d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772

Analysis

max time kernel
147s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2024 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
Size

5.5MB
MD5

8d76bb0011099f752d1df93ad3f697f2
SHA1

467d3da8b2fa7ff0d2958d30c3345c109647e09d
SHA256

d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772
SHA512

1526f49a0b14ed46c0fc68781e71009121e6f9807a3c262d6fa50c69fb37f59a711c9ae383ed8f30ed14b60456aafc80bfac10fccf90ef6fc27d4191693ddc8d
SSDEEP

98304:irI1lEAOYB6RJ2dqW8LZJc+ZQSAA4zJOi6f4s9w0dGzB/vr:RXGULEFrcPJzAxf4+FGVD

Score

6^/10

bootkit discovery evasion persistence privilege_escalation trojan

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exeksomisc.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
File opened for modification	\??\PhysicalDrive0	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
File opened for modification	\??\PhysicalDrive0	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
File opened for modification	\??\PhysicalDrive0	ksomisc.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exeksomisc.exe060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exeksomisc.exeksomisc.exewpsupdate.exeksomisc.exeksomisc.exewpsupdate.exe060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	wpsupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	wpsupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	ksomisc.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

Processes:

060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

description	ioc	process
File created	C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

Drops file in Windows directory 1 IoCs

Processes:

060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

description ioc process

File opened for modification C:\Windows\ 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

description	ioc	process
File opened for modification	C:\Windows\	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

Executes dropped EXE 42 IoCs

Processes:

060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exeksomisc.exeksomisc.exeksomisc.exewpscloudsvr.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exewps.exewps.exewps.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exewpsupdate.exewpscloudsvr.exewpsupdate.exewpscloudsvr.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exe

pid	process
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2128	ksomisc.exe
4088	ksomisc.exe
2832	ksomisc.exe
4904	wpscloudsvr.exe
2432	ksomisc.exe
2748	ksomisc.exe
4476	ksomisc.exe
1496	ksomisc.exe
1960	ksomisc.exe
4184	ksomisc.exe
4600	ksomisc.exe
2400	ksomisc.exe
1384	ksomisc.exe
1920	ksomisc.exe
460	ksomisc.exe
1308	ksomisc.exe
4244	ksomisc.exe
2608	ksomisc.exe
2288	wps.exe
5008	wps.exe
2456	wps.exe
2020	ksomisc.exe
4476	ksomisc.exe
2964	ksomisc.exe
2128	ksomisc.exe
740	ksomisc.exe
2552	ksomisc.exe
3668	ksomisc.exe
4964	ksomisc.exe
4400	wpsupdate.exe
2128	wpscloudsvr.exe
3956	wpsupdate.exe
2020	wpscloudsvr.exe
3484	ksomisc.exe
452	ksomisc.exe
2132	ksomisc.exe
3152	ksomisc.exe
3544	ksomisc.exe
5008	ksomisc.exe
5000	ksomisc.exe

Loads dropped DLL 64 IoCs

Processes:

060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exeksomisc.exeksomisc.exe

pid	process
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
4088	ksomisc.exe
4088	ksomisc.exe
4088	ksomisc.exe
4088	ksomisc.exe
4088	ksomisc.exe
4088	ksomisc.exe
4088	ksomisc.exe
4088	ksomisc.exe
4088	ksomisc.exe
4088	ksomisc.exe
4088	ksomisc.exe
4088	ksomisc.exe
4088	ksomisc.exe
4088	ksomisc.exe
4088	ksomisc.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ kwpsshellext\ = "{28A80003-18FD-411D-B0A3-3C81F618E22B}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext	regsvr32.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

wpscloudsvr.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wpscloudsvr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wpscloudsvr.exe

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ksomisc.exeopenwith.exeksomisc.exeksomisc.exeksomisc.exed19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exeksomisc.exeksomisc.exewpsupdate.exeregsvr32.exeksomisc.exewps.exeksomisc.exeregsvr32.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exewpsupdate.exewpscloudsvr.exeksomisc.exeregsvr32.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exe060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exeksomisc.exeksomisc.exeksomisc.exewps.exeksomisc.exeksomisc.exeksomisc.exewps.exeregsvr32.exeksomisc.exeksomisc.exeregsvr32.exe060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exewpscloudsvr.exeksomisc.exeregsvr32.exewpscloudsvr.exeksomisc.exeksomisc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpscloudsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpscloudsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpscloudsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

ksomisc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024"	ksomisc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{E436987E-F427-4AD7-8738-6D0895A3E93F}"	ksomisc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}	ksomisc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024"	ksomisc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{AB5357A7-3179-47F9-A705-966B8B936D5E}"	ksomisc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}	ksomisc.exe

Modifies registry class 64 IoCs

Processes:

ksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{00024446-0000-0000-C000-000000000046}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{00020890-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WPS.Dotx.6\shell\new\ = "&New"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WPS.PIC.mrw\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.18607\\office6\\photolaunch.exe\" /photo /view \"%1\""	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{0002093C-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{000C03A0-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{CEBD4184-4E6D-4FC6-A42D-2142B1B76AF5}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{9149347E-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{F658E3EC-F2D3-4272-AA49-4EC155D5AA76}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{000C1532-0000-0000-C000-000000000046}\TypeLib\Version = "63.1"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{000244A9-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{000C0379-0000-0000-C000-000000000046}\ = "SharedWorkspaceTask"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{F258DE05-C41B-4C33-A778-F0D3F98CEEB3}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{9149349B-5A91-11CF-8700-00AA0060263B}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{0002445E-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{000208B2-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4\ = "Microsoft Office 12.0 Object Library"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{9149345E-5A91-11CF-8700-00AA0060263B}\ = "PrintRanges"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{00024432-0000-0000-C000-000000000046}\ = "AutoFilter"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\.slk\ = "ET.SLK"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{D36C1F42-7044-4B9E-9CA3-85919454DB04}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{0002098A-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{000209D7-0000-0000-C000-000000000046}\ = "EmailAuthor"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{52CA3750-AAF7-4525-B401-F8BACC417C33}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{92D41A7B-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{000244C6-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{00024478-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{00024450-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{000C0361-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{000C0936-0000-0000-C000-000000000046}\TypeLib\Version = "63.1"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{B184502B-587A-4C6A-8DC4-ECE4354883C6}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{000209B4-0000-0000-C000-000000000046}\ = "Version"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{3D2F865B-E2DB-4896-BC35-6A006DF896DC}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{000244CC-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{000C0326-0000-0000-C000-000000000046}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{914934F5-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{000208B1-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WPS.Doc.6\ = "DOC Document"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{0002094E-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{9E116A3C-2C6D-4D07-93AF-8675D452FCA2}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{000244DF-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{00024499-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WPP.POT.6\shell\print	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\.pps\ = "WPP.PPT.6"	ksomisc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSAddnDr.AddInInstance\CLSID\ = "{AB5357A7-3179-47F9-A705-966B8B936D5E}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{000209E4-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{914934EC-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{00024457-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{00020993-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{15EBE471-0182-4CCE-98D0-B6614D1C32A1}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{9149345D-5A91-11CF-8700-00AA0060263B}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{CDE12CD8-767B-4757-8A31-13029A086305}\ = "SmartTagActions"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{000C1730-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\TypeLib\{5C635788-CFAC-4149-A9C3-589AC69C6207}\1.0\0	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\CLSID\{0002CE21-0000-0000-C000-000000000046}\AuxUserType\3\ = "WPS Equation 3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{86905AC9-33F3-4A88-96C8-B289B0390BCA}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{00024480-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\Interface\{00024488-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{000C1718-0000-0000-C000-000000000046}\ = "ChartFont"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\TypeLib\{0002E157-0000-0000-C000-000000000046}\5.3\FLAGS\ = "0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Interface\{000C0351-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100380036005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\KWPS.Document.9\shell	ksomisc.exe

Modifies system certificate store 2 TTPs 64 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exeksomisc.exe060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CTLs	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CTLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\FlightRoot	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\eSIM Certification Authorities	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\TrustedDevices	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\eSIM Certification Authorities	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CRLs	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\TrustedDevices	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CTLs	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\Certificates	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\WindowsServerUpdateServices	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CRLs	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CTLs	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CTLs	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CTLs	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\TrustedAppRoot	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\eSIM Certification Authorities	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CRLs	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CTLs	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CRLs	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\WindowsServerUpdateServices	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\TestSignRoot	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CRLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CTLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CTLs	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CRLs	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CTLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CTLs	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CTLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\TestSignRoot	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\TestSignRoot	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\TrustedDevices	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CTLs	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\eSIM Certification Authorities	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CRLs	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CTLs	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CRLs	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CRLs	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\FlightRoot	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CRLs	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CTLs	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CRLs	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CRLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CRLs	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\SystemCertificates\TestSignRoot	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

Suspicious behavior: AddClipboardFormatListener 34 IoCs

Processes:

060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exewpsupdate.exewpsupdate.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exe

pid	process
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2128	ksomisc.exe
4088	ksomisc.exe
2832	ksomisc.exe
2432	ksomisc.exe
2748	ksomisc.exe
4476	ksomisc.exe
1496	ksomisc.exe
1960	ksomisc.exe
4184	ksomisc.exe
4600	ksomisc.exe
2400	ksomisc.exe
1384	ksomisc.exe
1920	ksomisc.exe
460	ksomisc.exe
1308	ksomisc.exe
4244	ksomisc.exe
2608	ksomisc.exe
2020	ksomisc.exe
4476	ksomisc.exe
2964	ksomisc.exe
2128	ksomisc.exe
740	ksomisc.exe
2552	ksomisc.exe
3668	ksomisc.exe
4400	wpsupdate.exe
3956	wpsupdate.exe
3484	ksomisc.exe
452	ksomisc.exe
2132	ksomisc.exe
3152	ksomisc.exe
3544	ksomisc.exe
5008	ksomisc.exe
5000	ksomisc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
464	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
464	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
4088	ksomisc.exe
4088	ksomisc.exe
4088	ksomisc.exe
4088	ksomisc.exe
4088	ksomisc.exe
4088	ksomisc.exe
4088	ksomisc.exe
4088	ksomisc.exe
2832	ksomisc.exe
2832	ksomisc.exe
2832	ksomisc.exe
2832	ksomisc.exe
2832	ksomisc.exe
2832	ksomisc.exe
2832	ksomisc.exe
2832	ksomisc.exe
4904	wpscloudsvr.exe
4904	wpscloudsvr.exe
2432	ksomisc.exe
2432	ksomisc.exe
2432	ksomisc.exe
2432	ksomisc.exe
2432	ksomisc.exe
2432	ksomisc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

pid process

2272 060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Token: SeRestorePrivilege	2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Token: SeRestorePrivilege	2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Token: SeRestorePrivilege	2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Token: SeRestorePrivilege	2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
Token: SeDebugPrivilege	2128	ksomisc.exe
Token: SeLockMemoryPrivilege	2128	ksomisc.exe
Token: SeDebugPrivilege	4088	ksomisc.exe
Token: SeLockMemoryPrivilege	4088	ksomisc.exe
Token: SeDebugPrivilege	2832	ksomisc.exe
Token: SeLockMemoryPrivilege	2832	ksomisc.exe
Token: SeDebugPrivilege	2432	ksomisc.exe
Token: SeLockMemoryPrivilege	2432	ksomisc.exe
Token: SeDebugPrivilege	2748	ksomisc.exe
Token: SeLockMemoryPrivilege	2748	ksomisc.exe
Token: SeDebugPrivilege	4476	ksomisc.exe
Token: SeLockMemoryPrivilege	4476	ksomisc.exe
Token: SeDebugPrivilege	1496	ksomisc.exe
Token: SeLockMemoryPrivilege	1496	ksomisc.exe
Token: SeDebugPrivilege	1960	ksomisc.exe
Token: SeLockMemoryPrivilege	1960	ksomisc.exe
Token: SeDebugPrivilege	4184	ksomisc.exe
Token: SeLockMemoryPrivilege	4184	ksomisc.exe
Token: SeDebugPrivilege	4600	ksomisc.exe
Token: SeLockMemoryPrivilege	4600	ksomisc.exe
Token: SeDebugPrivilege	2400	ksomisc.exe
Token: SeLockMemoryPrivilege	2400	ksomisc.exe
Token: SeDebugPrivilege	1384	ksomisc.exe
Token: SeLockMemoryPrivilege	1384	ksomisc.exe
Token: SeDebugPrivilege	1920	ksomisc.exe
Token: SeLockMemoryPrivilege	1920	ksomisc.exe
Token: SeDebugPrivilege	460	ksomisc.exe
Token: SeLockMemoryPrivilege	460	ksomisc.exe
Token: SeDebugPrivilege	1308	ksomisc.exe
Token: SeLockMemoryPrivilege	1308	ksomisc.exe
Token: SeDebugPrivilege	4244	ksomisc.exe
Token: SeLockMemoryPrivilege	4244	ksomisc.exe
Token: SeDebugPrivilege	2608	ksomisc.exe
Token: SeLockMemoryPrivilege	2608	ksomisc.exe
Token: SeDebugPrivilege	2020	ksomisc.exe
Token: SeLockMemoryPrivilege	2020	ksomisc.exe
Token: SeDebugPrivilege	4476	ksomisc.exe
Token: SeLockMemoryPrivilege	4476	ksomisc.exe
Token: SeDebugPrivilege	2964	ksomisc.exe
Token: SeLockMemoryPrivilege	2964	ksomisc.exe
Token: SeDebugPrivilege	2128	ksomisc.exe
Token: SeLockMemoryPrivilege	2128	ksomisc.exe
Token: SeDebugPrivilege	740	ksomisc.exe
Token: SeLockMemoryPrivilege	740	ksomisc.exe
Token: SeDebugPrivilege	2552	ksomisc.exe
Token: SeLockMemoryPrivilege	2552	ksomisc.exe
Token: SeDebugPrivilege	3668	ksomisc.exe
Token: SeLockMemoryPrivilege	3668	ksomisc.exe
Token: SeLockMemoryPrivilege	4400	wpsupdate.exe
Token: SeLockMemoryPrivilege	3956	wpsupdate.exe
Token: SeDebugPrivilege	3484	ksomisc.exe
Token: SeLockMemoryPrivilege	3484	ksomisc.exe
Token: SeDebugPrivilege	452	ksomisc.exe
Token: SeLockMemoryPrivilege	452	ksomisc.exe
Token: SeDebugPrivilege	2132	ksomisc.exe
Token: SeLockMemoryPrivilege	2132	ksomisc.exe
Token: SeDebugPrivilege	3152	ksomisc.exe
Token: SeLockMemoryPrivilege	3152	ksomisc.exe
Token: SeDebugPrivilege	3544	ksomisc.exe

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exeksomisc.exed19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe

pid	process
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
4244	ksomisc.exe
464	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
464	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
464	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
464	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
464	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
464	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
464	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
464	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
464	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
2128	ksomisc.exe
2128	ksomisc.exe
4088	ksomisc.exe
4088	ksomisc.exe
4088	ksomisc.exe
4088	ksomisc.exe
2832	ksomisc.exe
2832	ksomisc.exe
2832	ksomisc.exe
2832	ksomisc.exe
2432	ksomisc.exe
2432	ksomisc.exe
2748	ksomisc.exe
2748	ksomisc.exe
4476	ksomisc.exe
4476	ksomisc.exe
1496	ksomisc.exe
1496	ksomisc.exe
1960	ksomisc.exe
1960	ksomisc.exe
1960	ksomisc.exe
1960	ksomisc.exe
4184	ksomisc.exe
4184	ksomisc.exe
4184	ksomisc.exe
4184	ksomisc.exe
4600	ksomisc.exe
4600	ksomisc.exe
4600	ksomisc.exe
4600	ksomisc.exe
2400	ksomisc.exe
2400	ksomisc.exe
1384	ksomisc.exe
1384	ksomisc.exe
1920	ksomisc.exe
1920	ksomisc.exe
460	ksomisc.exe
460	ksomisc.exe
1308	ksomisc.exe
1308	ksomisc.exe
4244	ksomisc.exe
4244	ksomisc.exe
2608	ksomisc.exe
2608	ksomisc.exe
2020	ksomisc.exe
2020	ksomisc.exe
4476	ksomisc.exe
4476	ksomisc.exe
2964	ksomisc.exe
2964	ksomisc.exe
2128	ksomisc.exe
2128	ksomisc.exe
740	ksomisc.exe
740	ksomisc.exe
2552	ksomisc.exe
2552	ksomisc.exe
3668	ksomisc.exe
3668	ksomisc.exe
4400	wpsupdate.exe
4400	wpsupdate.exe
3956	wpsupdate.exe
3956	wpsupdate.exe
3484	ksomisc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 464 wrote to memory of 2272	464	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
PID 464 wrote to memory of 2272	464	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
PID 464 wrote to memory of 2272	464	d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
PID 3096 wrote to memory of 2128	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 2128	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 2128	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 4088	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 4088	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 4088	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 2832	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 2832	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 2832	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 2272 wrote to memory of 4904	2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	wpscloudsvr.exe
PID 2272 wrote to memory of 4904	2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	wpscloudsvr.exe
PID 2272 wrote to memory of 4904	2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	wpscloudsvr.exe
PID 3096 wrote to memory of 2432	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 2432	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 2432	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 2748	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 2748	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 2748	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 2748 wrote to memory of 2776	2748	ksomisc.exe	regsvr32.exe
PID 2748 wrote to memory of 2776	2748	ksomisc.exe	regsvr32.exe
PID 2748 wrote to memory of 2776	2748	ksomisc.exe	regsvr32.exe
PID 2748 wrote to memory of 3304	2748	ksomisc.exe	regsvr32.exe
PID 2748 wrote to memory of 3304	2748	ksomisc.exe	regsvr32.exe
PID 2748 wrote to memory of 3304	2748	ksomisc.exe	regsvr32.exe
PID 3304 wrote to memory of 1308	3304	regsvr32.exe	ksomisc.exe
PID 3304 wrote to memory of 1308	3304	regsvr32.exe	ksomisc.exe
PID 2272 wrote to memory of 4476	2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 2272 wrote to memory of 4476	2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 2272 wrote to memory of 4476	2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 2272 wrote to memory of 1496	2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 2272 wrote to memory of 1496	2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 2272 wrote to memory of 1496	2272	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 1960	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 1960	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 1960	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 4184	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 4184	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 4184	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 4600	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 4600	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 4600	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 2400	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 2400	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 2400	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 1384	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 1384	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 1384	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 1920	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 1920	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 1920	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 460	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 460	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 460	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 1308	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 1308	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 1308	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 4244	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 4244	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 4244	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 2608	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe
PID 3096 wrote to memory of 2608	3096	060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe	ksomisc.exe

C:\Users\Admin\AppData\Local\Temp\d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
"C:\Users\Admin\AppData\Local\Temp\d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:464

C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -curlangofinstalledproduct=en_US -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps -enableSetupMuiPkg -appdata="C:\Users\Admin\AppData\Roaming"
2⤵
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2272

C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4904

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regmtfont
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4476

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -setappcap
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1496

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -assoepub -source=1
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3668

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -registerqingshellext 1
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4964

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\html2pdf\html2pdf.dll"
3⤵
- System Location Discovery: System Language Discovery
PID:400

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regmso2pdfplugins
3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3484

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins.dll"
4⤵
- System Location Discovery: System Language Discovery
PID:1140

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"
4⤵
- System Location Discovery: System Language Discovery
PID:3320

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"
5⤵
PID:4904

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regPreviewHandler
3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -assopic_setup
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -defragment
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
PID:5000

C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
"C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe" -downpower -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -curlangofinstalledproduct="en_US" -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -enableSetupMuiPkg="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -appdata="C:\Users\Admin\AppData\Roaming" -msgwndname=wpssetup_message_E57C89F -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~e57c5c1\
1⤵
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3096

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setlng en_US
2⤵
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2128

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -getonlineparam 00500.00002083 -forceperusermode
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4088

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -getabtest -forceperusermode
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2832

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setservers
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2432

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -register
2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins.dll"
3⤵
- System Location Discovery: System Language Discovery
PID:2776

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3304

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"
4⤵
PID:1308

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -assoword
2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1960

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -assoexcel
2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4184

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -assopowerpnt
2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4600

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -compatiblemso -source=1
2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2400

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -checkcompatiblemso
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1384

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -saveas_mso
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1920

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -distsrc 00500.00002083
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:460

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -sendinstalldyn 5
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1308

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode
2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4244

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -externaltask create -forceperusermode
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2608

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2288

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" CheckService
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5008

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.18607/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=2288 /prv
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2456

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink startmenu prometheus
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2020

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink startmenu pdf
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4476

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink desktop pdf
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2964

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink desktop prometheus
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2128

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createCustomDestList
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:740

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kwpsmenushellext64.dll"
2⤵
- System Location Discovery: System Language Discovery
PID:400

C:\Windows\system32\regsvr32.exe
/s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kwpsmenushellext64.dll"
3⤵
- Modifies system executable filetype association
PID:1376

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setup_assopdf -source=1
2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2552

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\SysWOW64\openwith.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:2752

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe" /from:setup
2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4400

C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2128

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe" -createtask
2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3956

C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2020

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createexternstartmenu "WPS Office"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -rebuildicon
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -reportAssoInfo -forceperusermode
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\Qt5NetworkKso.dll

Filesize
1.1MB

MD5
f250f6f6db34808e67bc3a603312f93d

SHA1
9de21d268b014fd8e042699372c48696b4e824f9

SHA256
d81d04cf294985d535a25d8d1797a3f65155b0b3cbc5095922cfe122354066bc

SHA512
ae354243032cb28fdbca69fdbffabb677e4a5f96e957b56377a1381605d8de1fccbaa8db183c375932aee9130fe8b0e5de9c581d4cf9cf3aee19b3e1f43d1839

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\Qt5XmlKso.dll

Filesize
170KB

MD5
3e08e7ca30a665c5f0f9cf14e269f028

SHA1
dcc612f071c7c7349ee0240291ff8bbf4a8a0c46

SHA256
b658adc8782c0fb998b0535ba166f9aaa59e3cd193e1cfcce0e9b4c918f20834

SHA512
0f6a81e079fbec8a52eabb1c1bd2dafa7d64194008d1c839988e70faef971f8be81bc48c8ea0f79db32a8b1fbce0270992ca3d15df3bea121260c168e41d5ee9

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kodfconverthelper_xa\mui\pt_BR\kodfconverthelper.qm

Filesize
334B

MD5
2b42be10ddde43a0b6c2e461beae293a

SHA1
53888c4798bc04fdfc5a266587b8dc1c4e0103f3

SHA256
984ebeef80f6f50907afb92e5b5ae72df49fce045552c118a77a8887cc98e19b

SHA512
be3ebd02d37de367200696351fb5f9cd0ec4c206c3a33f281cb8b62386457a30a899322798c63a0d495577393e47258994feb7f8e2445645f552c2b7a2de6778

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\pt_PT\history.js

Filesize
198KB

MD5
b4b4c703bf5c6c0b5e9c57f05012d234

SHA1
929aee49e800e88b4b01f4a449fa86715d882e42

SHA256
910eada285d4900ea8e36faf305f731cfb200b317ea866839f5f4864a9dfc09b

SHA512
2afa881ee2f47e97249904b506cf88d68a34c166d9dc0a603f68369e640336f2c0b424ecb7b23d4631a96e175b965478bfa4ebc0224b0410551e55ac4c8ad0ec

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\cfgs\setup.cfg

Filesize
434B

MD5
e6c8b146640faf4ce794d6acef69ae92

SHA1
7545235bc328a49b1304b8c6ee5663d43a53cf0f

SHA256
cc8027d21cf0750014fdcd5660349999c6a17db4d0449ba81ced2c04269ef6ba

SHA512
f13246c250235672fb76f1f41484e81865ede4de8f1a8d8476506b865d5a647a252f9a8fb7bd4c5561710f2f3a98291cbd22aee49c0025c77677774b32068853

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kbase.dll

Filesize
177KB

MD5
d84cb177f4720bed63a55f8072e368eb

SHA1
82c2caad9184fb2adbfb6a278d082cc1eb7852f8

SHA256
9995f580f41f86b12b63d4ab6075568f18de9f2a685fa7368d28d348648f578a

SHA512
f385e1182ff0beee3d9051e3cdb4633279cadfd67cfc00ca47a056dc222c9ceeaab34d0b644abcae0b19d4bed81c45cfcd2c81a311b73ef21cd84021602faaf2

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kdownload.dll

Filesize
434KB

MD5
abf5ef5de210be0fd2c2a55ee365919b

SHA1
6a9104f07a773bed0de1dc3c6774683acc293a87

SHA256
064c79fb4d88701c466bb6fd61e1bcfc094b632e641c6e813bf07f699c39f292

SHA512
4fa3004296878d0c12203306ab87f7600449bf2326d80bcde041d4b69ffd37d5d97e12214994501f5cb87eeb288d7936004e044c5200c2fc49db855e66448f5a

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kprometheus.dll

Filesize
7.1MB

MD5
86110ee28cdb72aed1ec60ade94aeb56

SHA1
61457137d8748d477e2e7052c61d8c5b97dd2b70

SHA256
9fdf3777efab5262b762097b7178542b506546ad6509006fea8cb90193f09b75

SHA512
04700e2e0c6360f3c0ad33ff8e21b9843059d97d7a4ea2c7697fc2baaa613675278308d3687c6b729acffb7d8f7c14e5353f8ec81e7f1fcc5e2f87802b923917

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\krt.dll

Filesize
1.1MB

MD5
fd7ef27a8780754d160ee2f70780e62f

SHA1
41c463d3a38704a2e3b83d01e73f225f14c1e219

SHA256
bafb2c6e3b0dc17f9b487ec50904300e2d0b3db865471f0d9b0e2192ee8bd0cd

SHA512
2801e94578571d89f1191eaf4a53324134fff14ffa3835353a184a13eada6467884d7d5e2055628c167b52db3d4dd66b07e90d976607c45acbc916dd67a74851

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kshell.dll

Filesize
23.1MB

MD5
8603a85045dee666f1d6005d9a2971e5

SHA1
1b4ed0a58d4fd64a6053ad5182bbae332eadde9d

SHA256
ca738344b0b9655203e3135c57edd7505d293833def2ca888ac0726993d1d25a

SHA512
4d10a004e67b24a6ff5293e582b1870014105b06e0e6bf6b26b90676e9e8007213c409dddb3fa913e214e57429d7a101a20ecdbf957bdd971ede7a90058eb34c

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kso.dll

Filesize
24.7MB

MD5
a5ecce5a776b0bae9c2cea3a0e42bf91

SHA1
9b0fcacd05b782d2d80dacde5b81c99ad3570935

SHA256
1374472aeda7d1fd5cf6f48b1537e8718b7c965e7a57f540b5bce5153717450d

SHA512
e5da33f771a063e8b8c30e5df54b2410b045b353c9a781b248346460cf4e9baf977b564d3f4ca4729e9ee67e6322b62ba5f85a9d334be567bfe2a67dd55fc8c2

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksolite.dll

Filesize
9.9MB

MD5
9792e7046e96eef015b554282242434a

SHA1
87205b343319d7e65a532bc3f696c5719b3d7161

SHA256
5e591faf4e4b59126e975472a63452b7c680b7c0cfff3467165140781b3eae39

SHA512
18bbb08d0e2fdc2d7c0c79d454cf97c6d1fc74ac31906b4dc46cec497d8a130a48810feb87148e61147c72be6a6c9bff919b8907ffc2cb4db53011f7f4b14d45

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

Filesize
3.1MB

MD5
7680119f3de2925404ae2615898ac605

SHA1
0b3f27db9fda31d2b525df17e139eff72b4a4c33

SHA256
fa3220a10fe02de228a7b3ab809a0d6ab80f49d523d4b1d1cd1ac9edd11dc727

SHA512
06714dc58b3ad702871a026c1855b93c7c887c31f6794eb579574321a7fc6779265bab37234abe7d1ae9d3b4ad4934915ba4fc091e1af646f5af2542de48b2cc

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksouil.dll

Filesize
1.8MB

MD5
aaa222915e0c9c32406b8b963019f97b

SHA1
3e45dc1d0b2d1ad602644bf349b3463b0c0f8f70

SHA256
32067809feb6de0de2c7885655595b9b4a830dfa0799f65e07d34355e30d8942

SHA512
656e4f30727cfe790a0e8f1067a394a8d6c00d0f9911072dbfd22529fc433a45d7bb73cb76f744af22ca34c462a35ae4f2e5c2e8b36d349eaca85d311be42d0e

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\libcurl.dll

Filesize
513KB

MD5
ee36a69232c862b84bbab1b5b60817a6

SHA1
760e9635292bf68f5a2fd692395c9fb2f8372ad4

SHA256
94101330974312d8f11c747abf423c44fb722434d29d2b3afe324f80a7ec6601

SHA512
205858c1e7afe64156b17cb7c6bb261f29cc65cbe43546f41dfd9679d8113462314746324631d0ef36057170b7bb6ab32160509bdded62d42af851a57a966d8c

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\mui\ja_JP\resource\splash\hdpi\2x\ent_background_2019_wpsoffice.png

Filesize
236KB

MD5
c5ad1903526a9ca4c2f55cfea1e22778

SHA1
9c7b9ba9100a919cad272fb85ff95c4cde45de9f

SHA256
5e7ba996d2331f37b9799767c0fa806cab9a39fea434796ab08dcaf39096e334

SHA512
e482142e81fbe71666b40f7a2c53702b4278436a0240e0f56200443cf4235d9942cccc3545cc01486d53a0972be553cbf93442e8b05de7b4fcd1fe8a4ec16bb4

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\qt\plugins\platforms\qdirect2d.dll

Filesize
1.4MB

MD5
bd5884a7c9cc473a229b953154a52c52

SHA1
28bfe5cc3a0e162a1b3a4bd19896c2ccfe2846da

SHA256
d3a8df4594ccdf7d7c27cb06b7a04bc929675cf184193d9ef8a50cddf07978bb

SHA512
5c47db9249d6568d37f82410a7009a8a92c2f5b1509d7545b4d3ebb21d9d9718a3eb392c4a1ecbf4a4e0e594e0c593df2ac0589288d846c0a7e485b85902a0df

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpscloudsvr.exe

Filesize
904KB

MD5
93319d7add53c7c8c364012d5b61f3c6

SHA1
b78f3c6e393b029a1596ad4c9671e2ec9c9a4f39

SHA256
9d053f657250bc0705d84644a3d05eb9d008f75a52d360b772140eea5e271c66

SHA512
f2b638483bc29c6a766041c434b79a574f34e1ddcd3cc2b5ac6bf4f970a74af919f531fd1868e0ac28dcc1eeb88646f9ee428d6f916a1beacf174e11e08f2361

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\utility\install.ini

Filesize
499B

MD5
183330feb3b9701fec096dcbfd8e67e4

SHA1
2f43379fefa868319a2baae7998cc62dc2fc201d

SHA256
ac4f26a184114522200169c5f57a0af4498a20d19b7ec6def14dd2c6413eb475

SHA512
643cc197456f15da6ddd6eb904f2b25ad4236a24310d575958c0c8e457a33167e748d21184162502a295fa466c031a837511d4d5348fd67499ede1b60065c471

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\utility\install.ini

Filesize
558B

MD5
6baf4b256faf310dc9c3d4aeab8081f8

SHA1
06c1e6b0149e18c0c2b3c5ebbd8e425a6f3b9655

SHA256
c37555d67ea1906a283b2c269c327846e35afe221a58927f4abfae38e2ab9301

SHA512
eb45906b93ef894d389b8e09a60ad95156d4ba6d5f4c84024171882dc74707b1145bd35d178bf87db664e21fdcfe4b8213336e2051c8b64bfc0d8382be3b4edd

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\utility\install.ini

Filesize
675B

MD5
848b70a0511ef33634fc4e7fb9461ddd

SHA1
98efe18cbaa4bc0d9e1ff5288940e71d7ae552fe

SHA256
b1821b7247fac01da188196adddfdcd54d8add7a40de9ba8899caf18494c8069

SHA512
1864cbfff734c1aab82707ccdd5ba40a4699571c2381cdba9dace5d6d699d0ae25023cea36b11aabdbb51ecd840bbc2e50b53a3f1240c50d2f7db0b8a30cd964

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kingsoft\WPS Office.lnk

Filesize
2KB

MD5
aa6f12e47949d0935f511c178eb5d529

SHA1
a5da5b6a0d02ae3aadc57932d6ebaeb76ce32e55

SHA256
28740298935dab82ebfb07559397a358b3f9c0df75c73c6bffee4ac30ce9dd59

SHA512
58b9f8632551f4671de3ba576cceff9d62c58ab9b0e49013ac21f5951b6f4538985b3794b0849a6b8a3e1f2e727de853492113f1b0e1869f0c1893a76881fa58

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57c5c1\CONTROL\office6\Qt5CoreKso.dll

Filesize
5.0MB

MD5
7fc37c5552ada776f404d3679b9b0c4c

SHA1
9fba9ce4f16c935c5b8fbef62102cc7693b05f7c

SHA256
6f681003b8e6c880891e082ee68ae18e3efa8da2ecf1707145f9ae3e3d4100cf

SHA512
d2007abf0cc8c01eda7db4614ea5a05114ebdc39b5afbb0f20c5ab75c1f9a799a52a6e86cf7dc4a5a38132bd88d7692fece16ffcd36a895aa1c81f135fee134e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57c5c1\CONTROL\office6\Qt5GuiKso.dll

Filesize
5.3MB

MD5
be1f6ac2ccea42961c970aec7c496922

SHA1
913e98b3d882bafd5d3ad33f06dccb33297c8668

SHA256
30079d48f5baed9d2bf588bc87a114bbb6fb27ea5ef47c2b5f70f06b85eab463

SHA512
d650a0f95be6314f2bfecdea66e529bce6ed379ddadff658f57fe650d457f1e3dced583cd5ff4d5e15735b0880200b5f1b50388b709d2019ed139e3c985285d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57c5c1\CONTROL\office6\Qt5SvgKso.dll

Filesize
392KB

MD5
70cee47ff4ea3ebf85f954fd9e827592

SHA1
4de5401139f3ac3fc6e633a5dc98c3c8ccfc8cc0

SHA256
dcce40b45fde63f7333d2bcce1a763f1e482652912e38e18207313d39ea3a422

SHA512
7c1bfe80f9ee1959c9f727e7ce0bcf29b0e65f490f7024cdd46f1a10d5d15be70d452857050c18993f881e066c9b34d0b0fda716ee89be0a36ebb98f37c70a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57c5c1\CONTROL\office6\Qt5WidgetsKso.dll

Filesize
4.5MB

MD5
a7d93abf2841afe86a08230fb2fc14db

SHA1
5b8874f7922f42dae7a9214370aef691e51d837a

SHA256
98fd11afcad50d9ecf17f02b00947c73a88a3a8929c33bc7ee04f5a0da9dba2b

SHA512
508c1725a3040353fa910743bb7d7f60b2f89171aa15bd0e0b7929db324a4256e9c7f001ac35d972ec77dcc642da8a36740c1cfbd7e4a4b421e0452024585af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57c5c1\CONTROL\office6\Qt5WinExtrasKso.dll

Filesize
217KB

MD5
0e15f2a1c22a7d0147ab6df139797a62

SHA1
0f8207e8a1c1ff692a70c1668b2bafd566ba1718

SHA256
6740b78526c22f1e8ea26c90d5a93436f8f2081f5f6da1c7f0e877937635977f

SHA512
981946ea220caf0c237ad2b751aa0fd11a71cb7e1502dd74a3ffac1a6ae72981d8f8910b182a8cadc7404ccbb223b2c71a9bcdf00c01efe25f7aa8e1361f5d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57c5c1\CONTROL\office6\dbghelp.dll

Filesize
1.2MB

MD5
56d017aef6a7c74cd136f2390b8ea6d3

SHA1
46cc837c64abe4e757e66a24ece56e3f975e9ef6

SHA256
900da3e0ea1b4f94773689b41d3f00b28b0fad0f6390da3aec3a9f84a3f85920

SHA512
7b5573461693c6125df7ff9040afb6f4fa818a68add9073071a3317767216dd9a6cf25704f3189f3923ead36751fa830e9899eb79f9b6cad3be405262bf53f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57c5c1\CONTROL\office6\kpacketui.dll

Filesize
2.9MB

MD5
fb20ae8ae8b82e53f8f234c1d0c186b7

SHA1
c03b74f6544715b0f25d23ece700eb663b2f86fc

SHA256
057dcefa9e5a21402308bf438eb081491699a468326e3c7890ca6c033e510503

SHA512
09a519e5be8fc15ce5c31e7341d254cb1164e42851c45a8c5ca17552aa78a242d9c52009e75953762858baa8999e5aeeda3388efbcd4d778bc67e2a268ae1429

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57c5c1\CONTROL\office6\msvcp140.dll

Filesize
427KB

MD5
db1e9807b717b91ac6df6262141bd99f

SHA1
f55b0a6b2142c210bbfeebf1bac78134acc383b2

SHA256
5a6dfa5e1ffb6c1e7fc76bd121c6c91305e10dd75fc2124f79fee291a9dd9e86

SHA512
f0621977d20989d21ae14b66c1a7a6c752bfd6d7ccc2c4c4ec1c70ba6756e642fb7f9b1c6a94afadd0f8a05d3c377792e4aa4c1a771d833c40a6f46b90cbe7c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57c5c1\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll

Filesize
61KB

MD5
9d355f89a89d7837a03716b1d45dc5cc

SHA1
6affa5368018a5ad1ab4a68c512ed8db527dd3b4

SHA256
167c8e0ac2c160c1eaf140e985efa3a8f809e49049e03ba3b50809d6139ca492

SHA512
76009be1aca4aaf21ef0978d4cc3694a9ad50f1d4fabdcfb5313391aae3a5fc4ad4994f58ec77e54a879dd64c773417186f3f038f8cb7905a3607495c067a678

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57c5c1\CONTROL\office6\qt\plugins\imageformats\qsvg.dll

Filesize
41KB

MD5
10adbd3c3de885e0383a97626a71af34

SHA1
392329c20383249c3632dba0e42fc017a62bc081

SHA256
c95bd95f1505e53eef32cf4581d20bc3c48621b1ccf876ee4bf7297f6581e58a

SHA512
e10cca89f19021a7d3b91090d3878b89b550e6587f9c255f67cfe19b171f438a23473cfaf20b4026c060b420fb7d812dcf4783864a124ce55c9b8d9676ad926b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57c5c1\CONTROL\office6\qt\plugins\platforms\qwindows.dll

Filesize
1.3MB

MD5
bc21f4d77a75822b27c3d1a598e8e29e

SHA1
4ca0afce4ee376041058e3791c10c2309ca7eddc

SHA256
69af5d323506398ce6b7c1d7a776e7bc19aff52c3745865d4e8041f23deea668

SHA512
0de597f55ff5ec22b4783e3d607c4d5b3a9f8cb1ebaa2fbb24da37da31d5d99404e92b34af13487bcf802729960ff3dbbf26e409a2c27b8d31324e43ac51317a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57c5c1\CONTROL\office6\qt\plugins\printsupport\windowsprintersupport.dll

Filesize
71KB

MD5
bf10e0c48251234d831ffcd8cca82344

SHA1
955d9cfa4e8dccff444a1f1ef505ccd41a75cd22

SHA256
1a96c89fd3eb51bfc46d36b3ab4f46f070c30e9aa5f2a16a5d3c2984ea71d617

SHA512
15d76a106a1630ac193a9429c7da666bf29816500fab0b029405bf414810d1a3def3f55cb3f09a3aefeeb9be299045958d1c219e4d60eb2b1f3d53911d6464b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57c5c1\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll

Filesize
145KB

MD5
a8492f295b92be062e26542af4d516b7

SHA1
2fef9e287ab6eaad60c5711f5e294cf83844399d

SHA256
4c50353d5b4595c8702a069e4ffd9325c9c24999e95e4e68f09fe71fff0f6597

SHA512
5667d0c94e9725a5254b32fa5235795127e78da6879e24c7024783a84259579213c1d2629230eaf43eda5adeb760982675167218508db24613dbd28776e4bf9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57c5c1\CONTROL\office6\ucrtbase.dll

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57c5c1\CONTROL\office6\vcruntime140.dll

Filesize
75KB

MD5
8fdb26199d64ae926509f5606460f573

SHA1
7d7d8849e7c77af3042a6f54bdf2bb303d7cd678

SHA256
f1fd5f6ec1cfe0cc3b66b5322ac97568bc63b19c1e415b99aad7c69ddbafa33c

SHA512
f56bf11d4259dbf5d4d1f9fc2ad60ff609cddb21278999e9fa55fe5d74552e8a01ddc55cfdc9bf4b09b3e3130a1356142a24a7db8ec5ea19344de617dc9fa99f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57c5c1\CONTROL\pl_PL\style.xml

Filesize
3KB

MD5
034f37e6536c1430d55f64168b7e9f05

SHA1
dd08c0ef0d086dfbe59797990a74dab14fc850e2

SHA256
183a140011774d955e9de189e7a1d53cb4128d6abed61c7bfd5994268ee5f384

SHA512
0e1911c882152a4e1059a3ce1880d7fb2aed1e1e36cbd37055de2e2a1333acb2a0233ba2a4d969ccebbef1e77809aa5e78807aa9239545beae8c548c0f8f35c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57c5c1\CONTROL\product.dat

Filesize
121KB

MD5
2e743f3067fa75ff3bcad5baafafc8ea

SHA1
57ab56038ca28fcf2ce3e519a1e8f858c8bcaaff

SHA256
3927a21159fcd0049a376d60ed74449f3690d2ff95f432a3ba4b5738a478818f

SHA512
39fd24d86055788ad287e0b0a39625e6b10c85619e385cc521a7a6e4cdbe3a09becd19eecf8c491c9eff1fee3b6c70ff21e4a3f8142a01da8d8f7324840948f6

Download Submit
C:\Users\Admin\AppData\Local\tempinstall.ini

Filesize
387B

MD5
c38481658f9149eba0b9b8fcbcb16708

SHA1
f16a40af74c0a04a331f7833251e3958d033d4da

SHA256
d0d73f49bc21b62fe05c47024d69406a3227da0f6b4ffe237726e6a031f188d2

SHA512
8f98d62f88442b8ef94aa10074e35aa8d9494f3c76ce8b143ca0bf7fa0d917f3175212fbcd6e7b0597fd0ec0e1b2827f157135512fb01c88218d36e2f7dd73ce

Download Submit
C:\Users\Admin\AppData\Local\tempinstall.ini

Filesize
433B

MD5
a9519168ca6299588edf9bd39c10828a

SHA1
9f0635e39d50d15af39f5e2c52ad240a428b5636

SHA256
9e87b2ff306efedf7bf1074749b4602c332bc825aed80721eba19d5f544d2ec3

SHA512
0607eb1f5598320961fbd8ef75beeb1b6dc1af3cae7eeb5ba352f3e2a2edb25e1d9e68fb46c24e4299957352c0c906314c889c2d1092437eccc1d1a0485f3557

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W7N4UE5AMD95A1QEC2ZE.temp

Filesize
8KB

MD5
8bf1af2e9e610af27fe4d0907d68824b

SHA1
ac10ee053d3e81164049c87729d3861771559d41

SHA256
88ef707c06547956e3180592d154a0d3e2fdc25b701872946974f2e5ea4739b1

SHA512
780a86adaea864682d191b80e97bd4cabcddc471c762fcaf8d6b15dd5a79e08b8fdad771e3698eb3fb27da6295bb765832fafb3765a7e47dfa4855e406b92d33

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\cfg\onlineconfig.data

Filesize
99KB

MD5
1b40250ccb89ca568feed0cce5c6e8a3

SHA1
dd5a97bc9681e012e1ed7979f3ecea43ca18f74e

SHA256
e84499e80398709501b955aac237abc3a2cc677bf0d594cdfe41d0dbc1480cd6

SHA512
1534e47c14ba53df760d30b9d8dfd67d0cec7988518d40455a2305718c1ed12c45014ba810e916ff478f3654f628a0edf3427ed9ae7296a4ad4e915812786453

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\configs\configure2

Filesize
208B

MD5
2e415937959417cc92cf54088fbd29cd

SHA1
310f7e475f1479cdb848aef837f72d72afea5dcc

SHA256
f3341ceaa780a351ab47c9087ded1e97e2b1e7f702de6678f2f59597b2ea70be

SHA512
429ec6dd9933950b4f9637965e1cd75e834b6b24c26fc6efe2af1778395f469137351c19c44b49f82899f5fe7b5b92ae76219718d3240b59b0ab06591f9ca375

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\ksomisc\ksomisc_2024_11_01.log

Filesize
5KB

MD5
3bb4974118c9e8a959630149ac450751

SHA1
b3d9069138f3e9c040ca75c4c400f8a14a486120

SHA256
44e0dd66974be1881a73784b0889e2ac39e9192ccc20d0f2e65daf88d5eefe47

SHA512
e177c6aa65d64f12123c26edb3bf52fa5e0f9acb959627e50be2536183d6e681c58583e57a414b6e7ee21afec1a9de8291c89535faf008425f1faf197511ff48

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
11KB

MD5
dd99c7439cc7a3f1c80dcd753320e555

SHA1
2c25c4c2b3f02928d8488324d3b5834cc8e9ce03

SHA256
6b70cc376ae8286d41a28ce8ef682316eb4e4fcdd9c5cfbd9ff06820a5d099c5

SHA512
9db11dfc4236ffcd3b1611d1409a2b924cd0fe29d0ea3389b0a0240a107fdf9261b5ff2ca8c419636e0bfcd720ca1429a33fabce551eaa05b230677700579e96

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
12KB

MD5
c314a39dd38c0e300e6a67dcef58282a

SHA1
6e7a3a991562e6a3f6f075b8aee0deb621dc2230

SHA256
653b25b3b5459669beec1a35fcb78fac436c5b03058f096a23f9bad3e212be7a

SHA512
19a23e3c1cf5ed29620eb36bf99778e4059ae16fb0fcb9eeae8abe7a8f842be9be08130a8147410a6706910d501d600118dab55823271c15beecc540fb6974e7

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
31KB

MD5
c1e11f5f45105b542b8888b17274fa04

SHA1
643b12cbfb9bc186e8f1ab25b79843f382959493

SHA256
20d8d31454b9ec9f8a902ef692f92454e69df6a9c6197f8ec09d694eeee058c4

SHA512
e51e43b3d9f91dee102f75f5e689ee77b437383b5f447fb2b6519981dd09b62498f6dd4dffd1cb73ccec0bc86289b8b1a0c035a021a2584668f48774b06e28b8

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
49KB

MD5
101548944fa03c975a6f508b3f416f53

SHA1
1ae554ff0cc4725875ad073ddca1ce58b9d32cef

SHA256
0846d90e2d34ea7e5e46e7b9612b5f8cc7064e3b844ff5a0087ba45b9e912125

SHA512
e3cb35e44f264506e27c0fd2fd39e0a4aa01c86fb1a17d31c94563e662fd2922c79062dd98e5ceb15873046f2c24f310cd17439d35887d31d3c6ca47dac22779

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
49KB

MD5
6ae9bb6969457a19479899e2107b2756

SHA1
e907165eab53ebaadd2bdba8db515d3e90b408ec

SHA256
f327981616e98f550d3c23cd8e41446fcd21c628593d0082debdc0b5c7400330

SHA512
66647a54e58f62e73d88b53fe10637b24d495a7aea14af8390ad15fd32a8c8296d81b2afe34d2aed4c2df2874ade70446fee8f03190c8975fc9866bcf5fccff0

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
59KB

MD5
58f5c7b961d37e0e29e64698edcf769e

SHA1
58778b5d22bd7bc641f9a7ae8a423f89f7ea7ddc

SHA256
e9c0fbcff9b9396975a04ee9e4536aa515bca1e2419ae310882a596c6c1e57ba

SHA512
984afa55c0cd4b8ae489e95a7e6efc399eda7304e83eadcf304e68f0d82c7a57bc94da44e3283f74341fe2fd8f8750483f815e8cdde8c4db03681789cf989959

Download Submit
memory/2128-4397-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2128-4402-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2128-4398-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2128-4400-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2128-4405-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2128-4404-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2128-4419-0x0000000001480000-0x0000000001497000-memory.dmp

Filesize
92KB

Download
memory/2128-4395-0x000000006B4B0000-0x000000006BBD3000-memory.dmp

Filesize
7.1MB

Download
memory/2128-4396-0x000000006B0D0000-0x000000006B0E0000-memory.dmp

Filesize
64KB

Download
memory/2128-4394-0x000000006EE10000-0x000000007053D000-memory.dmp

Filesize
23.2MB

Download
memory/2128-4382-0x000000006DEC0000-0x000000006E8A7000-memory.dmp

Filesize
9.9MB

Download
memory/2128-4403-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2128-4406-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2128-4399-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2128-4401-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2432-4541-0x0000000001CA0000-0x0000000001CB7000-memory.dmp

Filesize
92KB

Download
memory/2432-4514-0x000000006B4B0000-0x000000006BBD3000-memory.dmp

Filesize
7.1MB

Download
memory/2432-4517-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2432-4518-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2432-4519-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2432-4513-0x000000006D9B0000-0x000000006E397000-memory.dmp

Filesize
9.9MB

Download
memory/2432-4520-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2432-4521-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2432-4522-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2432-4512-0x000000006E3A0000-0x000000006FACD000-memory.dmp

Filesize
23.2MB

Download
memory/2432-4523-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2432-4524-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2432-4525-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2432-4516-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2748-4547-0x000000006B5D0000-0x000000006BCF3000-memory.dmp

Filesize
7.1MB

Download
memory/2748-4545-0x000000006D9B0000-0x000000006E397000-memory.dmp

Filesize
9.9MB

Download
memory/2748-4549-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2832-4463-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2832-4457-0x000000006B4B0000-0x000000006BBD3000-memory.dmp

Filesize
7.1MB

Download
memory/2832-4456-0x000000006E3A0000-0x000000006FACD000-memory.dmp

Filesize
23.2MB

Download
memory/2832-4458-0x000000006D9B0000-0x000000006E397000-memory.dmp

Filesize
9.9MB

Download
memory/2832-4461-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2832-4462-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2832-4464-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2832-4465-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2832-4466-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2832-4467-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2832-4468-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2832-4469-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2832-4470-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/2832-4531-0x0000000003AD0000-0x0000000003AE7000-memory.dmp

Filesize
92KB

Download
memory/4088-4426-0x000000006E3A0000-0x000000006FACD000-memory.dmp

Filesize
23.2MB

Download
memory/4088-4424-0x000000006D9B0000-0x000000006E397000-memory.dmp

Filesize
9.9MB

Download
memory/4088-4428-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/4088-4429-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/4088-4475-0x0000000002CA0000-0x0000000002CB7000-memory.dmp

Filesize
92KB

Download
memory/4088-4430-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/4088-4431-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/4088-4432-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/4088-4433-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/4088-4434-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/4088-4435-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/4088-4436-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/4088-4437-0x000000006B0C0000-0x000000006B0D0000-memory.dmp

Filesize
64KB

Download
memory/4088-4425-0x000000006B4B0000-0x000000006BBD3000-memory.dmp

Filesize
7.1MB

Download