9799767c0fa806cab9a39fea434796ab08dcaf39096e334
SHA512e482142e81fbe71666b40f7a2c53702b4278436a0240e0f56200443cf4235d9942cccc3545cc01486d53a0972be553cbf93442e8b05de7b4fcd1fe8a4ec16bb4
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\qt\plugins\platforms\qdirect2d.dll
Filesize1.4MB
MD5bd5884a7c9cc473a229b953154a52c52
SHA128bfe5cc3a0e162a1b3a4bd19896c2ccfe2846da
SHA256d3a8df4594ccdf7d7c27cb06b7a04bc929675cf184193d9ef8a50cddf07978bb
SHA5125c47db9249d6568d37f82410a7009a8a92c2f5b1509d7545b4d3ebb21d9d9718a3eb392c4a1ecbf4a4e0e594e0c593df2ac0589288d846c0a7e485b85902a0df
-
Filesize
904KB
MD593319d7add53c7c8c364012d5b61f3c6
SHA1b78f3c6e393b029a1596ad4c9671e2ec9c9a4f39
SHA2569d053f657250bc0705d84644a3d05eb9d008f75a52d360b772140eea5e271c66
SHA512f2b638483bc29c6a766041c434b79a574f34e1ddcd3cc2b5ac6bf4f970a74af919f531fd1868e0ac28dcc1eeb88646f9ee428d6f916a1beacf174e11e08f2361
-
Filesize
499B
MD5183330feb3b9701fec096dcbfd8e67e4
SHA12f43379fefa868319a2baae7998cc62dc2fc201d
SHA256ac4f26a184114522200169c5f57a0af4498a20d19b7ec6def14dd2c6413eb475
SHA512643cc197456f15da6ddd6eb904f2b25ad4236a24310d575958c0c8e457a33167e748d21184162502a295fa466c031a837511d4d5348fd67499ede1b60065c471
-
Filesize
675B
MD57b8a651d886d78faece08f2904580dc1
SHA1b264aa3a1a9ad33ef07e86f42b9b2d15548773fa
SHA2565d04fe10796cbbe7aad864bf970305edf0b9082578322513b815fb667ca9b00d
SHA512ec438b640f528323504dfde42c593e563421772eb06f3e761dd3f1024077a69e7aeac9560680c215ab3d7d6af5b79d8930a8dc6cdfcf404995cebc8560b67fc6
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
2KB
MD5e10b1d3c17333f65ef45b8e19e0117d4
SHA1b5679f85070b9df6be4df7f841579f1eb9c8453e
SHA256f175eb858260f5ecb93a7c2f235f078ceab429ec5069306c842aa1dcf07e56b5
SHA51282c3a3ef029a9193e010ac9ad161c3fdedcfe247bcc0a0f06972137fd2f202bd768c515f667f3d9ea549dd9dc9096e2ea4bef6f608adc7bffccc9b28dc5e5770
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
1.2MB
MD556d017aef6a7c74cd136f2390b8ea6d3
SHA146cc837c64abe4e757e66a24ece56e3f975e9ef6
SHA256900da3e0ea1b4f94773689b41d3f00b28b0fad0f6390da3aec3a9f84a3f85920
SHA5127b5573461693c6125df7ff9040afb6f4fa818a68add9073071a3317767216dd9a6cf25704f3189f3923ead36751fa830e9899eb79f9b6cad3be405262bf53f49
-
Filesize
8KB
MD51a59aa4f478d8725dcf575f481946c69
SHA1651aa42b7fbb7bcda13a903bfaef7c6b6046a24d
SHA25652a390608b1d0dcfb2931d61a334f103aabdf3ea7651b52c96aca40fd1c1fc0b
SHA5121afeeba858d0a46daa43fc52dcce711d510268f839d91152f8b7aae0c4e69652b8066ffdafde2bd4a430bf75446471bc730ce1e6d42ca04c990091f68dc1ea77
-
C:\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\qt\plugins\printsupport\windowsprintersupport.dll
Filesize71KB
MD5bf10e0c48251234d831ffcd8cca82344
SHA1955d9cfa4e8dccff444a1f1ef505ccd41a75cd22
SHA2561a96c89fd3eb51bfc46d36b3ab4f46f070c30e9aa5f2a16a5d3c2984ea71d617
SHA51215d76a106a1630ac193a9429c7da666bf29816500fab0b029405bf414810d1a3def3f55cb3f09a3aefeeb9be299045958d1c219e4d60eb2b1f3d53911d6464b2
-
Filesize
3KB
MD5034f37e6536c1430d55f64168b7e9f05
SHA1dd08c0ef0d086dfbe59797990a74dab14fc850e2
SHA256183a140011774d955e9de189e7a1d53cb4128d6abed61c7bfd5994268ee5f384
SHA5120e1911c882152a4e1059a3ce1880d7fb2aed1e1e36cbd37055de2e2a1333acb2a0233ba2a4d969ccebbef1e77809aa5e78807aa9239545beae8c548c0f8f35c0
-
Filesize
121KB
MD52e743f3067fa75ff3bcad5baafafc8ea
SHA157ab56038ca28fcf2ce3e519a1e8f858c8bcaaff
SHA2563927a21159fcd0049a376d60ed74449f3690d2ff95f432a3ba4b5738a478818f
SHA51239fd24d86055788ad287e0b0a39625e6b10c85619e385cc521a7a6e4cdbe3a09becd19eecf8c491c9eff1fee3b6c70ff21e4a3f8142a01da8d8f7324840948f6
-
Filesize
387B
MD5c38481658f9149eba0b9b8fcbcb16708
SHA1f16a40af74c0a04a331f7833251e3958d033d4da
SHA256d0d73f49bc21b62fe05c47024d69406a3227da0f6b4ffe237726e6a031f188d2
SHA5128f98d62f88442b8ef94aa10074e35aa8d9494f3c76ce8b143ca0bf7fa0d917f3175212fbcd6e7b0597fd0ec0e1b2827f157135512fb01c88218d36e2f7dd73ce
-
Filesize
433B
MD5a9519168ca6299588edf9bd39c10828a
SHA19f0635e39d50d15af39f5e2c52ad240a428b5636
SHA2569e87b2ff306efedf7bf1074749b4602c332bc825aed80721eba19d5f544d2ec3
SHA5120607eb1f5598320961fbd8ef75beeb1b6dc1af3cae7eeb5ba352f3e2a2edb25e1d9e68fb46c24e4299957352c0c906314c889c2d1092437eccc1d1a0485f3557
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3Y2Q0MJ9DL9TVFPKJADR.temp
Filesize8KB
MD553bc32e255087d6d5252e0800930957a
SHA1aa3958f4791e3fd61a16a77060e8d89e6fdbc90e
SHA256f2c7f92710dc6492c360b48e2dc34dce47daab6992a236855fd9f7d4a01c9006
SHA512477007f558d359d5aefebb80fba968793cf65f8651432802dff022e238fc4221f6a1146c927a7b991a9218967059f08b006599131a3f830195f10c1860a47dbd
-
Filesize
98KB
MD5da920134e389419ded63add1e42380b5
SHA17d7758aa8d58812579abae5a14440213e224b40f
SHA25607eb063ab0b88d2acc639d9af81c5b546f1e274f05828ed34fea7e284fca897d
SHA512c07e8d452a5fc91ccc1164543b532ccd14ded5e61c47e36714d59dd4c9094ec00e5dd38dca70c65cd1e70e514f1779b4d45222f8530629e889cf6e0bca7d0504
-
Filesize
208B
MD5616babe83a3c3d1c9aa5f15b788b3856
SHA1d8556c51bf660f98ab4fbd37ad6c7e519ca43099
SHA2568f8ad7559303db41e4a43a918d12164c15a764b74951219c5629e097bf9bca5d
SHA512c661d8e9d881af0febb7b0fa2c791b04778572ee56608f519df6d3bb1b7939e046915eb6207351912230bd20ada8331b571b7a13a9545bb620b5fc58568f5d60
-
Filesize
5KB
MD5b76f26e22c9d76970240520f6958c999
SHA1863f729cd00c96e5cce3c9db7b8558b98ac60269
SHA25630fdb2ca45e2ef3c91a4f3b11be2b18d2c184b264d016f3ab08ac9c869ddf260
SHA5121dd4f9cf0b9814e2cc269f51e7fe2ee5c20e3f4880d16c76e422280c2d1260d8db181740fe78a76a3eee50ecc1050ae681f64e7d17ee702ea25718519ae5da60
-
Filesize
12KB
MD527a5052026ed4f87cc17d522fea07168
SHA1a34b2dbbc1158c27146c93c647b7e681abc102a4
SHA256fc4b07a7cc30dd966ea18e0253e7aeacc9a466ce6780302d44b9bce00c576eab
SHA512868d98ea3ea0be8cc620e02ba1913534582bd6ce5a11cb12fc5d03e7dda909da9dbb47e4c0ba6a9865539c3663c2611cea668bb2a76d195a66e5fc1cd68c05af
-
Filesize
13KB
MD5195f6882904dbcc63f8318f1c9f56b35
SHA1302564040bde06aaeb48593677c6e35e33c902d3
SHA256728e8db48feed4d9b5b913a9494f009820b5a6ed514844f8318f49bb4c980da2
SHA512b8719b1dc85ef948f1ffbafb5db6f7b3128e1416a5390cae049e87c8c3a0d30f09bd21c224697a21f529a79460d0494bb3eb03dcad6d297baa3e7f0f9bf8b2ff
-
Filesize
31KB
MD57a096cd99096baaf15106cca4a14352f
SHA1fea7d6139b699e1228f9e8fe5f902fe72d037532
SHA256ed98d7cc944766b7c1a08df2e07708cddb916c6ce1cb2b22a41ca53204143030
SHA512e1bd016ec35e77c206b53cd87cc2198f512ed7376982d36e3daac01314a0e4cc6f8d50a9e6ccf2c139b7bb676e694ca9579065598152a3898fa9a32f62c0a1b1
-
Filesize
59KB
MD5dd14b82ad87c6793abf3876df5814eb5
SHA19cbc5b7f414e1699572f764330c3b7b2deb6d6b0
SHA25698f61d7d87384dca2b92cc5972d2431c8a075f49594ff4eff580490b6ba043b4
SHA51239e606dc1bbc669295b081fdbe634e3794a68951fa359e505d11ff0e53ee212bf9bf57182ea73fe78ba5cca413b4a1ce80abd3052ffb650a17fdd827425452e5
-
Filesize
50KB
MD5bde7f5d36e93c70d7be3463701de39e7
SHA1cbaf07b3fb02d2e4334dd146d05c1b05ed8078bc
SHA256b11a28c10011d026c785d400436c1849c97d20466c544d7b375a11edbb01dd31
SHA512214f8b3f2f5a57c506f6f66d546f38df895976b825c19bb1303c4816426a9461d5a84cab299c0f12c6d55146e07e15ca8cfb23d50711c767892404834f737681
-
Filesize
1KB
MD53bebec1b0c229badd1011498639eb038
SHA116febd26dff3686589dbf7881d95cd478bbe6c99
SHA256db595c3f90958094a4e0aef9e3c6c48f5af56c8f3db58207c7943b5c59cb8f29
SHA512259e4a869a2802943a4eded86e8d2317f0fc71be4e525eae725050e16fdaa52670a3f086b0ae4a49b6d5fb0918c3e2b64555b170263067fbff3b34f386475672
-
Filesize
3.1MB
MD57680119f3de2925404ae2615898ac605
SHA10b3f27db9fda31d2b525df17e139eff72b4a4c33
SHA256fa3220a10fe02de228a7b3ab809a0d6ab80f49d523d4b1d1cd1ac9edd11dc727
SHA51206714dc58b3ad702871a026c1855b93c7c887c31f6794eb579574321a7fc6779265bab37234abe7d1ae9d3b4ad4934915ba4fc091e1af646f5af2542de48b2cc
-
Filesize
5.0MB
MD57fc37c5552ada776f404d3679b9b0c4c
SHA19fba9ce4f16c935c5b8fbef62102cc7693b05f7c
SHA2566f681003b8e6c880891e082ee68ae18e3efa8da2ecf1707145f9ae3e3d4100cf
SHA512d2007abf0cc8c01eda7db4614ea5a05114ebdc39b5afbb0f20c5ab75c1f9a799a52a6e86cf7dc4a5a38132bd88d7692fece16ffcd36a895aa1c81f135fee134e
-
Filesize
5.3MB
MD5be1f6ac2ccea42961c970aec7c496922
SHA1913e98b3d882bafd5d3ad33f06dccb33297c8668
SHA25630079d48f5baed9d2bf588bc87a114bbb6fb27ea5ef47c2b5f70f06b85eab463
SHA512d650a0f95be6314f2bfecdea66e529bce6ed379ddadff658f57fe650d457f1e3dced583cd5ff4d5e15735b0880200b5f1b50388b709d2019ed139e3c985285d4
-
Filesize
392KB
MD570cee47ff4ea3ebf85f954fd9e827592
SHA14de5401139f3ac3fc6e633a5dc98c3c8ccfc8cc0
SHA256dcce40b45fde63f7333d2bcce1a763f1e482652912e38e18207313d39ea3a422
SHA5127c1bfe80f9ee1959c9f727e7ce0bcf29b0e65f490f7024cdd46f1a10d5d15be70d452857050c18993f881e066c9b34d0b0fda716ee89be0a36ebb98f37c70a5d
-
Filesize
4.5MB
MD5a7d93abf2841afe86a08230fb2fc14db
SHA15b8874f7922f42dae7a9214370aef691e51d837a
SHA25698fd11afcad50d9ecf17f02b00947c73a88a3a8929c33bc7ee04f5a0da9dba2b
SHA512508c1725a3040353fa910743bb7d7f60b2f89171aa15bd0e0b7929db324a4256e9c7f001ac35d972ec77dcc642da8a36740c1cfbd7e4a4b421e0452024585af9
-
Filesize
217KB
MD50e15f2a1c22a7d0147ab6df139797a62
SHA10f8207e8a1c1ff692a70c1668b2bafd566ba1718
SHA2566740b78526c22f1e8ea26c90d5a93436f8f2081f5f6da1c7f0e877937635977f
SHA512981946ea220caf0c237ad2b751aa0fd11a71cb7e1502dd74a3ffac1a6ae72981d8f8910b182a8cadc7404ccbb223b2c71a9bcdf00c01efe25f7aa8e1361f5d26
-
Filesize
11KB
MD5cd3cec3d65ae62fdf044f720245f29c0
SHA1c4643779a0f0f377323503f2db8d2e4d74c738ca
SHA256676a6da661e0c02e72bea510f5a48cae71fdc4da0b1b089c24bff87651ec0141
SHA512aca1029497c5a9d26ee09810639278eb17b8fd11b15c9017c8b578fced29cef56f172750c4cc2b0d1ebf8683d29e15de52a6951fb23d78712e31ddcb41776b0f
-
Filesize
10KB
MD5b181124928d8eb7b6caa0c2c759155cb
SHA11aadbbd43eff2df7bab51c6f3bda2eb2623b281a
SHA25624ea638dfa9f40e2f395e26e36d308db2ab25ed1baa5c796ac2c560ad4c89d77
SHA5122a43bf4d50d47924374cde689be24799c4e1c132c0bc981f5109952d3322e91dd5a9352b53bb55ca79a6ea92e2c387e87c064b9d8c8f519b77fff973d752dc8f
-
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-core-localization-l1-2-0.dll
Filesize13KB
MD521519f4d5f1fea53532a0b152910ef8b
SHA17833ac2c20263c8be42f67151f9234eb8e4a5515
SHA2565fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1
SHA51297211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417
-
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-core-processthreads-l1-1-1.dll
Filesize11KB
MD5b5c8334a10b191031769d5de01df9459
SHA183a8fcc777c7e8c42fa4c59ee627baf6cbed1969
SHA2566c27ac0542281649ec8638602fbc24f246424ba550564fc7b290b683f79e712d
SHA51259e53c515dfa2cd96182ca6539ed0ea2ebb01f5991beb08166d1fc53576aeaafebbb2c5ee0ccbdab60ae45fc6a048fff0b5e1b8c9c26907791d31fb7e75b1f39
-
Filesize
11KB
MD586421619dad87870e5f3cc0beb1f7963
SHA12f0fe3eb94fa90577846d49c03c4fd08ef9d3fb2
SHA25664eccd818f6ffc13f57a2ec5ca358b401ffbb1ca13b0c523d479ef5ee9eb44ab
SHA512dbce9904dd5a403a5a69e528ee1179cc5faab1361715a29b1a0de0cd33ad3ae9c9d5620dafb161fda86cb27909d001be8955940fd051077ffe6f3ff82357ad31
-
Filesize
14KB
MD588f89d0f2bd5748ed1af75889e715e6a
SHA18ada489b9ff33530a3fb7161cc07b5b11dfb8909
SHA25602c78781bf6cc5f22a0ecedc3847bfd20bed4065ac028c386d063dc2318c33cc
SHA5121f5a00284ca1d6dc6ae2dfce306febfa6d7d71d421583e4ce6890389334c2d98291e98e992b58136f5d1a41590553e3ad42fb362247ae8adf60e33397afbb5df
-
Filesize
11KB
MD50979785e3ef8137cdd47c797adcb96e3
SHA14051c6eb37a4c0dba47b58301e63df76bff347dd
SHA256d5164aecde4523ffa2dcfd0315b49428ac220013132ad48422a8ea4ca2361257
SHA512e369bc53babd327f5d1b9833c0b8d6c7e121072ad81d4ba1fb3e2679f161fb6a9fa2fca0df0bac532fd439beb0d754583582d1dbfeccf2d38cc4f3bdca39b52d
-
Filesize
12KB
MD5a1b6cebd3d7a8b25b9a9cbc18d03a00c
SHA15516de099c49e0e6d1224286c3dc9b4d7985e913
SHA256162ccf78fa5a4a2ee380f72fbd54d17a73c929a76f6e3659f537fa8f42602362
SHA512a322fb09e6faaff0daabb4f0284e4e90ccacff27161dbfd77d39a9a93dbf30069b9d86bf15a07fc2006a55af2c35cd8ea544895c93e2e1697c51f2dafad5a9d7
-
Filesize
11KB
MD5a6a9dfb31be2510f6dbfedd476c6d15a
SHA1cdb6d8bd1fbd1c71d85437cff55ddeb76139dbe7
SHA256150d32b77b2d7f49c8d4f44b64a90d7a0f9df0874a80fc925daf298b038a8e4c
SHA512b4f0e8fa148fac8a94e04bf4b44f2a26221d943cc399e7f48745ed46e8b58c52d9126110cdf868ebb723423fb0e304983d24fe6608d3757a43ad741bddb3b7ec
-
Filesize
11KB
MD550b721a0c945abe3edca6bcee2a70c6c
SHA1f35b3157818d4a5af3486b5e2e70bb510ac05eff
SHA256db495c7c4ad2072d09b2d4506b3a50f04487ad8b27d656685ea3fa5d9653a21d
SHA512ef2f6d28d01a5bad7c494851077d52f22a11514548c287e513f4820c23f90020a0032e2da16cc170ae80897ae45fc82bffc9d18afb2ae1a7b1da6eef56240840
-
Filesize
21KB
MD5461d5af3277efb5f000b9df826581b80
SHA1935b00c88c2065f98746e2b4353d4369216f1812
SHA256f9ce464b89dd8ea1d5e0b852369fe3a8322b4b9860e5ae401c9a3b797aed17bf
SHA512229bf31a1de1e84cf238a0dfe0c3a13fee86da94d611fbc8fdb65086dee6a8b1a6ba37c44c5826c3d8cfa120d0fba9e690d31c5b4e73f98c8362b98be1ee9600
-
Filesize
15KB
MD54f06da894ea013a5e18b8b84a9836d5a
SHA140cf36e07b738aa8bba58bc5587643326ff412a9
SHA256876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732
SHA5121d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79
-
Filesize
16KB
MD55765103e1f5412c43295bd752ccaea03
SHA16913bf1624599e55680a0292e22c89cab559db81
SHA2568f7ace43040fa86e972cc74649d3e643d21e4cad6cb86ba78d4c059ed35d95e4
SHA5125844ac30bc73b7ffba75016abefb8a339e2f2822fc6e1441f33f70b6eb7114f828167dfc34527b0fb5460768c4de7250c655bc56efd8ba03115cd2dd6f6c91c0
-
Filesize
17KB
MD5f364190706414020c02cf4d531e0229d
SHA15899230b0d7ad96121c3be0df99235ddd8a47dc6
SHA256a797c0d43a52e7c8205397225ac931638d73b567683f38dd803195da9d34eac2
SHA512a9c8abbd846ab55942f440e905d1f3864b82257b8daa44c784b1997a060de0c0439ecc25a2193032d4d85191535e9253e435deed23bdf3d3cb48c4209005a02e
-
Filesize
13KB
MD5d0b6a2caec62f5477e4e36b991563041
SHA18396e1e02dace6ae4dde33b3e432a3581bc38f5d
SHA256fd44d833ea40d50981b3151535618eb57b5513ed824a9963251d07abff2baedf
SHA51269bd6df96de99e6ab9c12d8a1024d20a034a7db3e2b62e8be7fdbc838c4e9001d2497b04209e07a5365d00366c794c31ee89b133304e475dde5f92fdb7fcb0bc
-
Filesize
11KB
MD53dfb82541979a23a9deb5fd4dcfb6b22
SHA15da1d02b764917b38fdc34f4b41fb9a599105dd9
SHA2560cd6d0ff0ff5ecf973f545e98b68ac6038db5494a8990c3b77b8a95b664b6feb
SHA512f9a20b3d44d39d941fa131c3a1db37614a2f9b2af7260981a0f72c69f82a5326901f70a56b5f7ad65862630fce59b02f650a132ee7ecfe2e4fc80f694483ca82
-
Filesize
2.9MB
MD5fb20ae8ae8b82e53f8f234c1d0c186b7
SHA1c03b74f6544715b0f25d23ece700eb663b2f86fc
SHA256057dcefa9e5a21402308bf438eb081491699a468326e3c7890ca6c033e510503
SHA51209a519e5be8fc15ce5c31e7341d254cb1164e42851c45a8c5ca17552aa78a242d9c52009e75953762858baa8999e5aeeda3388efbcd4d778bc67e2a268ae1429
-
Filesize
427KB
MD5db1e9807b717b91ac6df6262141bd99f
SHA1f55b0a6b2142c210bbfeebf1bac78134acc383b2
SHA2565a6dfa5e1ffb6c1e7fc76bd121c6c91305e10dd75fc2124f79fee291a9dd9e86
SHA512f0621977d20989d21ae14b66c1a7a6c752bfd6d7ccc2c4c4ec1c70ba6756e642fb7f9b1c6a94afadd0f8a05d3c377792e4aa4c1a771d833c40a6f46b90cbe7c3
-
Filesize
61KB
MD59d355f89a89d7837a03716b1d45dc5cc
SHA16affa5368018a5ad1ab4a68c512ed8db527dd3b4
SHA256167c8e0ac2c160c1eaf140e985efa3a8f809e49049e03ba3b50809d6139ca492
SHA51276009be1aca4aaf21ef0978d4cc3694a9ad50f1d4fabdcfb5313391aae3a5fc4ad4994f58ec77e54a879dd64c773417186f3f038f8cb7905a3607495c067a678
-
Filesize
41KB
MD510adbd3c3de885e0383a97626a71af34
SHA1392329c20383249c3632dba0e42fc017a62bc081
SHA256c95bd95f1505e53eef32cf4581d20bc3c48621b1ccf876ee4bf7297f6581e58a
SHA512e10cca89f19021a7d3b91090d3878b89b550e6587f9c255f67cfe19b171f438a23473cfaf20b4026c060b420fb7d812dcf4783864a124ce55c9b8d9676ad926b
-
Filesize
1.3MB
MD5bc21f4d77a75822b27c3d1a598e8e29e
SHA14ca0afce4ee376041058e3791c10c2309ca7eddc
SHA25669af5d323506398ce6b7c1d7a776e7bc19aff52c3745865d4e8041f23deea668
SHA5120de597f55ff5ec22b4783e3d607c4d5b3a9f8cb1ebaa2fbb24da37da31d5d99404e92b34af13487bcf802729960ff3dbbf26e409a2c27b8d31324e43ac51317a
-
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll
Filesize145KB
MD5a8492f295b92be062e26542af4d516b7
SHA12fef9e287ab6eaad60c5711f5e294cf83844399d
SHA2564c50353d5b4595c8702a069e4ffd9325c9c24999e95e4e68f09fe71fff0f6597
SHA5125667d0c94e9725a5254b32fa5235795127e78da6879e24c7024783a84259579213c1d2629230eaf43eda5adeb760982675167218508db24613dbd28776e4bf9a
-
Filesize
1.1MB
MD52040cdcd779bbebad36d36035c675d99
SHA1918bc19f55e656f6d6b1e4713604483eb997ea15
SHA2562ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359
SHA51283dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f
-
Filesize
75KB
MD58fdb26199d64ae926509f5606460f573
SHA17d7d8849e7c77af3042a6f54bdf2bb303d7cd678
SHA256f1fd5f6ec1cfe0cc3b66b5322ac97568bc63b19c1e415b99aad7c69ddbafa33c
SHA512f56bf11d4259dbf5d4d1f9fc2ad60ff609cddb21278999e9fa55fe5d74552e8a01ddc55cfdc9bf4b09b3e3130a1356142a24a7db8ec5ea19344de617dc9fa99f