floxif | 183b7497f887be8ec7f11ff64b50947b863c9808d046ede0b96646c6e660085b

Analysis

max time kernel
143s
max time network
140s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
Size

5.4MB
MD5

bb17eb1049975bae79f611fd25495ea7
SHA1

8dd8e68f87e54ea44319a4e58c7fc88f7bf67f9f
SHA256

183b7497f887be8ec7f11ff64b50947b863c9808d046ede0b96646c6e660085b
SHA512

4b76d8be5666f2629d959f0d5dbcd74b42de7cb2988f60a6573c850e48870886fd93423cfda12eecd88cc3f37de81feed9f3b0ea6ce1d8cd8d391e3105821620
SSDEEP

98304:jGaXxhOCk1LUAAYeyhDhEJ2GYGo9w+08Y9f/LciRZ:jtQCk1oAAYJc2RN9zMP

Score

10^/10

floxif backdoor bootkit discovery evasion persistence privilege_escalation trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x000b0000000122cf-1.dat	floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b0000000122cf-1.dat	acprotect

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 41 IoCs

pid	Process
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
2980	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
596	ksomisc.exe
1828	ksomisc.exe
1724	ksomisc.exe
2436	wpscloudsvr.exe
2320	ksomisc.exe
2512	ksomisc.exe
868	ksomisc.exe
2548	ksomisc.exe
1904	ksomisc.exe
1880	ksomisc.exe
2596	ksomisc.exe
2052	ksomisc.exe
1568	ksomisc.exe
1320	ksomisc.exe
2440	ksomisc.exe
1088	ksomisc.exe
1308	ksomisc.exe
1732	wps.exe
1720	wps.exe
1468	wps.exe
1624	ksomisc.exe
988	ksomisc.exe
1676	ksomisc.exe
2568	ksomisc.exe
2724	ksomisc.exe
756	ksomisc.exe
1372	ksomisc.exe
2828	ksomisc.exe
3016	wpsupdate.exe
2960	wpscloudsvr.exe
2532	wpsupdate.exe
372	wpscloudsvr.exe
2940	ksomisc.exe
2484	ksomisc.exe
2888	ksomisc.exe
996	ksomisc.exe
1984	ksomisc.exe
1584	ksomisc.exe
2432	ksomisc.exe

Loads dropped DLL 64 IoCs

pid	Process
2848	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
2848	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
2848	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
2980	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext\ = "{28A80003-18FD-411D-B0A3-3C81F618E22B}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\lnkfile\ShellEx	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wpscloudsvr.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
File opened for modification	\??\PhysicalDrive0	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
File opened for modification	\??\PhysicalDrive0	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
File opened for modification	\??\PhysicalDrive0	ksomisc.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b0000000122cf-1.dat	upx
behavioral1/memory/2848-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2848-12-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2848-22-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2848-27-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2848-31-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2848-2903-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2848-4098-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/596-4431-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/596-4455-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1828-4463-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1724-4486-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1828-4514-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2436-4536-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1724-4539-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2436-4541-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2320-4551-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2320-4576-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2512-4584-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1220-4601-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1220-4603-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1956-4605-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2512-4613-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/868-4623-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/868-4646-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2548-4654-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2548-4683-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1904-4692-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1904-4717-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1880-4745-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2596-4754-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2596-4779-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2052-4789-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2052-4816-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1568-4826-0x00000000005B0000-0x00000000005E0000-memory.dmp	upx
behavioral1/memory/1568-4825-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1568-4848-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1320-4858-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1320-4880-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2440-4893-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2440-4913-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1088-4922-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1088-4941-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1308-4953-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1732-4971-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1720-4992-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1468-5005-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1732-5011-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1308-5016-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1624-5061-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/988-5067-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/988-5107-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1676-5117-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1676-5157-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2568-5202-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2724-5225-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2724-5257-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1376-5261-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1376-5263-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/756-5270-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/756-5294-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1372-5307-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1372-5332-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2828-5347-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
File created	C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
File opened for modification	C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe	wpsupdate.exe
File created	C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe.tmp	wpsupdate.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpscloudsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wps.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024"	ksomisc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{AB5357A7-3179-47F9-A705-966B8B936D5E}"	ksomisc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}	ksomisc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024"	ksomisc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{E436987E-F427-4AD7-8738-6D0895A3E93F}"	ksomisc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}	ksomisc.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-20	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\Interface\{000C0310-0000-0000-C000-000000000046}\TypeLib\Version = "63.1"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Interface\{000C031E-0000-0000-C000-000000000046}\TypeLib\Version = "63.1"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\CLSID\{44720441-94BF-4940-926D-4F38FECF2A48}\ProgID	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\Interface\{0002448E-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Interface\{00020997-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\CLSID\{00020821-0000-0000-C000-000000000046}\MiscStatus	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\Interface\{000C031A-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\Interface\{000C03C8-0000-0000-C000-000000000046}\ = "SmartArtNode"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\Interface\{98DFBD12-96CB-4F07-90EA-749FF1D6B89D}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Interface\{C04865A3-9F8A-486C-BB58-B4C3E6563136}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Interface\{D435BCDA-C17D-472F-B4A0-47AD8F732509}\TypeLib\ = "{D626EB73-B7C0-45EF-922D-0CDDAEDE12FA}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Interface\{000244CC-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\Interface\{000CDB01-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Interface\{000CDB09-0000-0000-C000-000000000046}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Interface\{00020915-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Interface\{92D41A6E-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{44720440-94BF-4940-926D-4F38FECF2A48}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\Interface\{00020883-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\WPS.Docx.6\shell\open\ = "&Open"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.orf	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\Interface\{B9F1A4E2-0D0A-43B7-8495-139E7ACBD840}\ = "TaskPane"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\Interface\{00024472-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\Interface\{0002442F-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Interface\{00020885-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\TypeLib\{0002E157-0000-0000-C000-000000000046}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\Interface\{EEE00921-E393-11D1-BB03-00C04FB6C4A6}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\WPS.PIC.mrw\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.19307\\office6\\addons\\photo\\photo.dll,12"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\Interface\{000C0368-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Interface\{55F88890-7708-11D1-ACEB-006008961DA5}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Interface\{00020971-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Interface\{6E47678B-A879-4E56-8698-3B7CF169FAD4}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Interface\{0002091C-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\Interface\{00020884-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Interface\{0002449F-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\Interface\{396F9073-F9FD-11D3-8EA0-0050049A1A01}\TypeLib\Version = "3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\Interface\{8BF3A922-7E10-4241-9FD3-654FEDECC52A}\TypeLib	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Interface\{0002449A-0000-0000-C000-000000000046}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\Interface\{0002441D-0000-0000-C000-000000000046}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\Interface\{000244D9-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Interface\{000C0359-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\Interface\{000C0339-0000-0000-C000-000000000046}\ = "COMAddIns"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Interface\{00020962-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Interface\{92D41A56-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Interface\{000244E6-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2C38D886-D07A-4F46-9819-8E22EBCF57E9}\ = "IHtml2PdfSettings"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\Interface\{000C172B-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Interface\{7A1BCE11-5783-4C7D-BD02-F3D84AB40E7F}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Interface\{9149348E-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\Interface\{000209C4-0000-0000-C000-000000000046}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\Interface\{000244C2-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Interface\{000208C7-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\Interface\{0002E16A-0000-0000-C000-000000000046}\TypeLib\Version = "5.3"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\Interface\{000C03D2-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Interface\{00020985-0000-0000-C000-000000000046}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\Interface\{000209B8-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Interface\{0002097F-0000-0000-C000-000000000046}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Interface\{914934DE-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\Interface\{000208B0-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\DefaultIcon	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\Interface\{000209DC-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Interface\{9149348A-5A91-11CF-8700-00AA0060263B}\ = "ObjectVerbs"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Interface\{00024405-0000-0000-C000-000000000046}\ = "VPageBreaks"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\Interface\{00020881-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\Interface\{00020992-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe

Modifies system certificate store 2 TTPs 16 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates	ksomisc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	wpsupdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	wpsupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\SystemCertificates\TrustedDevices	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	wpsupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\SystemCertificates\TrustedDevices	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\SystemCertificates\TrustedDevices	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	wpsupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs	ksomisc.exe

Suspicious behavior: AddClipboardFormatListener 34 IoCs

pid	Process
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
596	ksomisc.exe
1828	ksomisc.exe
1724	ksomisc.exe
2320	ksomisc.exe
2512	ksomisc.exe
868	ksomisc.exe
2548	ksomisc.exe
1904	ksomisc.exe
1880	ksomisc.exe
2596	ksomisc.exe
2052	ksomisc.exe
1568	ksomisc.exe
1320	ksomisc.exe
2440	ksomisc.exe
1088	ksomisc.exe
1308	ksomisc.exe
1624	ksomisc.exe
988	ksomisc.exe
1676	ksomisc.exe
2568	ksomisc.exe
2724	ksomisc.exe
756	ksomisc.exe
1372	ksomisc.exe
2828	ksomisc.exe
3016	wpsupdate.exe
2532	wpsupdate.exe
2940	ksomisc.exe
2484	ksomisc.exe
2888	ksomisc.exe
996	ksomisc.exe
1984	ksomisc.exe
1584	ksomisc.exe
2432	ksomisc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2848	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
2848	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
2980	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
2980	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
2980	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
2848	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
596	ksomisc.exe
1828	ksomisc.exe
1828	ksomisc.exe
1828	ksomisc.exe
1828	ksomisc.exe
1724	ksomisc.exe
1724	ksomisc.exe
1724	ksomisc.exe
1724	ksomisc.exe
2436	wpscloudsvr.exe
2320	ksomisc.exe
2320	ksomisc.exe
2320	ksomisc.exe
2320	ksomisc.exe
2512	ksomisc.exe
2512	ksomisc.exe
2512	ksomisc.exe
2512	ksomisc.exe
2512	ksomisc.exe
2512	ksomisc.exe
2512	ksomisc.exe
2512	ksomisc.exe
2512	ksomisc.exe
2512	ksomisc.exe
2512	ksomisc.exe
2512	ksomisc.exe
2512	ksomisc.exe
2512	ksomisc.exe
2512	ksomisc.exe
2512	ksomisc.exe
2512	ksomisc.exe
2512	ksomisc.exe
2512	ksomisc.exe
2512	ksomisc.exe
2512	ksomisc.exe
2512	ksomisc.exe
2512	ksomisc.exe
2512	ksomisc.exe
2512	ksomisc.exe
2512	ksomisc.exe
2512	ksomisc.exe
868	ksomisc.exe
868	ksomisc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
Token: SeDebugPrivilege	1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Token: SeRestorePrivilege	1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Token: SeRestorePrivilege	1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Token: SeRestorePrivilege	1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Token: SeRestorePrivilege	1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Token: SeDebugPrivilege	596	ksomisc.exe
Token: SeDebugPrivilege	596	ksomisc.exe
Token: SeLockMemoryPrivilege	596	ksomisc.exe
Token: SeDebugPrivilege	1828	ksomisc.exe
Token: SeDebugPrivilege	1828	ksomisc.exe
Token: SeLockMemoryPrivilege	1828	ksomisc.exe
Token: SeDebugPrivilege	1724	ksomisc.exe
Token: SeDebugPrivilege	1724	ksomisc.exe
Token: SeLockMemoryPrivilege	1724	ksomisc.exe
Token: SeDebugPrivilege	2436	wpscloudsvr.exe
Token: SeDebugPrivilege	2320	ksomisc.exe
Token: SeDebugPrivilege	2320	ksomisc.exe
Token: SeLockMemoryPrivilege	2320	ksomisc.exe
Token: SeDebugPrivilege	2512	ksomisc.exe
Token: SeDebugPrivilege	2512	ksomisc.exe
Token: SeLockMemoryPrivilege	2512	ksomisc.exe
Token: SeDebugPrivilege	1220	regsvr32.exe
Token: SeDebugPrivilege	1956	regsvr32.exe
Token: SeDebugPrivilege	868	ksomisc.exe
Token: SeDebugPrivilege	868	ksomisc.exe
Token: SeLockMemoryPrivilege	868	ksomisc.exe
Token: SeDebugPrivilege	2548	ksomisc.exe
Token: SeDebugPrivilege	2548	ksomisc.exe
Token: SeLockMemoryPrivilege	2548	ksomisc.exe
Token: SeDebugPrivilege	1904	ksomisc.exe
Token: SeDebugPrivilege	1904	ksomisc.exe
Token: SeLockMemoryPrivilege	1904	ksomisc.exe
Token: SeDebugPrivilege	1880	ksomisc.exe
Token: SeDebugPrivilege	1880	ksomisc.exe
Token: SeLockMemoryPrivilege	1880	ksomisc.exe
Token: SeDebugPrivilege	2596	ksomisc.exe
Token: SeDebugPrivilege	2596	ksomisc.exe
Token: SeLockMemoryPrivilege	2596	ksomisc.exe
Token: SeDebugPrivilege	2052	ksomisc.exe
Token: SeDebugPrivilege	2052	ksomisc.exe
Token: SeLockMemoryPrivilege	2052	ksomisc.exe
Token: SeDebugPrivilege	1568	ksomisc.exe
Token: SeDebugPrivilege	1568	ksomisc.exe
Token: SeLockMemoryPrivilege	1568	ksomisc.exe
Token: SeDebugPrivilege	1320	ksomisc.exe
Token: SeDebugPrivilege	1320	ksomisc.exe
Token: SeLockMemoryPrivilege	1320	ksomisc.exe
Token: SeDebugPrivilege	2440	ksomisc.exe
Token: SeDebugPrivilege	2440	ksomisc.exe
Token: SeLockMemoryPrivilege	2440	ksomisc.exe
Token: SeDebugPrivilege	1088	ksomisc.exe
Token: SeDebugPrivilege	1088	ksomisc.exe
Token: SeLockMemoryPrivilege	1088	ksomisc.exe
Token: SeDebugPrivilege	1308	ksomisc.exe
Token: SeDebugPrivilege	1308	ksomisc.exe
Token: SeLockMemoryPrivilege	1308	ksomisc.exe
Token: SeDebugPrivilege	1732	wps.exe
Token: SeDebugPrivilege	1720	wps.exe
Token: SeDebugPrivilege	1468	wps.exe
Token: SeDebugPrivilege	1624	ksomisc.exe
Token: SeDebugPrivilege	1624	ksomisc.exe
Token: SeLockMemoryPrivilege	1624	ksomisc.exe
Token: SeDebugPrivilege	988	ksomisc.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
2848	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
2848	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
2848	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
2848	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
2848	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
2848	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
2848	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
2848	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
2848	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
596	ksomisc.exe
596	ksomisc.exe
1828	ksomisc.exe
1828	ksomisc.exe
1828	ksomisc.exe
1828	ksomisc.exe
1724	ksomisc.exe
1724	ksomisc.exe
1724	ksomisc.exe
1724	ksomisc.exe
2320	ksomisc.exe
2320	ksomisc.exe
2512	ksomisc.exe
2512	ksomisc.exe
868	ksomisc.exe
868	ksomisc.exe
2548	ksomisc.exe
2548	ksomisc.exe
1904	ksomisc.exe
1904	ksomisc.exe
1880	ksomisc.exe
1880	ksomisc.exe
2596	ksomisc.exe
2596	ksomisc.exe
2052	ksomisc.exe
2052	ksomisc.exe
1568	ksomisc.exe
1568	ksomisc.exe
1320	ksomisc.exe
1320	ksomisc.exe
2440	ksomisc.exe
2440	ksomisc.exe
1088	ksomisc.exe
1088	ksomisc.exe
1308	ksomisc.exe
1308	ksomisc.exe
1624	ksomisc.exe
1624	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
1676	ksomisc.exe
1676	ksomisc.exe
2568	ksomisc.exe
2568	ksomisc.exe
2724	ksomisc.exe
2724	ksomisc.exe
756	ksomisc.exe
756	ksomisc.exe
1372	ksomisc.exe
1372	ksomisc.exe
2828	ksomisc.exe
2828	ksomisc.exe
3016	wpsupdate.exe
3016	wpsupdate.exe
2532	wpsupdate.exe
2532	wpsupdate.exe
2940	ksomisc.exe
2940	ksomisc.exe
2484	ksomisc.exe
2484	ksomisc.exe
2888	ksomisc.exe
2888	ksomisc.exe
996	ksomisc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 1176	2848	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe	33
PID 2848 wrote to memory of 1176	2848	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe	33
PID 2848 wrote to memory of 1176	2848	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe	33
PID 2848 wrote to memory of 1176	2848	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe	33
PID 2848 wrote to memory of 1176	2848	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe	33
PID 2848 wrote to memory of 1176	2848	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe	33
PID 2848 wrote to memory of 1176	2848	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe	33
PID 2980 wrote to memory of 596	2980	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	35
PID 2980 wrote to memory of 596	2980	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	35
PID 2980 wrote to memory of 596	2980	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	35
PID 2980 wrote to memory of 596	2980	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	35
PID 2980 wrote to memory of 1828	2980	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	37
PID 2980 wrote to memory of 1828	2980	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	37
PID 2980 wrote to memory of 1828	2980	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	37
PID 2980 wrote to memory of 1828	2980	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	37
PID 2980 wrote to memory of 1724	2980	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	38
PID 2980 wrote to memory of 1724	2980	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	38
PID 2980 wrote to memory of 1724	2980	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	38
PID 2980 wrote to memory of 1724	2980	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	38
PID 1176 wrote to memory of 2436	1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	39
PID 1176 wrote to memory of 2436	1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	39
PID 1176 wrote to memory of 2436	1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	39
PID 1176 wrote to memory of 2436	1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	39
PID 2980 wrote to memory of 2320	2980	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	40
PID 2980 wrote to memory of 2320	2980	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	40
PID 2980 wrote to memory of 2320	2980	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	40
PID 2980 wrote to memory of 2320	2980	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	40
PID 2980 wrote to memory of 2512	2980	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	41
PID 2980 wrote to memory of 2512	2980	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	41
PID 2980 wrote to memory of 2512	2980	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	41
PID 2980 wrote to memory of 2512	2980	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	41
PID 2512 wrote to memory of 1220	2512	ksomisc.exe	42
PID 2512 wrote to memory of 1220	2512	ksomisc.exe	42
PID 2512 wrote to memory of 1220	2512	ksomisc.exe	42
PID 2512 wrote to memory of 1220	2512	ksomisc.exe	42
PID 2512 wrote to memory of 1220	2512	ksomisc.exe	42
PID 2512 wrote to memory of 1220	2512	ksomisc.exe	42
PID 2512 wrote to memory of 1220	2512	ksomisc.exe	42
PID 2512 wrote to memory of 1956	2512	ksomisc.exe	43
PID 2512 wrote to memory of 1956	2512	ksomisc.exe	43
PID 2512 wrote to memory of 1956	2512	ksomisc.exe	43
PID 2512 wrote to memory of 1956	2512	ksomisc.exe	43
PID 2512 wrote to memory of 1956	2512	ksomisc.exe	43
PID 2512 wrote to memory of 1956	2512	ksomisc.exe	43
PID 2512 wrote to memory of 1956	2512	ksomisc.exe	43
PID 1956 wrote to memory of 1644	1956	regsvr32.exe	44
PID 1956 wrote to memory of 1644	1956	regsvr32.exe	44
PID 1956 wrote to memory of 1644	1956	regsvr32.exe	44
PID 1956 wrote to memory of 1644	1956	regsvr32.exe	44
PID 1956 wrote to memory of 1644	1956	regsvr32.exe	44
PID 1956 wrote to memory of 1644	1956	regsvr32.exe	44
PID 1956 wrote to memory of 1644	1956	regsvr32.exe	44
PID 1176 wrote to memory of 868	1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	45
PID 1176 wrote to memory of 868	1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	45
PID 1176 wrote to memory of 868	1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	45
PID 1176 wrote to memory of 868	1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	45
PID 1176 wrote to memory of 2548	1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	46
PID 1176 wrote to memory of 2548	1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	46
PID 1176 wrote to memory of 2548	1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	46
PID 1176 wrote to memory of 2548	1176	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	46
PID 2980 wrote to memory of 1904	2980	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	48
PID 2980 wrote to memory of 1904	2980	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	48
PID 2980 wrote to memory of 1904	2980	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	48
PID 2980 wrote to memory of 1904	2980	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	48

C:\Users\Admin\AppData\Local\Temp\2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\wps_download\29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
  "C:\Users\Admin\AppData\Local\Temp\wps_download\29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe" -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -createIcons -curlangofinstalledproduct=en_US -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Modifies system certificate store
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
    "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2436
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -regmtfont
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:868
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\\office6\ksomisc.exe" -setappcap
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2548
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\\office6\ksomisc.exe" -assoepub -source=1
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:1372
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\\office6\ksomisc.exe" -registerqingshellext 1
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2828
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\addons\html2pdf\html2pdf.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2224
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -regmso2pdfplugins
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2940
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\kmso2pdfplugins.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2104
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\kmso2pdfplugins64.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2216
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\kmso2pdfplugins64.dll"
        5⤵
        
        PID:1920
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -regPreviewHandler
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2484
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\\office6\ksomisc.exe" -unassopic_setup
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2888
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\\office6\ksomisc.exe" -defragment
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    PID:2432

C:\Users\Admin\AppData\Local\Temp\wps_download\29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
"C:\Users\Admin\AppData\Local\Temp\wps_download\29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe" -downpower -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -createIcons -curlangofinstalledproduct="en_US" -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -msgwndname=wpssetup_message_F77950F -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~f779270\
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -setlng en_US
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:596
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -getonlineparam 00500.00002086 -forceperusermode
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1828
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -getabtest -forceperusermode
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1724
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -setservers
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2320
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -register
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\kmso2pdfplugins.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1220
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\kmso2pdfplugins64.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\kmso2pdfplugins64.dll"
      4⤵
      PID:1644
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -assoword
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1904
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -assoexcel
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1880
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -assopowerpnt
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2596
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -compatiblemso -source=1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2052
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -checkcompatiblemso
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1568
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -saveas_mso
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1320
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -distsrc 00500.00002086
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2440
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -sendinstalldyn 5
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1088
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -externaltask create -forceperusermode
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1308
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\wps.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1732
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\wps.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\wps.exe" CheckService
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1720
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\wps.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.19307/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=1732 /prv
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1468
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -createsubmodulelink startmenu prometheus
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1624
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -createsubmodulelink startmenu pdf
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:988
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -createsubmodulelink desktop pdf
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1676
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -createsubmodulelink desktop prometheus
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2568
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -createCustomDestList
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2724
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\kwpsmenushellext64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1376
- - C:\Windows\system32\regsvr32.exe
    /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\kwpsmenushellext64.dll"
    3⤵
    - Modifies system executable filetype association
    PID:1820
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -setup_assopdf -source=1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:756
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\wpsupdate.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\wpsupdate.exe" /from:setup
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:3016
- - C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
    "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
    3⤵
    - Executes dropped EXE
    PID:2960
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\wpsupdate.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\wpsupdate.exe" -createtask
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2532
- - C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
    "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
    3⤵
    - Executes dropped EXE
    PID:372
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -createexternstartmenu "WPS Office"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:996
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -rebuildicon
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  PID:1984
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -reportAssoInfo -forceperusermode
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe

Filesize
980KB

MD5
68c51ab9a67104779d31cfad00e44983

SHA1
cde18472434c8eecd29301c05d7d840ab88b8ad0

SHA256
2289bed62a980b0b43d51ffc3fffb4775299efd3da246f2d08b0a424f9782ce4

SHA512
10cbe785b9246b0ba2cdacc434ded55fcaade011bb319b4b370a5deb8c73898e38351d56b97d066789c36d55968c3b2967ffff4d30919ae943f9f108b532b7d4

Download Submit
C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\addons\ksearchpanel\mui\pt_BR\ksearchpanel.qm

Filesize
334B

MD5
2b42be10ddde43a0b6c2e461beae293a

SHA1
53888c4798bc04fdfc5a266587b8dc1c4e0103f3

SHA256
984ebeef80f6f50907afb92e5b5ae72df49fce045552c118a77a8887cc98e19b

SHA512
be3ebd02d37de367200696351fb5f9cd0ec4c206c3a33f281cb8b62386457a30a899322798c63a0d495577393e47258994feb7f8e2445645f552c2b7a2de6778

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\addons\kstartpage\mui\default\htmlappstore_xa\run.ini

Filesize
171B

MD5
b30cb271e143eace0f55ea2e562e1e9f

SHA1
9d97dbf24931cfc114384c3f4dbbae21c9e51be5

SHA256
3ab7bb6175885fc6acbf5eed0062b0d00c059cb4c68bd2ef90149b2c8763e658

SHA512
dc593185fa63b458024c3a913c558e5686806154181dea67eec786ada50595c53bab822833ad1e76c9acdf21be3eba50631391b7e575d7f1f6409ceccf966535

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\fr_FR\history.js

Filesize
198KB

MD5
097cc4ae8e8a9ebd05f3a5a2d2695a1a

SHA1
c4d19da1a03e4cd8f33c582f6dc376b32d27ff99

SHA256
5d7f1e834f01b6f1801581cd2e78e5e398186aa454c7264b3201a30d97f2d399

SHA512
b28658945ba733db46702762c1a735673db14f630b14b6a2682f62fa98908ff3739c6c511a1503e51fe83e1b672b8bc76db3be7ec5af355b8e5596193ef4f2ad

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\cfgs\setup.cfg

Filesize
432B

MD5
47ad040fd613b2987769458365b4b24b

SHA1
fd97b3316a2ae44af716359338755db70e6db8eb

SHA256
79b949e67dcad6bfb8b07b764f1e9baeda0bbcba6d0720aa7394df8a5fea364e

SHA512
f2d3b31f16c8d4ef33a0d657117d462bebb9ba90d63c8820df5e2db1a88e33a7451f1a67958d730760b3fcdb10983fde47348aa6363d7844030e7ad8b01c0a96

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\mui\ja_JP\resource\splash\hdpi\2x\ent_background_2019_wpsoffice.png

Filesize
236KB

MD5
c5ad1903526a9ca4c2f55cfea1e22778

SHA1
9c7b9ba9100a919cad272fb85ff95c4cde45de9f

SHA256
5e7ba996d2331f37b9799767c0fa806cab9a39fea434796ab08dcaf39096e334

SHA512
e482142e81fbe71666b40f7a2c53702b4278436a0240e0f56200443cf4235d9942cccc3545cc01486d53a0972be553cbf93442e8b05de7b4fcd1fe8a4ec16bb4

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\qt\plugins\platforms\qdirect2d.dll

Filesize
1.4MB

MD5
dcfa9c99154a2a80411ef8106c8bd835

SHA1
f7cbc5c1769ee974b01f887c4fa33a947bd7fce8

SHA256
f1b719c1d232362badee5f058047616d9d3a4db0c09ea83b6e1e9eacfde79803

SHA512
dabb12dc81afd921884caac0db9376c79803d2db28950af74ee35847e88ee81997a93513b12a6d0580f7512c8f127923edc9eeeff1aa5b5c3f8d4a65e8ddc2d4

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\wpscenter.exe

Filesize
903KB

MD5
4f31e3853ff551bc89b3ba43ee757bb8

SHA1
c9003aadc277c3433c4a7e4d0803c0ee58d882b1

SHA256
24b525284db95cbb25837af4f6d22ae735100abd895eed2a5c33f3e3e7d74893

SHA512
e245892f65af0e76c838746f275225b631c2656f9818304d8969a7936380704a3e527c672a3e08c90d5cf02212fb08f038251749fb1d3be292638847ec855429

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\utility\install.ini

Filesize
499B

MD5
183330feb3b9701fec096dcbfd8e67e4

SHA1
2f43379fefa868319a2baae7998cc62dc2fc201d

SHA256
ac4f26a184114522200169c5f57a0af4498a20d19b7ec6def14dd2c6413eb475

SHA512
643cc197456f15da6ddd6eb904f2b25ad4236a24310d575958c0c8e457a33167e748d21184162502a295fa466c031a837511d4d5348fd67499ede1b60065c471

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\utility\install.ini

Filesize
675B

MD5
0bffe1570b0cafc1e62d966ab866fca3

SHA1
355957804dc06b0d1b9164f07db721ecdd68a557

SHA256
da734b32af7e0ed2ffcb20a9c75d89172acb06d4dfdbfa6b4f6610d86f0d1e63

SHA512
dd4fc20b9c94dc5e5bce82851c6e262880ab1ec53a49b40a4da1a38686bde21df9ca862e4bf68e8284b3f085c16f5c0d7f9fea6911734906320067e5d50b6e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4D19.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4D3B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\pl_PL\style.xml

Filesize
3KB

MD5
034f37e6536c1430d55f64168b7e9f05

SHA1
dd08c0ef0d086dfbe59797990a74dab14fc850e2

SHA256
183a140011774d955e9de189e7a1d53cb4128d6abed61c7bfd5994268ee5f384

SHA512
0e1911c882152a4e1059a3ce1880d7fb2aed1e1e36cbd37055de2e2a1333acb2a0233ba2a4d969ccebbef1e77809aa5e78807aa9239545beae8c548c0f8f35c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\product.dat

Filesize
128KB

MD5
354aa892785e306f30856e0b2e7d4546

SHA1
33457f5aa9326e153e7748a58c836cc1ee94973d

SHA256
71da50e92aa3097b516ea7c42718c83fff187b63faa4945ddf62bbcf13dc2897

SHA512
029f3bdfec5027d25dd2f8191795efdd3c761e3c2bffcc235cc38a83fc59e9179f2044691cb6905e6a3ae5c3422430781f2fb49332304851e97455d61b893cef

Download Submit
C:\Users\Admin\AppData\Local\tempinstall.ini

Filesize
321B

MD5
bb787017b762751487361dca72eb1849

SHA1
efa1b2f3b08c1552f1512286b5449c1bda6e8a17

SHA256
530d5253f279e4f8e2375866910861e3d7598db212075c798fee6a2b86396c2d

SHA512
23463d0b9080ff5851447cf55bb2f5eb438100aba5000b4f6df3762e0391ec9450f06f2e393d811cc8bd06b35f56b6fdd3f122a8f405d30c7d87ad2e4d8344a3

Download Submit
C:\Users\Admin\AppData\Local\tempinstall.ini

Filesize
433B

MD5
a9519168ca6299588edf9bd39c10828a

SHA1
9f0635e39d50d15af39f5e2c52ad240a428b5636

SHA256
9e87b2ff306efedf7bf1074749b4602c332bc825aed80721eba19d5f544d2ec3

SHA512
0607eb1f5598320961fbd8ef75beeb1b6dc1af3cae7eeb5ba352f3e2a2edb25e1d9e68fb46c24e4299957352c0c906314c889c2d1092437eccc1d1a0485f3557

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6AP3NJM6E1KF94FKCW29.temp

Filesize
8KB

MD5
70ec95a6daff6f8b5205cf79d6b913fb

SHA1
5457abe6e7519d239271da83d683d7c9812412ed

SHA256
9178065062cb7a87473e07863eb2db3a2cf137083f6d8b514c597b0cb4404694

SHA512
fd4e2e9edcf043d7e355b17fe40cc9f181dbc22b4789ad845db399f44b30c9c5108382a200908b88a263bafd95c751ead44cf932dde6d1a15059cda34706c13e

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\cfg\localconfig.data

Filesize
104KB

MD5
65d632e063055d1a328424c493c4decc

SHA1
e0781b436f6dc83032b8045c5018c461e47637a1

SHA256
81d452cf998ff5b138f9b3077c9e2c03c18b3e4b3dc284544c8a9e7b269330d4

SHA512
3a2a90afce6ccc22f4ecaab1f36e790718e6c94b62186be4f51e4de096b52c9895643e8797fc1afe233f5930051626814eff9e502dcc7fd9e3fb02aee89d36c9

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\configs\configure2

Filesize
224B

MD5
d6877dde187e373e04147e1728963fc6

SHA1
5e2c9d36cad48b6dfd70d0bd0e1049a79d6d8f05

SHA256
570330337d8142dcbb6f601e5776180571663555b7e9c613347f90a78c88e406

SHA512
39f3db751a746ec31df0751367dd652fcfb39600250092e510c809ed804ee6a81f6121e98ff234b1a50d33190dcbd1a07b04843e019cb85d03d5086ba8658385

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\ksomisc\ksomisc_2024_12_10.log

Filesize
5KB

MD5
6454a5b46cbb5a6248bbbe4f9b9eedc0

SHA1
68b35fb80b4bb876c3bf9be075116ca8d2220499

SHA256
41a217b5c19cdef5c4f8a1cc348e5fd2e78c0df5e458574522949e02c8f121bd

SHA512
10069cade92e2b46e95aa09ffcacb56397f95c1d0e4345a6b7aa319a7d5997f4826dc08ead789d9c6ecba232d464ae8119721e61e003293bb2721194cacc4b75

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
13KB

MD5
e45164a02af3a3f7f8239b2c01aaff5e

SHA1
c78f48daec407ca0cece64e892725984b3229936

SHA256
b7fa9b15726d2a45eb6917bcbccebfbf37f38489dcd45662b172b7c0bb05cb24

SHA512
8bec830a293a9f7b995e44ade5eff229bd7ab52947fc5c510312b013c920c27211eac71456008d00afd2fe51e4b92282a70a7d9a15fac7a1c8245c0c732766a8

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
15KB

MD5
b8730c912ea72398e2c3638b07445cdf

SHA1
21e0c5387d6b97062477817fe7709d876ebca69f

SHA256
204f998b74694880d6e114530bb3e4f331c885e231bc12d971d93c27e48b3898

SHA512
cf59c75ec91df58e6365ec2cb8db4f32eb44740e02c1eb0d13f9aeb8cc65913cf0f8b6bfaaff178f29e82cc9e448d3bfc7aed7a1a85bf6f288c89ada33b9b5c4

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
30KB

MD5
0c52afdfbbefd7eac018d2027553a773

SHA1
fa29f0d3236eb92532fecb36baea17336d843c12

SHA256
4e5c23d7702de1cd72b579aff181f3d3c5b8d509cd99a1d206800c361ddfbde1

SHA512
c866c0a6fb5d53595d9c706193be34d6e7e71b17dec07badb73fd759efcab1fe89e0b7da2bba8c94fc7ac5043e30c1f575351e9d39838464a5ff90d25211af9d

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
50KB

MD5
66be7313e7c869b5fe1a8c8fc4577a7f

SHA1
9f08c26bff787c16e0cdaa8996b8e118a39cc28c

SHA256
089970eec8dc6d6c7c56b1dd1cdd292922a652781615fda3e952cdc9e5ae3ef0

SHA512
bc3fc065cb1198aa1d8e58a50791aaa1ee277801fd88639265c949bd0576d75c27c4c986894c46bee8ce10e5ab5d351dee603ef7cd44c23b9dd35f97eb645960

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\office6\Qt5CoreKso.dll

Filesize
5.1MB

MD5
4f87e60cbc3c4a35d67a8d8949ef0745

SHA1
9092fc6af7a9d6e507dd6e5ab48b75ff50226b6c

SHA256
60b0e044d5ce13e248eb9bc05f61c89ae6e5306e770c987b0a817050e996ecc7

SHA512
f238d1e7c3c2274fa56ba1efd8142bf4cf4c744de7233d41a74f35104c91b739e5b18535012b1d7cb685ce83ae14d73244a1851e29160d39bc36f4cfab8e59c5

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\office6\Qt5GuiKso.dll

Filesize
5.3MB

MD5
a644ef4dda26ef5cb71d2d394156ff36

SHA1
27f8e4c9c3737e001c3e50d5639c57ed34a8f367

SHA256
6f6806de1af88ff0a8ce725f20b0050ab54d2911663ca872e17a92bf375493d0

SHA512
81795aba1dd451994cd05edd690a5f5a21dffa31bbf4d194d2b44dcad4f73bce24d41443c961e68f9ea22f2571418a7f023e7bc3b93b5ccc5eecf2e2715b3006

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\office6\Qt5SvgKso.dll

Filesize
392KB

MD5
f5d769a8c7afdae15888e2a27cf9b8f0

SHA1
a3e211c1dc5ca9c858af3db9d885b33ad066b19b

SHA256
c8f473ef26c5279e54512c124c9c900e771273f71a08a9744340009557853822

SHA512
7c037bb81ec5dd01803a67f8f382a339bb466f3f6485ccb298223a5157a0a324803450dba412d11a2e8cb4b7a9fdba6bbafb9590eccc903e083af9f85e5df40c

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\office6\Qt5WidgetsKso.dll

Filesize
4.5MB

MD5
26bcd9a8441d609c66c920e0c7ad2311

SHA1
fd699e45b2fb4e00de0ee5b86275d903972859d4

SHA256
0669c047f517cd5d18d1465c34006de698c21a499e8731f9fe90e6b75d6baeb0

SHA512
210d04a09fffeedcd956fab9db307d7ed7b5b63c563d8ce6e6ca058991a0a1c4c2bf3b04911de99588f1f6f535a9ad1b8bb9655f507720b8c700fca88a580433

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\office6\Qt5WinExtrasKso.dll

Filesize
217KB

MD5
1a8a76defa374ac2f51eb14acfbcfd0c

SHA1
f36d8da78df79d228795361a3fe2be66153d574b

SHA256
7bed489f580d7756cf8006090503b771dc3c98c05d0f7ef14607f19438e22526

SHA512
e5ca8bb54108452d5d226545389a05e223b9e053bb00e411eb55000b2bb8b24f809e4d836efccf1b7cc1c21106c56e7814b3209798e4c374bedae7d9cb5daf9e

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\office6\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
cd3cec3d65ae62fdf044f720245f29c0

SHA1
c4643779a0f0f377323503f2db8d2e4d74c738ca

SHA256
676a6da661e0c02e72bea510f5a48cae71fdc4da0b1b089c24bff87651ec0141

SHA512
aca1029497c5a9d26ee09810639278eb17b8fd11b15c9017c8b578fced29cef56f172750c4cc2b0d1ebf8683d29e15de52a6951fb23d78712e31ddcb41776b0f

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\office6\api-ms-win-core-file-l2-1-0.dll

Filesize
10KB

MD5
b181124928d8eb7b6caa0c2c759155cb

SHA1
1aadbbd43eff2df7bab51c6f3bda2eb2623b281a

SHA256
24ea638dfa9f40e2f395e26e36d308db2ab25ed1baa5c796ac2c560ad4c89d77

SHA512
2a43bf4d50d47924374cde689be24799c4e1c132c0bc981f5109952d3322e91dd5a9352b53bb55ca79a6ea92e2c387e87c064b9d8c8f519b77fff973d752dc8f

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\office6\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
21519f4d5f1fea53532a0b152910ef8b

SHA1
7833ac2c20263c8be42f67151f9234eb8e4a5515

SHA256
5fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1

SHA512
97211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\office6\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
b5c8334a10b191031769d5de01df9459

SHA1
83a8fcc777c7e8c42fa4c59ee627baf6cbed1969

SHA256
6c27ac0542281649ec8638602fbc24f246424ba550564fc7b290b683f79e712d

SHA512
59e53c515dfa2cd96182ca6539ed0ea2ebb01f5991beb08166d1fc53576aeaafebbb2c5ee0ccbdab60ae45fc6a048fff0b5e1b8c9c26907791d31fb7e75b1f39

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\office6\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
86421619dad87870e5f3cc0beb1f7963

SHA1
2f0fe3eb94fa90577846d49c03c4fd08ef9d3fb2

SHA256
64eccd818f6ffc13f57a2ec5ca358b401ffbb1ca13b0c523d479ef5ee9eb44ab

SHA512
dbce9904dd5a403a5a69e528ee1179cc5faab1361715a29b1a0de0cd33ad3ae9c9d5620dafb161fda86cb27909d001be8955940fd051077ffe6f3ff82357ad31

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\office6\api-ms-win-crt-convert-l1-1-0.dll

Filesize
14KB

MD5
88f89d0f2bd5748ed1af75889e715e6a

SHA1
8ada489b9ff33530a3fb7161cc07b5b11dfb8909

SHA256
02c78781bf6cc5f22a0ecedc3847bfd20bed4065ac028c386d063dc2318c33cc

SHA512
1f5a00284ca1d6dc6ae2dfce306febfa6d7d71d421583e4ce6890389334c2d98291e98e992b58136f5d1a41590553e3ad42fb362247ae8adf60e33397afbb5df

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\office6\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
0979785e3ef8137cdd47c797adcb96e3

SHA1
4051c6eb37a4c0dba47b58301e63df76bff347dd

SHA256
d5164aecde4523ffa2dcfd0315b49428ac220013132ad48422a8ea4ca2361257

SHA512
e369bc53babd327f5d1b9833c0b8d6c7e121072ad81d4ba1fb3e2679f161fb6a9fa2fca0df0bac532fd439beb0d754583582d1dbfeccf2d38cc4f3bdca39b52d

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\office6\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
12KB

MD5
a1b6cebd3d7a8b25b9a9cbc18d03a00c

SHA1
5516de099c49e0e6d1224286c3dc9b4d7985e913

SHA256
162ccf78fa5a4a2ee380f72fbd54d17a73c929a76f6e3659f537fa8f42602362

SHA512
a322fb09e6faaff0daabb4f0284e4e90ccacff27161dbfd77d39a9a93dbf30069b9d86bf15a07fc2006a55af2c35cd8ea544895c93e2e1697c51f2dafad5a9d7

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\office6\api-ms-win-crt-heap-l1-1-0.dll

Filesize
11KB

MD5
a6a9dfb31be2510f6dbfedd476c6d15a

SHA1
cdb6d8bd1fbd1c71d85437cff55ddeb76139dbe7

SHA256
150d32b77b2d7f49c8d4f44b64a90d7a0f9df0874a80fc925daf298b038a8e4c

SHA512
b4f0e8fa148fac8a94e04bf4b44f2a26221d943cc399e7f48745ed46e8b58c52d9126110cdf868ebb723423fb0e304983d24fe6608d3757a43ad741bddb3b7ec

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\office6\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
50b721a0c945abe3edca6bcee2a70c6c

SHA1
f35b3157818d4a5af3486b5e2e70bb510ac05eff

SHA256
db495c7c4ad2072d09b2d4506b3a50f04487ad8b27d656685ea3fa5d9653a21d

SHA512
ef2f6d28d01a5bad7c494851077d52f22a11514548c287e513f4820c23f90020a0032e2da16cc170ae80897ae45fc82bffc9d18afb2ae1a7b1da6eef56240840

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\office6\api-ms-win-crt-math-l1-1-0.dll

Filesize
21KB

MD5
461d5af3277efb5f000b9df826581b80

SHA1
935b00c88c2065f98746e2b4353d4369216f1812

SHA256
f9ce464b89dd8ea1d5e0b852369fe3a8322b4b9860e5ae401c9a3b797aed17bf

SHA512
229bf31a1de1e84cf238a0dfe0c3a13fee86da94d611fbc8fdb65086dee6a8b1a6ba37c44c5826c3d8cfa120d0fba9e690d31c5b4e73f98c8362b98be1ee9600

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\office6\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
4f06da894ea013a5e18b8b84a9836d5a

SHA1
40cf36e07b738aa8bba58bc5587643326ff412a9

SHA256
876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732

SHA512
1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\office6\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
16KB

MD5
5765103e1f5412c43295bd752ccaea03

SHA1
6913bf1624599e55680a0292e22c89cab559db81

SHA256
8f7ace43040fa86e972cc74649d3e643d21e4cad6cb86ba78d4c059ed35d95e4

SHA512
5844ac30bc73b7ffba75016abefb8a339e2f2822fc6e1441f33f70b6eb7114f828167dfc34527b0fb5460768c4de7250c655bc56efd8ba03115cd2dd6f6c91c0

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\office6\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
f364190706414020c02cf4d531e0229d

SHA1
5899230b0d7ad96121c3be0df99235ddd8a47dc6

SHA256
a797c0d43a52e7c8205397225ac931638d73b567683f38dd803195da9d34eac2

SHA512
a9c8abbd846ab55942f440e905d1f3864b82257b8daa44c784b1997a060de0c0439ecc25a2193032d4d85191535e9253e435deed23bdf3d3cb48c4209005a02e

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\office6\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
d0b6a2caec62f5477e4e36b991563041

SHA1
8396e1e02dace6ae4dde33b3e432a3581bc38f5d

SHA256
fd44d833ea40d50981b3151535618eb57b5513ed824a9963251d07abff2baedf

SHA512
69bd6df96de99e6ab9c12d8a1024d20a034a7db3e2b62e8be7fdbc838c4e9001d2497b04209e07a5365d00366c794c31ee89b133304e475dde5f92fdb7fcb0bc

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\office6\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
3dfb82541979a23a9deb5fd4dcfb6b22

SHA1
5da1d02b764917b38fdc34f4b41fb9a599105dd9

SHA256
0cd6d0ff0ff5ecf973f545e98b68ac6038db5494a8990c3b77b8a95b664b6feb

SHA512
f9a20b3d44d39d941fa131c3a1db37614a2f9b2af7260981a0f72c69f82a5326901f70a56b5f7ad65862630fce59b02f650a132ee7ecfe2e4fc80f694483ca82

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\office6\kpacketui.dll

Filesize
2.9MB

MD5
cd62ebba2f29e53eb2e1ab6400381864

SHA1
47165679081db59a304aadff14f16ceabe55baa3

SHA256
edc44e3e0cdbe2dc29cf76e8172f9fe0e1c341cab8ada4475e708fc7e22a6387

SHA512
1b5cd979a844933990003a3bed50100b5582d9f11cfa3296b9112e223cf372e29d677de4c854fe1ed1b4aeb9f2d77ba76a1f5b43087a92d3cbac407eb34ffc48

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\office6\msvcp140.dll

Filesize
427KB

MD5
db1e9807b717b91ac6df6262141bd99f

SHA1
f55b0a6b2142c210bbfeebf1bac78134acc383b2

SHA256
5a6dfa5e1ffb6c1e7fc76bd121c6c91305e10dd75fc2124f79fee291a9dd9e86

SHA512
f0621977d20989d21ae14b66c1a7a6c752bfd6d7ccc2c4c4ec1c70ba6756e642fb7f9b1c6a94afadd0f8a05d3c377792e4aa4c1a771d833c40a6f46b90cbe7c3

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll

Filesize
61KB

MD5
57d798eed5bb2ed5964e43ca4fc711bd

SHA1
f7a1452e862116f049c3b964602b07a3ed5d96df

SHA256
3df7130ab7eae667c465ec329eec2df382ab57da3432fb1a8808cfd0f31ce695

SHA512
6eb77db1d23b3f16dc34217f6c90305c301b8f2931fc85ff3c036c6889a818416d6eb491474fd33545ee9bdc9d797a0192b41b974c59344510b78ec7afa37adf

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\office6\qt\plugins\imageformats\qsvg.dll

Filesize
41KB

MD5
995335709066b43244e8f35e81b1f41a

SHA1
6a048eae491e2d1112e17e58a8d4512fc9a8845e

SHA256
66ac95183bf4a151c626d9ef11074de026ede30cbcf23ce3848d777fc0de8128

SHA512
0383beb15bf18f5cb967752e154dd35d4a002822a21508c2890190a90a9b4af71a690b67707bcdfc483cfee32a2f791b05fe565c89162461c773284e8dd7ab36

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\office6\qt\plugins\platforms\qwindows.dll

Filesize
1.3MB

MD5
23cad07917aabc221334f74e3d03a456

SHA1
2de22774daf4a6333bb5502a3e378e64ff767e9a

SHA256
abe009821766ed074070a56229f66dd9b5dd413dbe67fd19f169f0c092b7d3ae

SHA512
b14f671cde984aa7484ea3dfd993de8af85f86723142f12fd29bfc71ef1226bc528742fe9fa1424a4c4ecaa11e06a7c2b86379caf13566e68cbd36b06e7147e4

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll

Filesize
145KB

MD5
184a7bf566a1d55d176ffca0e973a6c0

SHA1
c3a596ff6368d92a9c83027d5de3b32411c2b4a5

SHA256
21812845ef2140d30c1427c15c86c13275995bb3f33ecf46f865923c278fca8c

SHA512
d6a226d12faeac6813c9207e227145905bfd518229517c2b8f79eab8e77fde8a7d1d32d65f6e8107612aa507a26794000c8607a5b25aa877bdb789c1514c3a56

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\office6\ucrtbase.dll

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f779270\CONTROL\office6\vcruntime140.dll

Filesize
75KB

MD5
8fdb26199d64ae926509f5606460f573

SHA1
7d7d8849e7c77af3042a6f54bdf2bb303d7cd678

SHA256
f1fd5f6ec1cfe0cc3b66b5322ac97568bc63b19c1e415b99aad7c69ddbafa33c

SHA512
f56bf11d4259dbf5d4d1f9fc2ad60ff609cddb21278999e9fa55fe5d74552e8a01ddc55cfdc9bf4b09b3e3130a1356142a24a7db8ec5ea19344de617dc9fa99f

Download Submit
memory/596-4438-0x000000006CF50000-0x000000006CF60000-memory.dmp

Filesize
64KB

Download
memory/596-4435-0x000000006CF50000-0x000000006CF60000-memory.dmp

Filesize
64KB

Download
memory/596-4454-0x00000000724E0000-0x00000000725FF000-memory.dmp

Filesize
1.1MB

Download
memory/596-4455-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/596-4433-0x0000000000460000-0x0000000000477000-memory.dmp

Filesize
92KB

Download
memory/596-4434-0x000000006CF50000-0x000000006CF60000-memory.dmp

Filesize
64KB

Download
memory/596-4436-0x000000006CF50000-0x000000006CF60000-memory.dmp

Filesize
64KB

Download
memory/596-4437-0x000000006CF50000-0x000000006CF60000-memory.dmp

Filesize
64KB

Download
memory/596-4439-0x000000006CF50000-0x000000006CF60000-memory.dmp

Filesize
64KB

Download
memory/596-4440-0x000000006CF50000-0x000000006CF60000-memory.dmp

Filesize
64KB

Download
memory/596-4441-0x000000006CF50000-0x000000006CF60000-memory.dmp

Filesize
64KB

Download
memory/596-4432-0x000000006CF60000-0x000000006CF70000-memory.dmp

Filesize
64KB

Download
memory/596-4430-0x0000000070260000-0x00000000719AE000-memory.dmp

Filesize
23.3MB

Download
memory/596-4431-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/756-5271-0x00000000004B0000-0x00000000004E0000-memory.dmp

Filesize
192KB

Download
memory/756-5294-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/756-5270-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/868-4646-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/868-4623-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/988-5107-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/988-5067-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/988-5068-0x0000000000330000-0x0000000000360000-memory.dmp

Filesize
192KB

Download
memory/1088-4922-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1088-4923-0x00000000005D0000-0x0000000000600000-memory.dmp

Filesize
192KB

Download
memory/1088-4941-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1176-226-0x0000000000150000-0x0000000000152000-memory.dmp

Filesize
8KB

Download
memory/1176-4109-0x00000000747A0000-0x00000000748BF000-memory.dmp

Filesize
1.1MB

Download
memory/1220-4603-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1220-4601-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1308-4953-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1308-4954-0x00000000004D0000-0x0000000000500000-memory.dmp

Filesize
192KB

Download
memory/1308-5016-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1320-4880-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1320-4858-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1320-4859-0x00000000001F0000-0x0000000000220000-memory.dmp

Filesize
192KB

Download
memory/1372-5332-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1372-5308-0x0000000000790000-0x00000000007C0000-memory.dmp

Filesize
192KB

Download
memory/1372-5307-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1372-5333-0x0000000000790000-0x00000000007A7000-memory.dmp

Filesize
92KB

Download
memory/1376-5263-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1376-5261-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1468-4993-0x0000000000100000-0x0000000000130000-memory.dmp

Filesize
192KB

Download
memory/1468-5005-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1568-4848-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1568-4825-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1568-4826-0x00000000005B0000-0x00000000005E0000-memory.dmp

Filesize
192KB

Download
memory/1624-5061-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1676-5158-0x0000000000960000-0x0000000000977000-memory.dmp

Filesize
92KB

Download
memory/1676-5157-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1676-5117-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1676-5118-0x0000000000960000-0x0000000000990000-memory.dmp

Filesize
192KB

Download
memory/1720-4992-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1724-4487-0x00000000006E0000-0x0000000000710000-memory.dmp

Filesize
192KB

Download
memory/1724-4490-0x000000006E410000-0x000000006E420000-memory.dmp

Filesize
64KB

Download
memory/1724-4486-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1724-4497-0x000000006E410000-0x000000006E420000-memory.dmp

Filesize
64KB

Download
memory/1724-4489-0x0000000000720000-0x0000000000737000-memory.dmp

Filesize
92KB

Download
memory/1724-4539-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1724-4538-0x0000000072470000-0x000000007258F000-memory.dmp

Filesize
1.1MB

Download
memory/1724-4496-0x000000006E410000-0x000000006E420000-memory.dmp

Filesize
64KB

Download
memory/1724-4491-0x000000006E410000-0x000000006E420000-memory.dmp

Filesize
64KB

Download
memory/1724-4492-0x000000006E410000-0x000000006E420000-memory.dmp

Filesize
64KB

Download
memory/1724-4493-0x000000006E410000-0x000000006E420000-memory.dmp

Filesize
64KB

Download
memory/1724-4494-0x000000006E410000-0x000000006E420000-memory.dmp

Filesize
64KB

Download
memory/1724-4495-0x000000006E410000-0x000000006E420000-memory.dmp

Filesize
64KB

Download
memory/1732-4971-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1732-5011-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1732-4972-0x0000000000100000-0x0000000000130000-memory.dmp

Filesize
192KB

Download
memory/1828-4465-0x000000006E420000-0x000000006E430000-memory.dmp

Filesize
64KB

Download
memory/1828-4463-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1828-4514-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1828-4467-0x000000006E410000-0x000000006E420000-memory.dmp

Filesize
64KB

Download
memory/1828-4470-0x000000006E410000-0x000000006E420000-memory.dmp

Filesize
64KB

Download
memory/1828-4513-0x0000000072470000-0x000000007258F000-memory.dmp

Filesize
1.1MB

Download
memory/1828-4474-0x000000006E410000-0x000000006E420000-memory.dmp

Filesize
64KB

Download
memory/1828-4471-0x000000006E410000-0x000000006E420000-memory.dmp

Filesize
64KB

Download
memory/1828-4466-0x0000000000730000-0x0000000000747000-memory.dmp

Filesize
92KB

Download
memory/1828-4462-0x000000006FDE0000-0x000000007152E000-memory.dmp

Filesize
23.3MB

Download
memory/1828-4469-0x000000006E410000-0x000000006E420000-memory.dmp

Filesize
64KB

Download
memory/1828-4472-0x000000006E410000-0x000000006E420000-memory.dmp

Filesize
64KB

Download
memory/1828-4464-0x00000000006A0000-0x00000000006D0000-memory.dmp

Filesize
192KB

Download
memory/1828-4473-0x000000006E410000-0x000000006E420000-memory.dmp

Filesize
64KB

Download
memory/1828-4468-0x000000006E410000-0x000000006E420000-memory.dmp

Filesize
64KB

Download
memory/1880-4745-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1904-4717-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1904-4692-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1904-4693-0x0000000000330000-0x0000000000360000-memory.dmp

Filesize
192KB

Download
memory/1956-4605-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2052-4789-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2052-4790-0x00000000004D0000-0x0000000000500000-memory.dmp

Filesize
192KB

Download
memory/2052-4816-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2224-5459-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2224-5457-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2320-4562-0x000000006CF50000-0x000000006CF60000-memory.dmp

Filesize
64KB

Download
memory/2320-4559-0x000000006CF50000-0x000000006CF60000-memory.dmp

Filesize
64KB

Download
memory/2320-4551-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2320-4553-0x000000006CF60000-0x000000006CF70000-memory.dmp

Filesize
64KB

Download
memory/2320-4575-0x00000000724E0000-0x00000000725FF000-memory.dmp

Filesize
1.1MB

Download
memory/2320-4561-0x000000006CF50000-0x000000006CF60000-memory.dmp

Filesize
64KB

Download
memory/2320-4560-0x000000006CF50000-0x000000006CF60000-memory.dmp

Filesize
64KB

Download
memory/2320-4552-0x00000000004B0000-0x00000000004E0000-memory.dmp

Filesize
192KB

Download
memory/2320-4558-0x000000006CF50000-0x000000006CF60000-memory.dmp

Filesize
64KB

Download
memory/2320-4557-0x000000006CF50000-0x000000006CF60000-memory.dmp

Filesize
64KB

Download
memory/2320-4556-0x000000006CF50000-0x000000006CF60000-memory.dmp

Filesize
64KB

Download
memory/2320-4555-0x000000006CF50000-0x000000006CF60000-memory.dmp

Filesize
64KB

Download
memory/2320-4554-0x00000000004E0000-0x00000000004F7000-memory.dmp

Filesize
92KB

Download
memory/2320-4576-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2436-4541-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2436-4536-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2440-4913-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2440-4894-0x0000000000440000-0x0000000000470000-memory.dmp

Filesize
192KB

Download
memory/2440-4893-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2512-4613-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2512-4585-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/2512-4584-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2532-5442-0x0000000000480000-0x00000000004B0000-memory.dmp

Filesize
192KB

Download
memory/2532-5441-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2532-5453-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2548-4683-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2548-4654-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2548-4655-0x00000000005E0000-0x0000000000610000-memory.dmp

Filesize
192KB

Download
memory/2568-5202-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2596-4755-0x00000000002F0000-0x0000000000320000-memory.dmp

Filesize
192KB

Download
memory/2596-4754-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2596-4779-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2724-5257-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2724-5226-0x00000000004C0000-0x00000000004F0000-memory.dmp

Filesize
192KB

Download
memory/2724-5225-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2828-5369-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2828-5348-0x0000000000650000-0x0000000000680000-memory.dmp

Filesize
192KB

Download
memory/2828-5347-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2848-26-0x0000000001230000-0x0000000001790000-memory.dmp

Filesize
5.4MB

Download
memory/2848-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2848-17-0x0000000001230000-0x0000000001790000-memory.dmp

Filesize
5.4MB

Download
memory/2848-13-0x0000000001230000-0x0000000001790000-memory.dmp

Filesize
5.4MB

Download
memory/2848-4098-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2848-18-0x0000000001230000-0x0000000001790000-memory.dmp

Filesize
5.4MB

Download
memory/2848-21-0x0000000001230000-0x0000000001790000-memory.dmp

Filesize
5.4MB

Download
memory/2848-22-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2848-2902-0x0000000001230000-0x0000000001790000-memory.dmp

Filesize
5.4MB

Download
memory/2848-27-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2848-15-0x0000000001230000-0x0000000001790000-memory.dmp

Filesize
5.4MB

Download
memory/2848-16-0x0000000001230000-0x0000000001790000-memory.dmp

Filesize
5.4MB

Download
memory/2848-4097-0x0000000001230000-0x0000000001790000-memory.dmp

Filesize
5.4MB

Download
memory/2848-12-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2848-10-0x0000000001230000-0x0000000001790000-memory.dmp

Filesize
5.4MB

Download
memory/2848-5-0x0000000001231000-0x0000000001232000-memory.dmp

Filesize
4KB

Download
memory/2848-31-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2848-23-0x0000000001230000-0x0000000001790000-memory.dmp

Filesize
5.4MB

Download
memory/2848-2903-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2848-30-0x0000000001230000-0x0000000001790000-memory.dmp

Filesize
5.4MB

Download
memory/3016-5434-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3016-5385-0x0000000000300000-0x0000000000330000-memory.dmp

Filesize
192KB

Download
memory/3016-5384-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download