Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/10/2024, 14:48
Static task: static1
Behavioral task: behavioral1
Sample: 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe
Resource: win10v2004-20241007-en
General
Target: 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe
Size: 5.5MB
MD5: 8827b26b1deb9ef9ede4fd262e8d7739
SHA1: 1afa3fb51f00f7912fc2d9b3b1466dbc70087e07
SHA256: 36b263ca84d8e15aa27c73f74bb99ffbc06fdefabc467c8a00d4eb195adbd6af
SHA512: 21a4305f3dd462831da894f602c0d2fdbd4c1d45f6127009d39e18b5c7f37692592786fdbf467c597ee2ba9ff40db9e122a8f4a6fec4e1c4d673abee2561dc88
SSDEEP: 98304:prI1lEAOYB6RJ2dqW8LZJc+ZQSAA4zJOi6f4s9w0dGzB/FK:KXGULEFrcPJzAxf4+FGV4
Malware Config
Signatures
-
Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe
File opened for modification | \??\PhysicalDrive0 | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe
File opened for modification | \??\PhysicalDrive0 | ksomisc.exe
File opened for modification | \??\PhysicalDrive0 | 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe
-
Checks computer location settings 2 TTPs 14 IoCs
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 1 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe
-
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\ | 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe
-
Executes dropped EXE 42 IoCs
-
Loads dropped DLL 64 IoCs
-
Modifies system executable filetype association 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ kwpsshellext\ = "{28A80003-18FD-411D-B0A3-3C81F618E22B}" | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext | regsvr32.exe
-
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wpscloudsvr.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 50 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
-
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4} | ksomisc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" | ksomisc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{E436987E-F427-4AD7-8738-6D0895A3E93F}" | ksomisc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4} | ksomisc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" | ksomisc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{AB5357A7-3179-47F9-A705-966B8B936D5E}" | ksomisc.exe
-
Modifies registry class 64 IoCs
created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\SystemCertificates\eSIM Certification Authorities 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CRLs 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CRLs 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CRLs ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CTLs ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CTLs ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\SystemCertificates\TestSignRoot 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CRLs 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\SystemCertificates\WindowsServerUpdateServices 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe Key created 
\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\SystemCertificates\TestSignRoot 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CRLs ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CTLs 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe -
Suspicious behavior: AddClipboardFormatListener 35 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
3252 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 14 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe "C:\Users\Admin\AppData\Local\Temp\2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe" 1⤵
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3428
C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -curlangofinstalledproduct=en_US -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps -enableSetupMuiPkg -appdata="C:\Users\Admin\AppData\Roaming" 2⤵
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3252
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService 3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1756
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regmtfont 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2356
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -setappcap 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1360
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -assoepub -source=1 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4088
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -registerqingshellext 1 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2060
C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\html2pdf\html2pdf.dll" 3⤵
- System Location Discovery: System Language Discovery
PID:1688
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regmso2pdfplugins 3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:5064
C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins.dll" 4⤵
- System Location Discovery: System Language Discovery
PID:3928
C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll" 4⤵
- System Location Discovery: System Language Discovery
PID:1240
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll" 5⤵
PID:3596
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regPreviewHandler 3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:3892
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -assopic_setup 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:3224
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -defragment 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
PID:1432
C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe "C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe" -downpower -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -curlangofinstalledproduct="en_US" -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -enableSetupMuiPkg="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -appdata="C:\Users\Admin\AppData\Roaming" -msgwndname=wpssetup_message_E581A2A -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\ 1⤵
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4200
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setlng en_US 2⤵
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4360
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -getonlineparam 00500.00002079 -forceperusermode 2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1204
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -getabtest -forceperusermode 2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4884
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setservers 2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4512
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -register 2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2896
C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins.dll" 3⤵
- System Location Discovery: System Language Discovery
PID:3480
C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll" 3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4296
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll" 4⤵
PID:3076
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -assoword 2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1028
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -assoexcel 2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4804
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -assopowerpnt 2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:884
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -compatiblemso -source=1 2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2832
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -checkcompatiblemso 2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2240
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -saveas_mso 2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1848
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -distsrc 00500.00002079 2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1136
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -sendinstalldyn 5 2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1720
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode 2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:552
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -externaltask create -forceperusermode 2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4912 -
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5112 -
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" CheckService 4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4208
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.18607/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=5112 /prv 4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1972
-
-
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink startmenu prometheus 2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1204
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink startmenu pdf 2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4792
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink desktop pdf 2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3596
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink desktop prometheus 2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4800
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createCustomDestList 2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2392
-
-
C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kwpsmenushellext64.dll" 2⤵
- System Location Discovery: System Language Discovery
PID:760 -
C:\Windows\system32\regsvr32.exe /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kwpsmenushellext64.dll" 3⤵
- Modifies system executable filetype association
PID:4156
-
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setup_assopdf -source=1 2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2020 -
C:\Windows\SysWOW64\openwith.exe "C:\Windows\SysWOW64\openwith.exe" 3⤵
- System Location Discovery: System Language Discovery
PID:2568
-
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe" /from:setup 2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3328 -
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1660
-
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe" -createtask 2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4356 -
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3396
-
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createexternstartmenu "WPS Office" 2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:2996
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -rebuildicon 2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
PID:3672
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -reportAssoInfo -forceperusermode 2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
PID:2548
-
-
C:\Windows\system32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca 1⤵ PID:4296
-
C:\Windows\system32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca 1⤵ PID:1240
Network
MITRE ATT&CK Enterprise v15
Persistence
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Component Object Model Hijacking (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Component Object Model Hijacking (1)
Defense Evasion
- Modify Registry (3)
- Pre-OS Boot (1)
  - Bootkit (1)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Downloads
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kodfconverthelper_xa\mui\pt_BR\kodfconverthelper.qm
Filesize: 334B
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\pt_PT\history.js
Filesize: 198KB
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\mui\ja_JP\resource\splash\hdpi\2x\ent_background_2019_wpsoffice.png
Filesize: 236KB
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\qt\plugins\platforms\qdirect2d.dll
Filesize: 1.4MB
-
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-errorhandling-l1-1-0.dll
Filesize: 10KB
-
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-interlocked-l1-1-0.dll
Filesize: 11KB
-
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-libraryloader-l1-1-0.dll
Filesize: 11KB
-
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-localization-l1-2-0.dll
Filesize: 13KB
-
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-processenvironment-l1-1-0.dll
Filesize: 11KB
-
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-processthreads-l1-1-0.dll
Filesize: 13KB
-
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-processthreads-l1-1-1.dll
Filesize: 11KB
-
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-rtlsupport-l1-1-0.dll
Filesize: 10KB
-
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-crt-environment-l1-1-0.dll
Filesize: 11KB
-
Filesize
1.2MB
MD556d017aef6a7c74cd136f2390b8ea6d3
SHA146cc837c64abe4e757e66a24ece56e3f975e9ef6
SHA256900da3e0ea1b4f94773689b41d3f00b28b0fad0f6390da3aec3a9f84a3f85920
SHA5127b5573461693c6125df7ff9040afb6f4fa818a68add9073071a3317767216dd9a6cf25704f3189f3923ead36751fa830e9899eb79f9b6cad3be405262bf53f49
-
Filesize
10KB
MD5c6133749ba22cf955b526d9bb3911f09
SHA1dc61798a22b3e6a9dfc66782a1020107eac0a9b5
SHA25639e9af87ed0eae0fa0c520088d7edc3e1edd3889f109ef1220467ffa0e425e36
SHA512b17b0e23e0dd52e6ac778f27916367199290fe7e25e6e2b444491e39a65b5dc3906d87037c1e6c73c35e6fd9e6302f5346a35fd2f280f4b8f31683ab46ab95bf
-
Filesize
1.4MB
MD531b9fc652711265760068b421aaabd52
SHA1ac6e6b4f16b706083f74d2294ea7fdc631ee8b0d
SHA25666732f097fe39d370410d85aec9a86f373638e7cac46473da799e9e666fc6c8b
SHA51258d8a4bfc8d60882e84a4c8270645623d2256c4a354d1db22791c2e98c3ada2a90bdb576f7ecdb0df5c420b13aa51ce6e728f24b941846e27de101b59e563cee
-
Filesize
2.9MB
MD5fb20ae8ae8b82e53f8f234c1d0c186b7
SHA1c03b74f6544715b0f25d23ece700eb663b2f86fc
SHA256057dcefa9e5a21402308bf438eb081491699a468326e3c7890ca6c033e510503
SHA51209a519e5be8fc15ce5c31e7341d254cb1164e42851c45a8c5ca17552aa78a242d9c52009e75953762858baa8999e5aeeda3388efbcd4d778bc67e2a268ae1429
-
Filesize
8KB
MD51a59aa4f478d8725dcf575f481946c69
SHA1651aa42b7fbb7bcda13a903bfaef7c6b6046a24d
SHA25652a390608b1d0dcfb2931d61a334f103aabdf3ea7651b52c96aca40fd1c1fc0b
SHA5121afeeba858d0a46daa43fc52dcce711d510268f839d91152f8b7aae0c4e69652b8066ffdafde2bd4a430bf75446471bc730ce1e6d42ca04c990091f68dc1ea77
-
Filesize
427KB
MD5db1e9807b717b91ac6df6262141bd99f
SHA1f55b0a6b2142c210bbfeebf1bac78134acc383b2
SHA2565a6dfa5e1ffb6c1e7fc76bd121c6c91305e10dd75fc2124f79fee291a9dd9e86
SHA512f0621977d20989d21ae14b66c1a7a6c752bfd6d7ccc2c4c4ec1c70ba6756e642fb7f9b1c6a94afadd0f8a05d3c377792e4aa4c1a771d833c40a6f46b90cbe7c3
-
Filesize
61KB
MD59d355f89a89d7837a03716b1d45dc5cc
SHA16affa5368018a5ad1ab4a68c512ed8db527dd3b4
SHA256167c8e0ac2c160c1eaf140e985efa3a8f809e49049e03ba3b50809d6139ca492
SHA51276009be1aca4aaf21ef0978d4cc3694a9ad50f1d4fabdcfb5313391aae3a5fc4ad4994f58ec77e54a879dd64c773417186f3f038f8cb7905a3607495c067a678
-
Filesize
41KB
MD510adbd3c3de885e0383a97626a71af34
SHA1392329c20383249c3632dba0e42fc017a62bc081
SHA256c95bd95f1505e53eef32cf4581d20bc3c48621b1ccf876ee4bf7297f6581e58a
SHA512e10cca89f19021a7d3b91090d3878b89b550e6587f9c255f67cfe19b171f438a23473cfaf20b4026c060b420fb7d812dcf4783864a124ce55c9b8d9676ad926b
-
Filesize
1.3MB
MD5bc21f4d77a75822b27c3d1a598e8e29e
SHA14ca0afce4ee376041058e3791c10c2309ca7eddc
SHA25669af5d323506398ce6b7c1d7a776e7bc19aff52c3745865d4e8041f23deea668
SHA5120de597f55ff5ec22b4783e3d607c4d5b3a9f8cb1ebaa2fbb24da37da31d5d99404e92b34af13487bcf802729960ff3dbbf26e409a2c27b8d31324e43ac51317a
-
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\qt\plugins\printsupport\windowsprintersupport.dll
Filesize
71KB
-
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll
Filesize
145KB
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4B6FAD4JNBSWVJBYOD3P.temp
Filesize
8KB
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\kconfigcenter\kccsdkdb\kccsdkpriortydb\mdbx.dat
Filesize
64KB