floxif | 183b7497f887be8ec7f11ff64b50947b863c9808d046ede0b96646c6e660085b

Analysis

max time kernel
145s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/12/2024, 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
Size

5.4MB
MD5

bb17eb1049975bae79f611fd25495ea7
SHA1

8dd8e68f87e54ea44319a4e58c7fc88f7bf67f9f
SHA256

183b7497f887be8ec7f11ff64b50947b863c9808d046ede0b96646c6e660085b
SHA512

4b76d8be5666f2629d959f0d5dbcd74b42de7cb2988f60a6573c850e48870886fd93423cfda12eecd88cc3f37de81feed9f3b0ea6ce1d8cd8d391e3105821620
SSDEEP

98304:jGaXxhOCk1LUAAYeyhDhEJ2GYGo9w+08Y9f/LciRZ:jtQCk1oAAYJc2RN9zMP

Score

10^/10

floxif backdoor bootkit discovery evasion persistence privilege_escalation trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x0009000000023c6b-1.dat	floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0009000000023c6b-1.dat	acprotect

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wpsupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wpsupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	ksomisc.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 41 IoCs

pid	Process
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1852	ksomisc.exe
3604	ksomisc.exe
1444	ksomisc.exe
4340	wpscloudsvr.exe
3060	ksomisc.exe
2596	ksomisc.exe
5056	ksomisc.exe
1280	ksomisc.exe
100	ksomisc.exe
468	ksomisc.exe
832	ksomisc.exe
2268	ksomisc.exe
1032	ksomisc.exe
4708	ksomisc.exe
2580	ksomisc.exe
4712	ksomisc.exe
4408	ksomisc.exe
3212	wps.exe
4192	wps.exe
832	wps.exe
864	ksomisc.exe
1016	ksomisc.exe
5116	ksomisc.exe
2356	ksomisc.exe
1416	ksomisc.exe
2932	ksomisc.exe
1928	ksomisc.exe
1224	ksomisc.exe
3860	wpsupdate.exe
1412	wpscloudsvr.exe
5056	wpsupdate.exe
3460	wpscloudsvr.exe
1108	ksomisc.exe
1516	ksomisc.exe
3604	ksomisc.exe
3344	ksomisc.exe
4404	ksomisc.exe
3856	ksomisc.exe
4232	ksomisc.exe

Loads dropped DLL 64 IoCs

pid	Process
2360	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
2360	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
3604	ksomisc.exe
3604	ksomisc.exe
3604	ksomisc.exe
3604	ksomisc.exe
3604	ksomisc.exe
3604	ksomisc.exe
3604	ksomisc.exe
3604	ksomisc.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ kwpsshellext\ = "{28A80003-18FD-411D-B0A3-3C81F618E22B}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wpscloudsvr.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
File opened for modification	\??\PhysicalDrive0	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
File opened for modification	\??\PhysicalDrive0	ksomisc.exe
File opened for modification	\??\PhysicalDrive0	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000023c6b-1.dat	upx
behavioral2/memory/2360-2-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2360-18-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2360-20-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2360-27-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4592-43-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/376-227-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2360-509-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4592-1210-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/376-2459-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2360-3807-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4592-3980-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1852-4446-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1852-4471-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/376-4477-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/3604-4492-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4592-4475-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1444-4514-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4340-4541-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4340-4543-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/3060-4562-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/3604-4596-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/3060-4601-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2596-4625-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1444-4624-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1716-4633-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1716-4635-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4080-4636-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4080-4638-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2596-4647-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/5056-4656-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/5056-4681-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1280-4690-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1280-4719-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/100-4741-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/100-4756-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/468-4767-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/468-4792-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/832-4811-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/832-4826-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2268-4835-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2268-4862-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1032-4881-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1032-4894-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4708-4913-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4708-4925-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2580-4944-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2580-4954-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4712-4973-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4712-4982-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4408-5003-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/3212-5020-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4192-5034-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/832-5046-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/832-5051-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/3212-5057-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4408-5063-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/864-5081-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/864-5111-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1016-5130-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1016-5160-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/5116-5180-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/5116-5210-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2356-5221-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	\??\c:\program files\common files\system\symsrv.dll.000	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
File created	C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpscloudsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpscloudsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpscloudsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wps.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{AB5357A7-3179-47F9-A705-966B8B936D5E}"	ksomisc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}	ksomisc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024"	ksomisc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{E436987E-F427-4AD7-8738-6D0895A3E93F}"	ksomisc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}	ksomisc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024"	ksomisc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{000C0375-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{00020972-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{92D41A5C-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{0002089A-0000-0000-C000-000000000046}\ = "Line"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{0002085B-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{000CD900-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{00020940-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{92D41A7B-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{44720440-94BF-4940-926D-4F38FECF2A48}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{92D41A58-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{44720440-94BF-4940-926D-4F38FECF2A48}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{00020870-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{000244A6-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WPP.PPT.6\shell\open	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{00020913-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{00024402-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WPS.Docx.6\shell\edit\ = "&Edit"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WPS.PIC.x3f\shell	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{000208BC-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{000C0322-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{000209D2-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{870421C0-7135-41E8-A915-D9A7B8026394}\TypeLib\Version = "1.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{766FBB6D-7576-4C00-8CE7-C548751812B3}\ = "EtRangeEx"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\KWPP.Presentation.9\shell\edit\ = "&Edit"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{000244C6-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{0002441B-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WPP.PPSM.6\shell\edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.19307\\office6\\wps.exe\" /prometheus /wpp \"%1\""	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{000C03CB-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\SystemFileAssociations\.wpt\ShellEx	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{0002094A-0000-0000-C000-000000000046}\ = "Cells"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{91493481-5A91-11CF-8700-00AA0060263B}\ = "ConnectorFormat"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{00024484-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{00020885-0000-0000-C000-000000000046}\ = "ScrollBar"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{00020882-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{91493495-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{000C036E-0000-0000-C000-000000000046}\TypeLib\Version = "63.1"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{00020935-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{0002E172-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{F60F4E79-55EA-4A66-8457-CEBDD47C9793}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{91493464-5A91-11CF-8700-00AA0060263B}\TypeLib	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WPS.Docm.6\Insertable	ksomisc.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\.pptm\WPP.PPTM.6\ShellNew	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{000C0365-0000-0000-C000-000000000046}\ = "FileDialogFilters"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{000C1532-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{000C033B-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\KWPS.Template.9\shell	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{000208D9-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\ET.Xlt.6\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.19307\\office6\\wpsofficeicon.dll,19"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WPS.PIC.jfif\shell\open\command	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{000CDB07-0000-0000-C000-000000000046}\TypeLib\Version = "63.1"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{914934F1-5A91-11CF-8700-00AA0060263B}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WPS.Dotx.6\shell\new\ = "&New"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WPP.POTX.6\shell\open\command	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WPP.SLDM.6\Insertable	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\.wbm	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{000209A0-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{00024483-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{000208D1-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{000208D0-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{000C0351-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{0002448D-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{000C170F-0000-0000-C000-000000000046}\ = "IMsoChartTitle"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{FE0971F0-5E60-4985-BCDA-95CB0B8E0308}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{0002447D-0000-0000-C000-000000000046}\ = "ListDataFormat"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Word.Application.12\CLSID\ = "{000209FF-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{000C0398-0000-0000-C000-000000000046}\ = "TextFrame2"	ksomisc.exe

Modifies system certificate store 2 TTPs 64 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CTLs	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CTLs	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CRLs	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\SystemCertificates\TestSignRoot	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CTLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CRLs	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CRLs	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CRLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\SystemCertificates\TrustedAppRoot	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\SystemCertificates\eSIM Certification Authorities	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CRLs	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CRLs	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CTLs	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\SystemCertificates\FlightRoot	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CRLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\SystemCertificates\TestSignRoot	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CRLs	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CTLs	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CTLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\SystemCertificates\TrustedDevices	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CTLs	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CTLs	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CRLs	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CRLs	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CRLs	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CTLs	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\Certificates	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CTLs	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CRLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CRLs	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\SystemCertificates\FlightRoot	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\SystemCertificates\WindowsServerUpdateServices	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CTLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CTLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CRLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CTLs	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CRLs	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\SystemCertificates\eSIM Certification Authorities	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CTLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\SystemCertificates\TestSignRoot	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CRLs	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CRLs	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CTLs	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\SystemCertificates\TrustedAppRoot	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CRLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\Certificates	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CTLs	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates	ksomisc.exe

Suspicious behavior: AddClipboardFormatListener 34 IoCs

pid	Process
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1852	ksomisc.exe
3604	ksomisc.exe
1444	ksomisc.exe
3060	ksomisc.exe
2596	ksomisc.exe
5056	ksomisc.exe
1280	ksomisc.exe
100	ksomisc.exe
468	ksomisc.exe
832	ksomisc.exe
2268	ksomisc.exe
1032	ksomisc.exe
4708	ksomisc.exe
2580	ksomisc.exe
4712	ksomisc.exe
4408	ksomisc.exe
864	ksomisc.exe
1016	ksomisc.exe
5116	ksomisc.exe
2356	ksomisc.exe
1416	ksomisc.exe
2932	ksomisc.exe
1928	ksomisc.exe
1224	ksomisc.exe
3860	wpsupdate.exe
5056	wpsupdate.exe
1108	ksomisc.exe
1516	ksomisc.exe
3604	ksomisc.exe
3344	ksomisc.exe
4404	ksomisc.exe
3856	ksomisc.exe
4232	ksomisc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2360	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
2360	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
2360	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
2360	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
2360	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
2360	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
1852	ksomisc.exe
3604	ksomisc.exe
3604	ksomisc.exe
3604	ksomisc.exe
3604	ksomisc.exe
3604	ksomisc.exe
3604	ksomisc.exe
3604	ksomisc.exe
3604	ksomisc.exe
1444	ksomisc.exe
1444	ksomisc.exe
1444	ksomisc.exe
1444	ksomisc.exe
1444	ksomisc.exe
1444	ksomisc.exe
1444	ksomisc.exe
1444	ksomisc.exe
4340	wpscloudsvr.exe
4340	wpscloudsvr.exe
3060	ksomisc.exe
3060	ksomisc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2360	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
Token: SeDebugPrivilege	4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Token: SeDebugPrivilege	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Token: SeDebugPrivilege	4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Token: SeRestorePrivilege	4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Token: SeRestorePrivilege	4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Token: SeRestorePrivilege	4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Token: SeRestorePrivilege	4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
Token: SeDebugPrivilege	1852	ksomisc.exe
Token: SeDebugPrivilege	1852	ksomisc.exe
Token: SeLockMemoryPrivilege	1852	ksomisc.exe
Token: SeDebugPrivilege	3604	ksomisc.exe
Token: SeDebugPrivilege	3604	ksomisc.exe
Token: SeDebugPrivilege	1444	ksomisc.exe
Token: SeDebugPrivilege	1444	ksomisc.exe
Token: SeDebugPrivilege	4340	wpscloudsvr.exe
Token: SeLockMemoryPrivilege	3604	ksomisc.exe
Token: SeLockMemoryPrivilege	1444	ksomisc.exe
Token: SeDebugPrivilege	3060	ksomisc.exe
Token: SeDebugPrivilege	3060	ksomisc.exe
Token: SeLockMemoryPrivilege	3060	ksomisc.exe
Token: SeDebugPrivilege	2596	ksomisc.exe
Token: SeDebugPrivilege	2596	ksomisc.exe
Token: SeLockMemoryPrivilege	2596	ksomisc.exe
Token: SeDebugPrivilege	1716	regsvr32.exe
Token: SeDebugPrivilege	4080	regsvr32.exe
Token: SeDebugPrivilege	5056	ksomisc.exe
Token: SeDebugPrivilege	5056	ksomisc.exe
Token: SeLockMemoryPrivilege	5056	ksomisc.exe
Token: SeDebugPrivilege	1280	ksomisc.exe
Token: SeDebugPrivilege	1280	ksomisc.exe
Token: SeLockMemoryPrivilege	1280	ksomisc.exe
Token: SeDebugPrivilege	100	ksomisc.exe
Token: SeDebugPrivilege	100	ksomisc.exe
Token: SeLockMemoryPrivilege	100	ksomisc.exe
Token: SeDebugPrivilege	468	ksomisc.exe
Token: SeDebugPrivilege	468	ksomisc.exe
Token: SeLockMemoryPrivilege	468	ksomisc.exe
Token: SeDebugPrivilege	832	ksomisc.exe
Token: SeDebugPrivilege	832	ksomisc.exe
Token: SeLockMemoryPrivilege	832	ksomisc.exe
Token: SeDebugPrivilege	2268	ksomisc.exe
Token: SeDebugPrivilege	2268	ksomisc.exe
Token: SeLockMemoryPrivilege	2268	ksomisc.exe
Token: SeDebugPrivilege	1032	ksomisc.exe
Token: SeDebugPrivilege	1032	ksomisc.exe
Token: SeLockMemoryPrivilege	1032	ksomisc.exe
Token: SeDebugPrivilege	4708	ksomisc.exe
Token: SeDebugPrivilege	4708	ksomisc.exe
Token: SeLockMemoryPrivilege	4708	ksomisc.exe
Token: SeDebugPrivilege	2580	ksomisc.exe
Token: SeDebugPrivilege	2580	ksomisc.exe
Token: SeLockMemoryPrivilege	2580	ksomisc.exe
Token: SeDebugPrivilege	4712	ksomisc.exe
Token: SeDebugPrivilege	4712	ksomisc.exe
Token: SeLockMemoryPrivilege	4712	ksomisc.exe
Token: SeDebugPrivilege	4408	ksomisc.exe
Token: SeDebugPrivilege	4408	ksomisc.exe
Token: SeLockMemoryPrivilege	4408	ksomisc.exe
Token: SeDebugPrivilege	3212	wps.exe
Token: SeDebugPrivilege	832	wps.exe
Token: SeDebugPrivilege	864	ksomisc.exe
Token: SeDebugPrivilege	864	ksomisc.exe
Token: SeLockMemoryPrivilege	864	ksomisc.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
2360	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
2360	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
2360	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
2360	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
2360	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
2360	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
2360	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
2360	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
2360	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
1852	ksomisc.exe
1852	ksomisc.exe
3604	ksomisc.exe
1444	ksomisc.exe
3604	ksomisc.exe
1444	ksomisc.exe
3604	ksomisc.exe
1444	ksomisc.exe
1444	ksomisc.exe
3604	ksomisc.exe
3060	ksomisc.exe
3060	ksomisc.exe
2596	ksomisc.exe
2596	ksomisc.exe
5056	ksomisc.exe
5056	ksomisc.exe
1280	ksomisc.exe
1280	ksomisc.exe
100	ksomisc.exe
100	ksomisc.exe
100	ksomisc.exe
100	ksomisc.exe
468	ksomisc.exe
468	ksomisc.exe
468	ksomisc.exe
468	ksomisc.exe
832	ksomisc.exe
832	ksomisc.exe
832	ksomisc.exe
832	ksomisc.exe
2268	ksomisc.exe
2268	ksomisc.exe
1032	ksomisc.exe
1032	ksomisc.exe
4708	ksomisc.exe
4708	ksomisc.exe
2580	ksomisc.exe
2580	ksomisc.exe
4712	ksomisc.exe
4712	ksomisc.exe
4408	ksomisc.exe
4408	ksomisc.exe
864	ksomisc.exe
864	ksomisc.exe
1016	ksomisc.exe
1016	ksomisc.exe
5116	ksomisc.exe
5116	ksomisc.exe
2356	ksomisc.exe
2356	ksomisc.exe
1416	ksomisc.exe
1416	ksomisc.exe
2932	ksomisc.exe
2932	ksomisc.exe
1928	ksomisc.exe
1928	ksomisc.exe
1224	ksomisc.exe
1224	ksomisc.exe
3860	wpsupdate.exe
3860	wpsupdate.exe
5056	wpsupdate.exe
5056	wpsupdate.exe
1108	ksomisc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 4592	2360	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe	89
PID 2360 wrote to memory of 4592	2360	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe	89
PID 2360 wrote to memory of 4592	2360	2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe	89
PID 376 wrote to memory of 1852	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	94
PID 376 wrote to memory of 1852	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	94
PID 376 wrote to memory of 1852	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	94
PID 376 wrote to memory of 3604	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	95
PID 376 wrote to memory of 3604	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	95
PID 376 wrote to memory of 3604	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	95
PID 376 wrote to memory of 1444	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	96
PID 376 wrote to memory of 1444	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	96
PID 376 wrote to memory of 1444	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	96
PID 4592 wrote to memory of 4340	4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	97
PID 4592 wrote to memory of 4340	4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	97
PID 4592 wrote to memory of 4340	4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	97
PID 376 wrote to memory of 3060	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	98
PID 376 wrote to memory of 3060	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	98
PID 376 wrote to memory of 3060	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	98
PID 376 wrote to memory of 2596	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	99
PID 376 wrote to memory of 2596	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	99
PID 376 wrote to memory of 2596	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	99
PID 2596 wrote to memory of 1716	2596	ksomisc.exe	100
PID 2596 wrote to memory of 1716	2596	ksomisc.exe	100
PID 2596 wrote to memory of 1716	2596	ksomisc.exe	100
PID 2596 wrote to memory of 4080	2596	ksomisc.exe	101
PID 2596 wrote to memory of 4080	2596	ksomisc.exe	101
PID 2596 wrote to memory of 4080	2596	ksomisc.exe	101
PID 4080 wrote to memory of 1420	4080	regsvr32.exe	102
PID 4080 wrote to memory of 1420	4080	regsvr32.exe	102
PID 4592 wrote to memory of 5056	4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	103
PID 4592 wrote to memory of 5056	4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	103
PID 4592 wrote to memory of 5056	4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	103
PID 4592 wrote to memory of 1280	4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	104
PID 4592 wrote to memory of 1280	4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	104
PID 4592 wrote to memory of 1280	4592	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	104
PID 376 wrote to memory of 100	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	105
PID 376 wrote to memory of 100	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	105
PID 376 wrote to memory of 100	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	105
PID 376 wrote to memory of 468	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	106
PID 376 wrote to memory of 468	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	106
PID 376 wrote to memory of 468	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	106
PID 376 wrote to memory of 832	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	116
PID 376 wrote to memory of 832	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	116
PID 376 wrote to memory of 832	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	116
PID 376 wrote to memory of 2268	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	108
PID 376 wrote to memory of 2268	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	108
PID 376 wrote to memory of 2268	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	108
PID 376 wrote to memory of 1032	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	109
PID 376 wrote to memory of 1032	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	109
PID 376 wrote to memory of 1032	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	109
PID 376 wrote to memory of 4708	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	110
PID 376 wrote to memory of 4708	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	110
PID 376 wrote to memory of 4708	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	110
PID 376 wrote to memory of 2580	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	111
PID 376 wrote to memory of 2580	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	111
PID 376 wrote to memory of 2580	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	111
PID 376 wrote to memory of 4712	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	112
PID 376 wrote to memory of 4712	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	112
PID 376 wrote to memory of 4712	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	112
PID 376 wrote to memory of 4408	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	113
PID 376 wrote to memory of 4408	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	113
PID 376 wrote to memory of 4408	376	29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe	113
PID 4408 wrote to memory of 3212	4408	ksomisc.exe	114
PID 4408 wrote to memory of 3212	4408	ksomisc.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-10_bb17eb1049975bae79f611fd25495ea7_avoslocker_floxif_hijackloader_luca-stealer_magniber_revil.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\wps_download\29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
  "C:\Users\Admin\AppData\Local\Temp\wps_download\29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe" -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -createIcons -curlangofinstalledproduct=en_US -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
    "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4340
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -regmtfont
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5056
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\\office6\ksomisc.exe" -setappcap
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1280
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\\office6\ksomisc.exe" -assoepub -source=1
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:1928
  - - C:\Windows\SysWOW64\openwith.exe
      "C:\Windows\SysWOW64\openwith.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:872
  - - C:\Windows\SysWOW64\openwith.exe
      "C:\Windows\SysWOW64\openwith.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4308
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\\office6\ksomisc.exe" -registerqingshellext 1
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:1224
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\addons\html2pdf\html2pdf.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2072
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -regmso2pdfplugins
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:1108
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\kmso2pdfplugins.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4744
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\kmso2pdfplugins64.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4804
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\kmso2pdfplugins64.dll"
        5⤵
        
        PID:3760
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -regPreviewHandler
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    PID:1516
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\\office6\ksomisc.exe" -unassopic_setup
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    PID:3604
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\\office6\ksomisc.exe" -defragment
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    PID:4232

C:\Users\Admin\AppData\Local\Temp\wps_download\29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe
"C:\Users\Admin\AppData\Local\Temp\wps_download\29368139f1709fe83757f8d2d53918f6-15_setup_XA_mui_Free.exe.500.2086.exe" -downpower -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -createIcons -curlangofinstalledproduct="en_US" -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -msgwndname=wpssetup_message_E582B51 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~e582882\
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:376
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -setlng en_US
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1852
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -getonlineparam 00500.00002086 -forceperusermode
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3604
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -getabtest -forceperusermode
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1444
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -setservers
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3060
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -register
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\kmso2pdfplugins.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\kmso2pdfplugins64.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4080
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\kmso2pdfplugins64.dll"
      4⤵
      PID:1420
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -assoword
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:100
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -assoexcel
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:468
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -assopowerpnt
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:832
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -compatiblemso -source=1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2268
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -checkcompatiblemso
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1032
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -saveas_mso
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4708
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -distsrc 00500.00002086
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2580
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -sendinstalldyn 5
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4712
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -externaltask create -forceperusermode
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\wps.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3212
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\wps.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\wps.exe" CheckService
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4192
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\wps.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.19307/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=3212 /prv
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:832
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -createsubmodulelink startmenu prometheus
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:864
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -createsubmodulelink startmenu pdf
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1016
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -createsubmodulelink desktop pdf
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:5116
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -createsubmodulelink desktop prometheus
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2356
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -createCustomDestList
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1416
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\kwpsmenushellext64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:932
- - C:\Windows\system32\regsvr32.exe
    /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\kwpsmenushellext64.dll"
    3⤵
    - Modifies system executable filetype association
    PID:2024
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -setup_assopdf -source=1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2932
- - C:\Windows\SysWOW64\openwith.exe
    "C:\Windows\SysWOW64\openwith.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4568
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\wpsupdate.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\wpsupdate.exe" /from:setup
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:3860
- - C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
    "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1412
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\wpsupdate.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\wpsupdate.exe" -createtask
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:5056
- - C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
    "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3460
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -createexternstartmenu "WPS Office"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  PID:3344
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -rebuildicon
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  PID:4404
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe" -reportAssoInfo -forceperusermode
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\Qt5NetworkKso.dll

Filesize
1.1MB

MD5
8185e441fc71deb5d68a183870e9befc

SHA1
a3f1b0f212c07faf9487ecae3874ec03a3f50bfa

SHA256
bf6cfbcfd76b1e13b20ffd9aa4397a8f4b3d851e85fa2dd5e5ca098259e2486a

SHA512
dbe62682a6cd6b3510c37ed3f680e6f7dafaa2816327bf509587a81f43a5e7e7ee5cb4576188469378a80c656a9c116bc61c399245e2e5c1af764e1e21348676

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\addons\ksearchpanel\mui\pt_BR\ksearchpanel.qm

Filesize
334B

MD5
2b42be10ddde43a0b6c2e461beae293a

SHA1
53888c4798bc04fdfc5a266587b8dc1c4e0103f3

SHA256
984ebeef80f6f50907afb92e5b5ae72df49fce045552c118a77a8887cc98e19b

SHA512
be3ebd02d37de367200696351fb5f9cd0ec4c206c3a33f281cb8b62386457a30a899322798c63a0d495577393e47258994feb7f8e2445645f552c2b7a2de6778

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\addons\kstartpage\mui\default\htmlappstore_xa\run.ini

Filesize
171B

MD5
b30cb271e143eace0f55ea2e562e1e9f

SHA1
9d97dbf24931cfc114384c3f4dbbae21c9e51be5

SHA256
3ab7bb6175885fc6acbf5eed0062b0d00c059cb4c68bd2ef90149b2c8763e658

SHA512
dc593185fa63b458024c3a913c558e5686806154181dea67eec786ada50595c53bab822833ad1e76c9acdf21be3eba50631391b7e575d7f1f6409ceccf966535

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\fr_FR\history.js

Filesize
198KB

MD5
097cc4ae8e8a9ebd05f3a5a2d2695a1a

SHA1
c4d19da1a03e4cd8f33c582f6dc376b32d27ff99

SHA256
5d7f1e834f01b6f1801581cd2e78e5e398186aa454c7264b3201a30d97f2d399

SHA512
b28658945ba733db46702762c1a735673db14f630b14b6a2682f62fa98908ff3739c6c511a1503e51fe83e1b672b8bc76db3be7ec5af355b8e5596193ef4f2ad

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\cfgs\setup.cfg

Filesize
432B

MD5
47ad040fd613b2987769458365b4b24b

SHA1
fd97b3316a2ae44af716359338755db70e6db8eb

SHA256
79b949e67dcad6bfb8b07b764f1e9baeda0bbcba6d0720aa7394df8a5fea364e

SHA512
f2d3b31f16c8d4ef33a0d657117d462bebb9ba90d63c8820df5e2db1a88e33a7451f1a67958d730760b3fcdb10983fde47348aa6363d7844030e7ad8b01c0a96

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\kshell.dll

Filesize
23.2MB

MD5
16ce422e2c21fdcf1089140112848840

SHA1
1ee1f02a97497a2f8a2399074e189d2e3b4c9eba

SHA256
472dc5c26ff49a6452d33a5106829b12adc4a0457b3ecfea659e385a14c4a1f4

SHA512
2faadc4cb60191e8a27c45abf1878b3a048ea87bd20fda801664b38bcb1c5a28090afcfb556abc68e94d64a515d1c60bf13832dae70e38bc97c05edacb4fc716

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksolite.dll

Filesize
10.1MB

MD5
545b9e2bd75ab9dd5e04c2ed4e09c4c7

SHA1
4ed64bd6f44c4d6ade16d1861940eb898a2aaa80

SHA256
f3e5773ed0233f52be847b4987e38ba23bb0d148b62c437ecedb385fe276aa8f

SHA512
a5d767e112e1fc43b5fd68f69f611128fcfab15fef11c0662297c9954830e5686ffd6b7b026dbd06d923367e53fbbb6d71ee47e23c807e6ac0659e8abdfea8cf

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\ksomisc.exe

Filesize
3.1MB

MD5
7194937a328c56e4cf44794200f10111

SHA1
4a6c1e04e0e0f183a7ab33a95588ab8cd4f06cb9

SHA256
730817c2fbc96b4cca95ed88507b053b82f8664e2fa3c4366fc70fee89a5a552

SHA512
9ab88568a69fa1f1ce89d3bcd9dcd4794478f0628bc2c7a265d1057664a3a8f5f663d88283c65be7f77edaba62653a6b8c6f7a2e67ccf556612f62fab5a1dfd9

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\mui\ja_JP\resource\splash\hdpi\2x\ent_background_2019_wpsoffice.png

Filesize
236KB

MD5
c5ad1903526a9ca4c2f55cfea1e22778

SHA1
9c7b9ba9100a919cad272fb85ff95c4cde45de9f

SHA256
5e7ba996d2331f37b9799767c0fa806cab9a39fea434796ab08dcaf39096e334

SHA512
e482142e81fbe71666b40f7a2c53702b4278436a0240e0f56200443cf4235d9942cccc3545cc01486d53a0972be553cbf93442e8b05de7b4fcd1fe8a4ec16bb4

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\qt\plugins\platforms\qdirect2d.dll

Filesize
1.4MB

MD5
dcfa9c99154a2a80411ef8106c8bd835

SHA1
f7cbc5c1769ee974b01f887c4fa33a947bd7fce8

SHA256
f1b719c1d232362badee5f058047616d9d3a4db0c09ea83b6e1e9eacfde79803

SHA512
dabb12dc81afd921884caac0db9376c79803d2db28950af74ee35847e88ee81997a93513b12a6d0580f7512c8f127923edc9eeeff1aa5b5c3f8d4a65e8ddc2d4

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\office6\wpscloudsvr.exe

Filesize
903KB

MD5
4f31e3853ff551bc89b3ba43ee757bb8

SHA1
c9003aadc277c3433c4a7e4d0803c0ee58d882b1

SHA256
24b525284db95cbb25837af4f6d22ae735100abd895eed2a5c33f3e3e7d74893

SHA512
e245892f65af0e76c838746f275225b631c2656f9818304d8969a7936380704a3e527c672a3e08c90d5cf02212fb08f038251749fb1d3be292638847ec855429

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\utility\install.ini

Filesize
499B

MD5
183330feb3b9701fec096dcbfd8e67e4

SHA1
2f43379fefa868319a2baae7998cc62dc2fc201d

SHA256
ac4f26a184114522200169c5f57a0af4498a20d19b7ec6def14dd2c6413eb475

SHA512
643cc197456f15da6ddd6eb904f2b25ad4236a24310d575958c0c8e457a33167e748d21184162502a295fa466c031a837511d4d5348fd67499ede1b60065c471

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.19307\utility\install.ini

Filesize
675B

MD5
0bffe1570b0cafc1e62d966ab866fca3

SHA1
355957804dc06b0d1b9164f07db721ecdd68a557

SHA256
da734b32af7e0ed2ffcb20a9c75d89172acb06d4dfdbfa6b4f6610d86f0d1e63

SHA512
dd4fc20b9c94dc5e5bce82851c6e262880ab1ec53a49b40a4da1a38686bde21df9ca862e4bf68e8284b3f085c16f5c0d7f9fea6911734906320067e5d50b6e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\API-MS-Win-core-xstate-l2-1-0.dll

Filesize
10KB

MD5
b74d06f62cd28683b35052715273f70f

SHA1
28f0ff95c64faa31eafdc4e5e95cd7dbeb54ca22

SHA256
144eb756de343fcb063034e9708cded52fe7f83ac3c94244a8de9baf95fe954a

SHA512
fd20a4342d365396c950b7a1c1b9672b4151fc1097af3abff6af9e0723f8bfb0628ac8cf3cdbae466fcb78ad5520ce5ef7a76d76a86f889dfa98b9a4d2fc032d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\Qt5CoreKso.dll

Filesize
5.1MB

MD5
4f87e60cbc3c4a35d67a8d8949ef0745

SHA1
9092fc6af7a9d6e507dd6e5ab48b75ff50226b6c

SHA256
60b0e044d5ce13e248eb9bc05f61c89ae6e5306e770c987b0a817050e996ecc7

SHA512
f238d1e7c3c2274fa56ba1efd8142bf4cf4c744de7233d41a74f35104c91b739e5b18535012b1d7cb685ce83ae14d73244a1851e29160d39bc36f4cfab8e59c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\Qt5GuiKso.dll

Filesize
5.3MB

MD5
a644ef4dda26ef5cb71d2d394156ff36

SHA1
27f8e4c9c3737e001c3e50d5639c57ed34a8f367

SHA256
6f6806de1af88ff0a8ce725f20b0050ab54d2911663ca872e17a92bf375493d0

SHA512
81795aba1dd451994cd05edd690a5f5a21dffa31bbf4d194d2b44dcad4f73bce24d41443c961e68f9ea22f2571418a7f023e7bc3b93b5ccc5eecf2e2715b3006

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\Qt5SvgKso.dll

Filesize
392KB

MD5
f5d769a8c7afdae15888e2a27cf9b8f0

SHA1
a3e211c1dc5ca9c858af3db9d885b33ad066b19b

SHA256
c8f473ef26c5279e54512c124c9c900e771273f71a08a9744340009557853822

SHA512
7c037bb81ec5dd01803a67f8f382a339bb466f3f6485ccb298223a5157a0a324803450dba412d11a2e8cb4b7a9fdba6bbafb9590eccc903e083af9f85e5df40c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\Qt5WidgetsKso.dll

Filesize
4.5MB

MD5
26bcd9a8441d609c66c920e0c7ad2311

SHA1
fd699e45b2fb4e00de0ee5b86275d903972859d4

SHA256
0669c047f517cd5d18d1465c34006de698c21a499e8731f9fe90e6b75d6baeb0

SHA512
210d04a09fffeedcd956fab9db307d7ed7b5b63c563d8ce6e6ca058991a0a1c4c2bf3b04911de99588f1f6f535a9ad1b8bb9655f507720b8c700fca88a580433

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\Qt5WinExtrasKso.dll

Filesize
217KB

MD5
1a8a76defa374ac2f51eb14acfbcfd0c

SHA1
f36d8da78df79d228795361a3fe2be66153d574b

SHA256
7bed489f580d7756cf8006090503b771dc3c98c05d0f7ef14607f19438e22526

SHA512
e5ca8bb54108452d5d226545389a05e223b9e053bb00e411eb55000b2bb8b24f809e4d836efccf1b7cc1c21106c56e7814b3209798e4c374bedae7d9cb5daf9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-core-console-l1-1-0.dll

Filesize
11KB

MD5
b951011ba021c374455e8d1e18af84d2

SHA1
2d2e5e097ba5d92e6977cbb23afcc60b2e1d1c8c

SHA256
1c057286bdf0cb90f7dd1fecf5e8afbcff1e27f2a94612967c0634ae639ca43d

SHA512
bc7007ea97647b53a62561c7eafdc292478e2d1dd9cad9f84a3641eba5a57184274fd992f08a18c7f9afa82d5c37a15b6058f147e88623d5d0f5b962931b3850

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-core-console-l1-2-0.dll

Filesize
11KB

MD5
c26d7d913fd245afc0f0d658595447dc

SHA1
b5e00a0516b6c8c6f6a51ea40fae1beba3dd49ba

SHA256
73e4264dd66696163fbbf868729841f2e9b86f5a59912e64fb9718a8c889a7aa

SHA512
f7e22751671ef8f5d9768cb96733377cd5f38cdf241503234f69c4c6ac9348416c1a7622d7008fc1323a8673359db9e0bef29a4fec7853c5b5fe0b94e294471a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-core-datetime-l1-1-0.dll

Filesize
10KB

MD5
7435c7831c7b3b47e55701e5c6cca67a

SHA1
8e0fcc170f5d66beea796b38cd544a045375204b

SHA256
7ea1c2902a47fcd4a30180a4fe5ba5800fcad76b63da5ca4494e24954cea9bd3

SHA512
453fde0df6bf8867dac38e1dd155300a4fb3ab88a20de3420f14ce2c05d890459b767671b23d21422c49ff1aebb9ea84b47bee0e2b2305a7af1314393de28267

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-core-debug-l1-1-0.dll

Filesize
10KB

MD5
d05f970cf2bdb0da0a1bf33cbc36b53d

SHA1
505b7e21e237d7f8c454bdfb37b19932ae6980d3

SHA256
273516d86d92975ba14f0f85bdce5b81f75f8ba76e08e33575c67f34d7236775

SHA512
62b843ea200fee7868482de417048458c304a218ccacf44b70e0026bafc5e37aec4e7ad2c93513cfdbaa06e5ced7a826fa4701d27d6fb9eb81f183335fa182d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
10KB

MD5
801750157960c928af876c3ec8dd4651

SHA1
1cb405eb7339ef121df51f5eba44e0b0177a76d3

SHA256
be330de7aa8f2f33bcdabf0cec2551399b4ea0f22335a0277ea9c3a7aa405bdd

SHA512
70d84b12ec65f497720dd3ee2c634a67d2f0011c9ea825bdbf20343f3572a99432a843cb178f705d923649694cd38aea9ed97b7162138e56374cd369d158d2b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-core-file-l1-1-0.dll

Filesize
14KB

MD5
7f3c75a78482e1ea21cdd81055b3135f

SHA1
e0fa94d72626531aa971c3f1385f03ded6bde6a0

SHA256
50347ffd660720cb1f41691be2793d00b169c864f7260dba1966a8ce5c9da943

SHA512
925ee75ea5261de55d50e0c72de891833e20975b06cf9a1712385c077fef4548639d629354969cc8d18bc7664b6b3e03ffd11d08965e2fc94b3a11d3de6cf839

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
cd3cec3d65ae62fdf044f720245f29c0

SHA1
c4643779a0f0f377323503f2db8d2e4d74c738ca

SHA256
676a6da661e0c02e72bea510f5a48cae71fdc4da0b1b089c24bff87651ec0141

SHA512
aca1029497c5a9d26ee09810639278eb17b8fd11b15c9017c8b578fced29cef56f172750c4cc2b0d1ebf8683d29e15de52a6951fb23d78712e31ddcb41776b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-core-file-l2-1-0.dll

Filesize
10KB

MD5
b181124928d8eb7b6caa0c2c759155cb

SHA1
1aadbbd43eff2df7bab51c6f3bda2eb2623b281a

SHA256
24ea638dfa9f40e2f395e26e36d308db2ab25ed1baa5c796ac2c560ad4c89d77

SHA512
2a43bf4d50d47924374cde689be24799c4e1c132c0bc981f5109952d3322e91dd5a9352b53bb55ca79a6ea92e2c387e87c064b9d8c8f519b77fff973d752dc8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-core-handle-l1-1-0.dll

Filesize
10KB

MD5
d65ef6902015757c4b5e2b550c233e1d

SHA1
8b3a44beceb81727071337a9c9e7d0f3b1370455

SHA256
9f2c87a8f541fd2e563778208c51f1e1852d4874571b6c5218066c0d58f9539c

SHA512
01dc60cf2d8f902848a4234cb97b12329d813f836786407ee090083a9fa6750df7f6b4db6d3496a873fc352bba4edf109ea6d5811d124075d8f3d21008c96773

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-core-heap-l1-1-0.dll

Filesize
11KB

MD5
8af9779906d36b71166a1e286c880d0d

SHA1
deb18c79ab7def1f7ce1b22f90d21b3f6c5d8ef3

SHA256
2e9a683aa69db2f8186ce9ac3e6a610fc727390155668b2680a728a6e6c67247

SHA512
c9927edc959272747aad42f9d243119fba2d126ac7e0463b59847e3738fe62fe58c01f666791d66177949e61b6bf36da67d558475382aa71a236794137186e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
11KB

MD5
2f68cbb35c4c8e66c7d1a8b6c2079700

SHA1
2acb3bdfb7209323d586866e276e152d540d5ae3

SHA256
96509b560bc604a30af26e08d6181d24dde1d51bf3654a12cd663a4ba1a11eac

SHA512
d5886e85abb2b2b4dd0d632e56d7f056f58374b774769bc83dc84f734827fc87b91d85f609f6faae3e3c10703716b31d775ca7f5819a1f719a355a154a8cc1ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
11KB

MD5
57a0a074d52e17ce0fec69b4106bceb4

SHA1
f6fbe3fe91884d3aa19ce93156423da55bdd6ced

SHA256
f378ed4e0a68ca5fefff824912a5ec14992a6a8859e088a50a6df6d632611834

SHA512
8878c3bc77e004924e4595e03d0e717c75e44475e3bef923facd8435fbb26d2f7b3e16acb1e0516e0d0a5df502375ef86aa360d7c9cd79a52256b946896a7df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
21519f4d5f1fea53532a0b152910ef8b

SHA1
7833ac2c20263c8be42f67151f9234eb8e4a5515

SHA256
5fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1

SHA512
97211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-core-memory-l1-1-0.dll

Filesize
11KB

MD5
ed6d551457d8a41b48bf017b79765e27

SHA1
fa1609389caea2192f37017a23ec66e0c7f21d65

SHA256
7733252eb66a1f3ce0efc5c375fadd6fa20a596324658c72d4e707f67909a433

SHA512
a0fb6d1420c9a74266c368f246af06c173379c78f0ac6eb676aa95f5c41e9b12f52fc32ec79c89d1cf4ea67c0a8d092d0ca3caba651188598a52b1a2ff2f4c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
10KB

MD5
d8873df4158c5d449f13fd32442f10f5

SHA1
52c9bf4137e466124eab9aa639671795d05125f1

SHA256
04532aed545a391a9e95d6103a816ec5d26df14af51f51dd0c649ddd57862e5c

SHA512
e52876ca557755f50bdd3f9adf124a6a562798a725480238f747348c9f81539903f8a19eeb00a61e50f5fde6e7acc8e613b4ba94cc0d8facc2a91f98078997d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
11KB

MD5
0a34f6f91287218a1d451999957701b3

SHA1
05727b747b29845e025d2efde0e43ee36927439e

SHA256
ed755e302cc2a9f5d3cc38140a90697c6bb24965acc6cdaddb63e95c3d2cb9bd

SHA512
24d69f006cdfb91182e3cf9d917dad90353c5824cb19a00a9c4dc9feff0a279a32750a83774a5fe4f5e863386e23efb96a0b54a82c551f28822c6df410eebed8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
13KB

MD5
45578c4fafc6d9d5ab6e78a07827c19e

SHA1
2fdf383c24a697a0cc29231dab4d0a77207a29f1

SHA256
6d298ae58e7651d23b75a4f6cc070794e716574fe497105fb4ef727ce9782779

SHA512
63ce2272ecc03e7e8c60395360fc685b4b144fb1cadc709f15e070e4e7b769ab282e7a652254386e83827d7982936f38a152014848e183fdb0ea38dff92e83bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
b5c8334a10b191031769d5de01df9459

SHA1
83a8fcc777c7e8c42fa4c59ee627baf6cbed1969

SHA256
6c27ac0542281649ec8638602fbc24f246424ba550564fc7b290b683f79e712d

SHA512
59e53c515dfa2cd96182ca6539ed0ea2ebb01f5991beb08166d1fc53576aeaafebbb2c5ee0ccbdab60ae45fc6a048fff0b5e1b8c9c26907791d31fb7e75b1f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-core-profile-l1-1-0.dll

Filesize
10KB

MD5
1672a33674cbaf42b3eec20d52930bd9

SHA1
f6e3da76e7de8a0d5f2e254b080ba973c92ba817

SHA256
a99b485112b305623ec3c8ea0d4c9acfac0c5c66821d4a98cde7b43edb8b78fc

SHA512
7b405243d474706c192e3e3b67ff61412adf41ea3bbbdcd5281aab2e7bed01c0c83a09fe60c0a0274d176a3aeb54dc0406dd044e002b8a447503c6dceb34d237

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
10KB

MD5
83cad14da9e92a8baf84a9afe2c9a5b0

SHA1
14c89f2ade657eb9249b95f9290fb4284908c9c6

SHA256
a45a7143971e7f8bbe4d5667927e3ba0fe5d0c025ef5d776ff8a5826341a99cf

SHA512
a5e93d77555e65bff5d47b2d6e9f7668cc6353a815cb1b11eaa6910594d53a9a2a538b8fe6b89cc2589f0dee321215039c012637809fc513b39fb902c02fdb4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-core-string-l1-1-0.dll

Filesize
10KB

MD5
990cba52bd41c096c79778188dd63a15

SHA1
4a902cf7e4500c736ab4830e762cc1e18bb224ec

SHA256
0c1cbbb4630d38632ed6a5bae9ba7e06fe19433f2a5bd548f3d73f315359d79e

SHA512
1ed847989d02ef2c57edbd4726d818ea4bd811a255873765dd6090b9f8b204dff3610e887979ff8016c9b40bdcd2eab39ed064bb0f5f4447a94d56ab24e5183e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-core-synch-l1-1-0.dll

Filesize
12KB

MD5
69e1eddc7cd991f9f5db2fc6fdb6f46e

SHA1
6e8a961767f5ac308d569fd57e84b56b145c6c53

SHA256
cc39ce8fe4a38a80c7b316a7191bd319efd99f9f7cb5b97fe8c3d65d2e788070

SHA512
61935e8eab14babb17dc4362e49f06119efde5de0d3b8d0e330b8b8989ffaeacefd23eada19d4747605f9e9f510ed4f11618b047f6c915554162f19e5a138f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-core-synch-l1-2-0.dll

Filesize
11KB

MD5
eb6f7af7eed6aa9ab03495b62fd3563f

SHA1
5a60eebe67ed90f3171970f8339e1404ca1bb311

SHA256
148adef6a34269e403bb509f9d5260abe52f413a6c268e8bd9869841d5f2bd02

SHA512
a9961212b40efc12fd1ab3cc6551c97c987e73b6e409c9ab8a5e1b24542f9e5884811f06883bd31d2585219c4f60c30de2d188788513c01b6cbfe22d539d7875

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
11KB

MD5
d4359815e2a7f10b4dd3ec3945eed45a

SHA1
4c83bd868c963c3afa29d92f75d185ad612c9b11

SHA256
328dff5738e59b78e2951920efcc69e97548c8081f4714540b4e723443b8feb4

SHA512
09ac1040e0a9edd8562c4b76430c82cc25ca94634a9c632803d8bc8eec6ac34d9ad5fb6509416bcd970accb6dce27730bcfeb1ce29d0920c84cc2daf5102d627

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
86421619dad87870e5f3cc0beb1f7963

SHA1
2f0fe3eb94fa90577846d49c03c4fd08ef9d3fb2

SHA256
64eccd818f6ffc13f57a2ec5ca358b401ffbb1ca13b0c523d479ef5ee9eb44ab

SHA512
dbce9904dd5a403a5a69e528ee1179cc5faab1361715a29b1a0de0cd33ad3ae9c9d5620dafb161fda86cb27909d001be8955940fd051077ffe6f3ff82357ad31

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-core-util-l1-1-0.dll

Filesize
10KB

MD5
e0727785f827d39eb167749227a316ed

SHA1
c063a309aeff016f0a7d728c44fe169ce6da12c5

SHA256
e4e4e55abf599d1a9ef7b95da0d7fd37f23a6cf1d368a77f88390eb2e0c1340d

SHA512
83c2bc0f3049b619bf39a8cd6b5fa1ee1346ada2075e7495f264360a62f6fe7ddaafb382b60dfc18857c981c584c750a0b07c1d5d81410a80c296fa1b276ad0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-crt-conio-l1-1-0.dll

Filesize
11KB

MD5
a76584c4923b1be911d9ece4ea439116

SHA1
e025b0afc3b9a8046f83e5df718bac4ad05c9c2c

SHA256
3181c520d7ab831c8ff330afe15ad717a5a1ed85b5d91b50b838be1e5c96d052

SHA512
9e701066b81979318f41ac54ef4e1faf7a5e4cfa7482e61a60717fde10bba0851bf86f446f53a8bb26a1df95405cba0969648435fff3368bf9c2fec9ffc333be

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-crt-convert-l1-1-0.dll

Filesize
14KB

MD5
88f89d0f2bd5748ed1af75889e715e6a

SHA1
8ada489b9ff33530a3fb7161cc07b5b11dfb8909

SHA256
02c78781bf6cc5f22a0ecedc3847bfd20bed4065ac028c386d063dc2318c33cc

SHA512
1f5a00284ca1d6dc6ae2dfce306febfa6d7d71d421583e4ce6890389334c2d98291e98e992b58136f5d1a41590553e3ad42fb362247ae8adf60e33397afbb5df

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
0979785e3ef8137cdd47c797adcb96e3

SHA1
4051c6eb37a4c0dba47b58301e63df76bff347dd

SHA256
d5164aecde4523ffa2dcfd0315b49428ac220013132ad48422a8ea4ca2361257

SHA512
e369bc53babd327f5d1b9833c0b8d6c7e121072ad81d4ba1fb3e2679f161fb6a9fa2fca0df0bac532fd439beb0d754583582d1dbfeccf2d38cc4f3bdca39b52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
12KB

MD5
a1b6cebd3d7a8b25b9a9cbc18d03a00c

SHA1
5516de099c49e0e6d1224286c3dc9b4d7985e913

SHA256
162ccf78fa5a4a2ee380f72fbd54d17a73c929a76f6e3659f537fa8f42602362

SHA512
a322fb09e6faaff0daabb4f0284e4e90ccacff27161dbfd77d39a9a93dbf30069b9d86bf15a07fc2006a55af2c35cd8ea544895c93e2e1697c51f2dafad5a9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-crt-heap-l1-1-0.dll

Filesize
11KB

MD5
a6a9dfb31be2510f6dbfedd476c6d15a

SHA1
cdb6d8bd1fbd1c71d85437cff55ddeb76139dbe7

SHA256
150d32b77b2d7f49c8d4f44b64a90d7a0f9df0874a80fc925daf298b038a8e4c

SHA512
b4f0e8fa148fac8a94e04bf4b44f2a26221d943cc399e7f48745ed46e8b58c52d9126110cdf868ebb723423fb0e304983d24fe6608d3757a43ad741bddb3b7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
50b721a0c945abe3edca6bcee2a70c6c

SHA1
f35b3157818d4a5af3486b5e2e70bb510ac05eff

SHA256
db495c7c4ad2072d09b2d4506b3a50f04487ad8b27d656685ea3fa5d9653a21d

SHA512
ef2f6d28d01a5bad7c494851077d52f22a11514548c287e513f4820c23f90020a0032e2da16cc170ae80897ae45fc82bffc9d18afb2ae1a7b1da6eef56240840

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-crt-math-l1-1-0.dll

Filesize
21KB

MD5
461d5af3277efb5f000b9df826581b80

SHA1
935b00c88c2065f98746e2b4353d4369216f1812

SHA256
f9ce464b89dd8ea1d5e0b852369fe3a8322b4b9860e5ae401c9a3b797aed17bf

SHA512
229bf31a1de1e84cf238a0dfe0c3a13fee86da94d611fbc8fdb65086dee6a8b1a6ba37c44c5826c3d8cfa120d0fba9e690d31c5b4e73f98c8362b98be1ee9600

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-crt-multibyte-l1-1-0.dll

Filesize
18KB

MD5
cce453c53f6dac9496bfa5415cc92731

SHA1
18fee669be0aa8a1839a75a167980f3f246c93a4

SHA256
50752719a62627e7a8d2c26970fe59af839692d060c009fd0652325362752659

SHA512
2cfe07c602c2e6205a2a2aa0de4ca8e105c9973d14b9d131a6372ba54697d17af7c84c898329425a3d19fd6c1434bcaf162ca0dbc5f0d20cb5973c63aee6b23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-crt-private-l1-1-0.dll

Filesize
64KB

MD5
1f72bfe2fb7bb2a403efda6ee963d259

SHA1
bcfb984771542970488bd6132dfa2746267b7fbc

SHA256
601ccd84d252fc6e024b1319902e48cf98bb922bf7799384a85640d5ce6f4a16

SHA512
e47c4c7a939d8e1022b6ce41ca15b1e3e4028f3bb302d1836bbdb3ec8d0c0141dd79ff147e6dc7fe56e09ab65dd15385362ea190d8792173674660a33acd5d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-crt-process-l1-1-0.dll

Filesize
11KB

MD5
108433c271995786a8289afd611ea28c

SHA1
ba58c577311e39ff7e92a6be0dd6b80abfee6edc

SHA256
4c058e5b8f83ce395a7004d8c4043735526de01c5764242d4ce4f683dcf1425c

SHA512
800bd7a8702905fd9be83f17087440228f1428237d202160a5618aa6cfe1d1aad3c2608f324db38d235348bd2c8682f55d8ff52d13f9c37fa7c32d64a967db77

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
4f06da894ea013a5e18b8b84a9836d5a

SHA1
40cf36e07b738aa8bba58bc5587643326ff412a9

SHA256
876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732

SHA512
1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
16KB

MD5
5765103e1f5412c43295bd752ccaea03

SHA1
6913bf1624599e55680a0292e22c89cab559db81

SHA256
8f7ace43040fa86e972cc74649d3e643d21e4cad6cb86ba78d4c059ed35d95e4

SHA512
5844ac30bc73b7ffba75016abefb8a339e2f2822fc6e1441f33f70b6eb7114f828167dfc34527b0fb5460768c4de7250c655bc56efd8ba03115cd2dd6f6c91c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
f364190706414020c02cf4d531e0229d

SHA1
5899230b0d7ad96121c3be0df99235ddd8a47dc6

SHA256
a797c0d43a52e7c8205397225ac931638d73b567683f38dd803195da9d34eac2

SHA512
a9c8abbd846ab55942f440e905d1f3864b82257b8daa44c784b1997a060de0c0439ecc25a2193032d4d85191535e9253e435deed23bdf3d3cb48c4209005a02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
d0b6a2caec62f5477e4e36b991563041

SHA1
8396e1e02dace6ae4dde33b3e432a3581bc38f5d

SHA256
fd44d833ea40d50981b3151535618eb57b5513ed824a9963251d07abff2baedf

SHA512
69bd6df96de99e6ab9c12d8a1024d20a034a7db3e2b62e8be7fdbc838c4e9001d2497b04209e07a5365d00366c794c31ee89b133304e475dde5f92fdb7fcb0bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
3dfb82541979a23a9deb5fd4dcfb6b22

SHA1
5da1d02b764917b38fdc34f4b41fb9a599105dd9

SHA256
0cd6d0ff0ff5ecf973f545e98b68ac6038db5494a8990c3b77b8a95b664b6feb

SHA512
f9a20b3d44d39d941fa131c3a1db37614a2f9b2af7260981a0f72c69f82a5326901f70a56b5f7ad65862630fce59b02f650a132ee7ecfe2e4fc80f694483ca82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\concrt140.dll

Filesize
238KB

MD5
4cc02ba9d10b18be0a02e3555aa78a98

SHA1
d1f63d5aa58b0b7ea1925dd3447861b3faf8cd8e

SHA256
1cddacbfb0c61652fcd543fef1e72cf649e27f3ee8f0d1c0d3988c0b5093e74e

SHA512
9d345573ec7a55aa06414cdd5b23e9085d016f4e9eec10581f93109c12e51603f39b01ce5539f8b1d16086e92b94baba05ebe45e9556c96a6b439c97cb82dc3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\dbghelp.dll

Filesize
1.2MB

MD5
56d017aef6a7c74cd136f2390b8ea6d3

SHA1
46cc837c64abe4e757e66a24ece56e3f975e9ef6

SHA256
900da3e0ea1b4f94773689b41d3f00b28b0fad0f6390da3aec3a9f84a3f85920

SHA512
7b5573461693c6125df7ff9040afb6f4fa818a68add9073071a3317767216dd9a6cf25704f3189f3923ead36751fa830e9899eb79f9b6cad3be405262bf53f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\extensibility.dll

Filesize
10KB

MD5
c6133749ba22cf955b526d9bb3911f09

SHA1
dc61798a22b3e6a9dfc66782a1020107eac0a9b5

SHA256
39e9af87ed0eae0fa0c520088d7edc3e1edd3889f109ef1220467ffa0e425e36

SHA512
b17b0e23e0dd52e6ac778f27916367199290fe7e25e6e2b444491e39a65b5dc3906d87037c1e6c73c35e6fd9e6302f5346a35fd2f280f4b8f31683ab46ab95bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\gdiplus.dll

Filesize
1.4MB

MD5
31b9fc652711265760068b421aaabd52

SHA1
ac6e6b4f16b706083f74d2294ea7fdc631ee8b0d

SHA256
66732f097fe39d370410d85aec9a86f373638e7cac46473da799e9e666fc6c8b

SHA512
58d8a4bfc8d60882e84a4c8270645623d2256c4a354d1db22791c2e98c3ada2a90bdb576f7ecdb0df5c420b13aa51ce6e728f24b941846e27de101b59e563cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\kpacketui.dll

Filesize
2.9MB

MD5
cd62ebba2f29e53eb2e1ab6400381864

SHA1
47165679081db59a304aadff14f16ceabe55baa3

SHA256
edc44e3e0cdbe2dc29cf76e8172f9fe0e1c341cab8ada4475e708fc7e22a6387

SHA512
1b5cd979a844933990003a3bed50100b5582d9f11cfa3296b9112e223cf372e29d677de4c854fe1ed1b4aeb9f2d77ba76a1f5b43087a92d3cbac407eb34ffc48

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\kpacketui\mui\en_US\kpacketui.qm

Filesize
8KB

MD5
f52456f3e71a3c50b7f974279c276de9

SHA1
c37faf95f4e0a9cd203770b9d82103c538511384

SHA256
2925b8a77adbf7dde1d608f3eb52fa235490eabbd5d418c8899f37b03b1ea7e1

SHA512
07dc0fb69d66bc351391fcebb82d49a07e6f2d74df4fe84d45de63b5d6a86571be746ad6cc0195bc50d8e21869e2d7bd3509de549fade1416d6638a00e2b8d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\msaddndr.dll

Filesize
96KB

MD5
0febe1efb25daac6f6f301b6e341dff4

SHA1
3d356f13e2363bdee48c817e31575019d2eff335

SHA256
561c909f76faedfd010fc049faa503e249f00cab16d6b57bff0fa74604345731

SHA512
a81b66160a4d1205d400107b213841d19c21369836e5e285aff369e717f96a51952d0eea99d0cdd26179253133a0004a69a345d1cd10a85d203573a7a3101e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\msvcp140.dll

Filesize
427KB

MD5
db1e9807b717b91ac6df6262141bd99f

SHA1
f55b0a6b2142c210bbfeebf1bac78134acc383b2

SHA256
5a6dfa5e1ffb6c1e7fc76bd121c6c91305e10dd75fc2124f79fee291a9dd9e86

SHA512
f0621977d20989d21ae14b66c1a7a6c752bfd6d7ccc2c4c4ec1c70ba6756e642fb7f9b1c6a94afadd0f8a05d3c377792e4aa4c1a771d833c40a6f46b90cbe7c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\msvcp140_1.dll

Filesize
21KB

MD5
4c3501beb23e601cef5337a47289cb34

SHA1
a39b0f789e3fa8be545ba5b62f537d611d68e11c

SHA256
4e94f9c89188fba7cae4bde37cf824d654717731559d47985d2b0749cfb11aa6

SHA512
336c54f5c9fd537f1c870a02bd41a39074b85723e1c8c9cb56d80d0356a0df030e67b5e6f61a9e5d267b0db26a4fba7774cfa8e3ee061a709cebfc71d2c14bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\msvcp140_2.dll

Filesize
163KB

MD5
d11eb12bf225dcad9219c5938d97c6df

SHA1
fee3132cfa6ea6b9a5d3e3bdcc90050e4b2fcbd8

SHA256
94a12bedb9a25393dc75fccde7243d5e90acf40b1f14406132a44ff42e220f2e

SHA512
8749aceb55f92c3e92862bd07a83fb999cd7db15a5cee7ddd468ffc42be8df8e8b7b32b82fcd73d2c17c64d9f760ce32c76b70f378d5430b67cef39104c3be09

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\msvcp140_codecvt_ids.dll

Filesize
19KB

MD5
a8fc72d7ffaa5fbaafa754a4db378b8e

SHA1
76ff351f692637e456eb988d4609792fe44b152f

SHA256
74ee4398ae24c1b787af944d650aa345ba0e9787cd112542d782b714209e35cc

SHA512
244a0fd1d08dcc17a17c99375d52e1ab47736dc6909f039ca9d62c28dbb91e7c128c9dc5c12daafea6741fed3c58a4ebcb591203a65442ee28f92b6f2387d6eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll

Filesize
61KB

MD5
57d798eed5bb2ed5964e43ca4fc711bd

SHA1
f7a1452e862116f049c3b964602b07a3ed5d96df

SHA256
3df7130ab7eae667c465ec329eec2df382ab57da3432fb1a8808cfd0f31ce695

SHA512
6eb77db1d23b3f16dc34217f6c90305c301b8f2931fc85ff3c036c6889a818416d6eb491474fd33545ee9bdc9d797a0192b41b974c59344510b78ec7afa37adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\qt\plugins\imageformats\qsvg.dll

Filesize
41KB

MD5
995335709066b43244e8f35e81b1f41a

SHA1
6a048eae491e2d1112e17e58a8d4512fc9a8845e

SHA256
66ac95183bf4a151c626d9ef11074de026ede30cbcf23ce3848d777fc0de8128

SHA512
0383beb15bf18f5cb967752e154dd35d4a002822a21508c2890190a90a9b4af71a690b67707bcdfc483cfee32a2f791b05fe565c89162461c773284e8dd7ab36

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\qt\plugins\platforms\qwindows.dll

Filesize
1.3MB

MD5
23cad07917aabc221334f74e3d03a456

SHA1
2de22774daf4a6333bb5502a3e378e64ff767e9a

SHA256
abe009821766ed074070a56229f66dd9b5dd413dbe67fd19f169f0c092b7d3ae

SHA512
b14f671cde984aa7484ea3dfd993de8af85f86723142f12fd29bfc71ef1226bc528742fe9fa1424a4c4ecaa11e06a7c2b86379caf13566e68cbd36b06e7147e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\qt\plugins\printsupport\windowsprintersupport.dll

Filesize
71KB

MD5
418c81727a1620706339483ac1a8a3cc

SHA1
fc14ed8b2f96ca1d04db15ecfca428fe3c2adac7

SHA256
4210c9e62125af2c0252e485c0ea7b11e120a3f2a972fdc343fd4861b0b1b284

SHA512
155a645a4a656d4eba28f0440ec045cec523f408c25ffcf4743d0fb1ae178cbd23cbff54319c2f218ebb0bba37d87388410e602034c5b8c793633ea11fc9da2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll

Filesize
145KB

MD5
184a7bf566a1d55d176ffca0e973a6c0

SHA1
c3a596ff6368d92a9c83027d5de3b32411c2b4a5

SHA256
21812845ef2140d30c1427c15c86c13275995bb3f33ecf46f865923c278fca8c

SHA512
d6a226d12faeac6813c9207e227145905bfd518229517c2b8f79eab8e77fde8a7d1d32d65f6e8107612aa507a26794000c8607a5b25aa877bdb789c1514c3a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\stdole.dll

Filesize
21KB

MD5
a390735ec9f5136a1228c5c855672848

SHA1
7357d079dafd1d63a3eba255bec2152f83f8cb35

SHA256
8cc8b5f4aac936407520b2e792a2bff207ed80df60a316a52d569f9d248b5872

SHA512
834a59231f36d4b98e9535ab1e3ab735aa1d4ff34a28051f694ff582abccd5ada9ec88bbb57c6f391b0498f4638d5dd44631acd7930952979ceaf93f2f20de79

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\ucrtbase.dll

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\ucrtbase.dll.tmp

Filesize
1.2MB

MD5
323e0f76d69b62f23dc32c11da64d00f

SHA1
c133550b2783f731cd0213cc64847fdd9cbd895b

SHA256
4297ac90f7f4fa0c9112e855dd725c3f7ab4431e2dac84ee2ed7c7b93d4731b7

SHA512
0b4fd081f5cca392f185560de699f1c53bcb351d29be47ad439a95cbc7bea8e23c37e33d3a2e7c2e1d89c3a50619a6ab355128ac334cbf1a7922667d6e332d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\vccorlib140.dll

Filesize
262KB

MD5
1b3229660d446d18e5659d74fe84d2aa

SHA1
e27b0e3e98d13a0d5860618a674743da0d3b57b8

SHA256
d43812f712f02a50017128463c357eae8f78b665353f889848f59a9faefd8ff7

SHA512
bdfa91ac0962d56671aadf2ed45f4079faca08aece763201a19f79b74aed7c547252879e021169f491bf0bd2e3048529ca99900d7adf4eb0a133cc4fc4d3a7eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\office6\vcruntime140.dll

Filesize
75KB

MD5
8fdb26199d64ae926509f5606460f573

SHA1
7d7d8849e7c77af3042a6f54bdf2bb303d7cd678

SHA256
f1fd5f6ec1cfe0cc3b66b5322ac97568bc63b19c1e415b99aad7c69ddbafa33c

SHA512
f56bf11d4259dbf5d4d1f9fc2ad60ff609cddb21278999e9fa55fe5d74552e8a01ddc55cfdc9bf4b09b3e3130a1356142a24a7db8ec5ea19344de617dc9fa99f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\pl_PL\style.xml

Filesize
3KB

MD5
034f37e6536c1430d55f64168b7e9f05

SHA1
dd08c0ef0d086dfbe59797990a74dab14fc850e2

SHA256
183a140011774d955e9de189e7a1d53cb4128d6abed61c7bfd5994268ee5f384

SHA512
0e1911c882152a4e1059a3ce1880d7fb2aed1e1e36cbd37055de2e2a1333acb2a0233ba2a4d969ccebbef1e77809aa5e78807aa9239545beae8c548c0f8f35c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e582882\CONTROL\product.dat

Filesize
128KB

MD5
354aa892785e306f30856e0b2e7d4546

SHA1
33457f5aa9326e153e7748a58c836cc1ee94973d

SHA256
71da50e92aa3097b516ea7c42718c83fff187b63faa4945ddf62bbcf13dc2897

SHA512
029f3bdfec5027d25dd2f8191795efdd3c761e3c2bffcc235cc38a83fc59e9179f2044691cb6905e6a3ae5c3422430781f2fb49332304851e97455d61b893cef

Download Submit
C:\Users\Admin\AppData\Local\tempinstall.ini

Filesize
387B

MD5
c38481658f9149eba0b9b8fcbcb16708

SHA1
f16a40af74c0a04a331f7833251e3958d033d4da

SHA256
d0d73f49bc21b62fe05c47024d69406a3227da0f6b4ffe237726e6a031f188d2

SHA512
8f98d62f88442b8ef94aa10074e35aa8d9494f3c76ce8b143ca0bf7fa0d917f3175212fbcd6e7b0597fd0ec0e1b2827f157135512fb01c88218d36e2f7dd73ce

Download Submit
C:\Users\Admin\AppData\Local\tempinstall.ini

Filesize
433B

MD5
a9519168ca6299588edf9bd39c10828a

SHA1
9f0635e39d50d15af39f5e2c52ad240a428b5636

SHA256
9e87b2ff306efedf7bf1074749b4602c332bc825aed80721eba19d5f544d2ec3

SHA512
0607eb1f5598320961fbd8ef75beeb1b6dc1af3cae7eeb5ba352f3e2a2edb25e1d9e68fb46c24e4299957352c0c906314c889c2d1092437eccc1d1a0485f3557

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LYDW0LI5I3P10M6ZKJOQ.temp

Filesize
8KB

MD5
e322ba49bf91fcb2e8177f4d115563ce

SHA1
27b7d5dd6e51d77877b8c03d9bd6e2abadce8e13

SHA256
e99f5703d428e3a0d618a0f7817dc2562dfa836ec7341db3b298eef222214ec9

SHA512
e138ca762a2bbbaca76b874bfcc60c556292c97c1e7e5ddd586601f5381b547b286a4852ffa860ca6cdc211257e2d25eea51a9c4cc7733c9771225a851087026

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\cfg\onlineconfig.data

Filesize
104KB

MD5
65d632e063055d1a328424c493c4decc

SHA1
e0781b436f6dc83032b8045c5018c461e47637a1

SHA256
81d452cf998ff5b138f9b3077c9e2c03c18b3e4b3dc284544c8a9e7b269330d4

SHA512
3a2a90afce6ccc22f4ecaab1f36e790718e6c94b62186be4f51e4de096b52c9895643e8797fc1afe233f5930051626814eff9e502dcc7fd9e3fb02aee89d36c9

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\configs\configure2

Filesize
224B

MD5
b74eca7ccf1bbe78edaa631e1b5d4974

SHA1
7d3ea41eed9addeec7822927696ef541fe90e3ef

SHA256
501fb9d7c368eafd9175aeccd5994841b3b30a88e9c5795506d487981d82fcaf

SHA512
b8dbd958e672c95410759bb54ae1ac75fa017bd1b6ede1ff7eb900bc8957a46bffafc71c2ac2eab51872fb6960687356ab696e909eadf370f2ed0a111128d652

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\ksomisc\ksomisc_2024_12_10.log

Filesize
5KB

MD5
5f0dd11da3a4110e7a8922d23f010800

SHA1
0f73e7fe58df60148422c8a3f4c4a8009ac16860

SHA256
3b9c8cc106c21dbe289569fb98250aadeb86d34fbc11e9a0f606f60abb039830

SHA512
f1607535f36ba84c4f9219fbef30ec3488c10f2f63b2abe1c209a7423c057d7111584385f627fd1019b0c07da014b0d6aa3101073a865d379f6c4d56d7a48fe7

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
12KB

MD5
13134d1c0c2ebf5fb41ed3240281704e

SHA1
19c068458a8bfdb2e5a68cc20d052368c890b773

SHA256
471849f45558b810f842637061d43d7cf306c0013ad485ae4ebd73f83a8fee8f

SHA512
3682114008260fb67c9fc22e146a3351c383f3db3873a1b74803f9404c0505e2d2c6852431edb5c09f3616cfb049a951a54a291e0587b2f02ff6f1c46f15bc08

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
12KB

MD5
d593ce0947819297c7e30563104c7909

SHA1
e4bb739f6659b3ffa09daa8e41bba8897623f4cc

SHA256
38e484cfe7ea73ab146d4bc64b4b772f2c4956bd1d5363fc2fcb67dd45386a55

SHA512
7b2ecb6f8a701c43aaca6e94d584b8e09c0d2e94cf54c7a1db3d6d09b75950afbbdd4a41ca74132dea8424624e9c48d8bf1e2bbf428693dea120856da771e690

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
31KB

MD5
a7ec3ade7927d26021ab2e82843a0b78

SHA1
3fc9315bfe5109cee8e7bd7c78837a6c51960d06

SHA256
c55bd6df126cbd3bc11e148e535c18e949c0b42a6d1387619614711248068a2f

SHA512
0602e35ff9e1d9caf32254a57276edbfb2f3164c42cf4f546aebebeb44c0af034dc1a96d739a0e081334feb448d4aecb0816a45bd15fdae0b39d93db9cbf6f39

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
50KB

MD5
e8fa706bbc65a5ee12116e9f1a23de0e

SHA1
ec0d0aff75d187293ab86945f8cecea6218736dd

SHA256
529513edb5f1348288c5fc515e796a1b3e347d72bdc9692ebb4f599f9a56756f

SHA512
1cb69196d50006060932902c525e6f53cc5e7fa15f0524a1091bccfc6783878198ac208443e33b73ec5a3de36a9c03a6265b27a819fff0db3acb6d4175118d5a

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
59KB

MD5
41b416e78d2152c82ab6ca34fe40defa

SHA1
4d7cbcd3de5019f8d2837a11670e97f797290a3a

SHA256
e1af59a4a1f0f7406ac8100ca1ecdd3f065fe503b7606968873c587be805977c

SHA512
424451b282d51a157c16934b3830e5675273c224c557a3706f4418e6df18bd9858d788456ed05dd2d4c4bf577bf77f0af7afb3b413bf830ff965747a621d78cd

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\kconfigcenter\kccsdkdb\kccsdkpriortydb\mdbx.dat

Filesize
64KB

MD5
c8865365024d3d83ab8cb2047a612925

SHA1
5f422e9d76ca4f7a60cdaae025e85e9514ab94a5

SHA256
57862f2753bcc576e564b80a8b833c1d6b5c741c844b534d3a589baaf2fa58fd

SHA512
9c2d5e2b6e3d8b5a44ca7c2f85d3b32d085823d944b3874a30b786d51417b24655f9f1a3fb1d21b8463b630bce54c7b5deabfb912814139a9e74d8b6b4ccb756

Download Submit
memory/100-4741-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/100-4756-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/376-227-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/376-4477-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/376-2459-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/468-4792-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/468-4767-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/832-4811-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/832-4826-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/832-5051-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/832-5046-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/864-5111-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/864-5081-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/872-5385-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/872-5391-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/932-5312-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/932-5314-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1016-5160-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1016-5130-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1032-4894-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1032-4881-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1108-5509-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1108-5526-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1224-5427-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1224-5439-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1280-4719-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1280-4690-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1412-5458-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1416-5308-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1416-5276-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1444-4508-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/1444-4500-0x000000006EC10000-0x000000007035E000-memory.dmp

Filesize
23.3MB

Download
memory/1444-4509-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/1444-4504-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/1444-4505-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/1444-4511-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/1444-4512-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/1444-4513-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/1444-4514-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1444-4510-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/1444-4502-0x000000006E1F0000-0x000000006EC09000-memory.dmp

Filesize
10.1MB

Download
memory/1444-4624-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1444-4501-0x000000006BD90000-0x000000006C518000-memory.dmp

Filesize
7.5MB

Download
memory/1444-4507-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/1444-4506-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/1516-5546-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1516-5558-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1716-4633-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1716-4635-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1852-4442-0x000000006BC00000-0x000000006C388000-memory.dmp

Filesize
7.5MB

Download
memory/1852-4449-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/1852-4470-0x00000000031E0000-0x00000000031F7000-memory.dmp

Filesize
92KB

Download
memory/1852-4471-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1852-4443-0x000000006FB10000-0x000000007125E000-memory.dmp

Filesize
23.3MB

Download
memory/1852-4444-0x000000006EC70000-0x000000006F689000-memory.dmp

Filesize
10.1MB

Download
memory/1852-4446-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1852-4447-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/1852-4448-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/1852-4455-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/1852-4450-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/1852-4451-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/1852-4445-0x000000006B890000-0x000000006B8A0000-memory.dmp

Filesize
64KB

Download
memory/1852-4452-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/1852-4453-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/1852-4454-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/1852-4456-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/1928-5407-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1928-5373-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2072-5489-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2072-5491-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2268-4862-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2268-4835-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2356-5261-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2356-5221-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2360-20-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2360-509-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2360-27-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2360-4440-0x0000000000890000-0x0000000000DF0000-memory.dmp

Filesize
5.4MB

Download
memory/2360-22-0x0000000000890000-0x0000000000DF0000-memory.dmp

Filesize
5.4MB

Download
memory/2360-23-0x0000000000890000-0x0000000000DF0000-memory.dmp

Filesize
5.4MB

Download
memory/2360-19-0x0000000000890000-0x0000000000DF0000-memory.dmp

Filesize
5.4MB

Download
memory/2360-3807-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2360-508-0x0000000000890000-0x0000000000DF0000-memory.dmp

Filesize
5.4MB

Download
memory/2360-26-0x0000000000890000-0x0000000000DF0000-memory.dmp

Filesize
5.4MB

Download
memory/2360-21-0x0000000000890000-0x0000000000DF0000-memory.dmp

Filesize
5.4MB

Download
memory/2360-3806-0x0000000000890000-0x0000000000DF0000-memory.dmp

Filesize
5.4MB

Download
memory/2360-18-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2360-14-0x0000000000890000-0x0000000000DF0000-memory.dmp

Filesize
5.4MB

Download
memory/2360-13-0x0000000000890000-0x0000000000DF0000-memory.dmp

Filesize
5.4MB

Download
memory/2360-12-0x0000000000890000-0x0000000000DF0000-memory.dmp

Filesize
5.4MB

Download
memory/2360-2-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2360-5-0x0000000000891000-0x0000000000892000-memory.dmp

Filesize
4KB

Download
memory/2360-11-0x0000000000890000-0x0000000000DF0000-memory.dmp

Filesize
5.4MB

Download
memory/2360-10-0x0000000000890000-0x0000000000DF0000-memory.dmp

Filesize
5.4MB

Download
memory/2580-4954-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2580-4944-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2596-4625-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2596-4647-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2932-5331-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2932-5354-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3060-4601-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3060-4562-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3212-5020-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3212-5057-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3460-5480-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3604-4596-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3604-4487-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/3604-4490-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/3604-4491-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/3604-4478-0x000000006EC10000-0x000000007035E000-memory.dmp

Filesize
23.3MB

Download
memory/3604-4492-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3604-4480-0x000000006BD90000-0x000000006C518000-memory.dmp

Filesize
7.5MB

Download
memory/3604-4485-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/3604-4479-0x000000006E1F0000-0x000000006EC09000-memory.dmp

Filesize
10.1MB

Download
memory/3604-4489-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/3604-4482-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/3604-4484-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/3604-4483-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/3604-4488-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/3604-4486-0x000000006B880000-0x000000006B890000-memory.dmp

Filesize
64KB

Download
memory/3860-5450-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3860-5466-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4080-4638-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4080-4636-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4192-5034-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4308-5392-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4308-5399-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4340-4543-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4340-4541-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4408-5063-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4408-5003-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4568-5344-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4568-5341-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4592-3981-0x0000000073190000-0x00000000732AF000-memory.dmp

Filesize
1.1MB

Download
memory/4592-1211-0x0000000073190000-0x00000000732AF000-memory.dmp

Filesize
1.1MB

Download
memory/4592-3980-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4592-43-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4592-1210-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4592-4476-0x0000000073190000-0x00000000732AF000-memory.dmp

Filesize
1.1MB

Download
memory/4592-4475-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4708-4913-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4708-4925-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4712-4973-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4712-4982-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4744-5517-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4744-5515-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4804-5520-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4804-5518-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/5056-4681-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/5056-4656-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/5056-5485-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/5056-5472-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/5116-5180-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/5116-5210-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download