bbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f.exe
Size

28KB
MD5

d23e18e8803bf90e5170e2af9c706aae
SHA1

c9b8cdac25f867831a124eb1a86356b773de1d8a
SHA256

bbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f
SHA512

788aa97737c2eddf8258113f6a3351c2b12959c4a02e7c5162f075a12718a43cadc4a8483b42811904bc87aed36561628fa9ad8710df59da3b353461facca6d6
SSDEEP

384:nSuZdU1AAziEyXDWAwVgLqVHp2YtjupdT8Fj0eohDTkVOhvF27z/2z:nLj8iEEQiqVHUYkpNWC9yoYf

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

Processes:

YoudaoDict_silent4.exeOfficeAssist.0334.80.1073.exeOfficeAssist.0334.80.1073.exeYoudaoDictInstaller.exeYoudaoDictInstaller.exeassistupdate.exenotify.exe

pid	process
1184	YoudaoDict_silent4.exe
1984	OfficeAssist.0334.80.1073.exe
940	OfficeAssist.0334.80.1073.exe
1404	YoudaoDictInstaller.exe
1320	YoudaoDictInstaller.exe
544	assistupdate.exe
872	notify.exe

Registers COM server for autorun 1 TTPs 19 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\PPTAssist\\pptassist64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07473267-2FBF-468D-8C7D-A9DB6211F5F2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Youdao\\Dict\\Application\\stable\\YoudaoGetWord64.dll"	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07473267-2FBF-468D-8C7D-A9DB6211F5F2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07473267-2FBF-468D-8C7D-A9DB6211F5F2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\PPTAssist\\pptassist.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\PPTAssist\\pptassist64.dll"	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\PPTAssist\\pptassist.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32	regsvr32.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1348-55-0x0000000000400000-0x0000000000415000-memory.dmp	upx
\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe	upx
\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe	upx
\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe	upx
\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe	upx
C:\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe	upx
behavioral1/memory/544-157-0x00000000009A0000-0x0000000000ADE000-memory.dmp	upx
behavioral1/memory/872-159-0x00000000003D0000-0x000000000050E000-memory.dmp	upx
behavioral1/memory/544-162-0x00000000009A0000-0x0000000000ADE000-memory.dmp	upx
behavioral1/memory/872-164-0x00000000003D0000-0x000000000050E000-memory.dmp	upx
behavioral1/memory/872-165-0x00000000003D0000-0x000000000050E000-memory.dmp	upx
behavioral1/memory/1348-167-0x0000000000400000-0x0000000000415000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

636 cmd.exe

pid	process
636	cmd.exe

Loads dropped DLL 51 IoCs

Processes:

bbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f.exeYoudaoDict_silent4.exeOfficeAssist.0334.80.1073.exeOfficeAssist.0334.80.1073.exeYoudaoDictInstaller.exeregsvr32.exeregsvr32.exeYoudaoDictInstaller.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeassistupdate.exenotify.exe

pid	process
1348	bbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f.exe
1184	YoudaoDict_silent4.exe
1184	YoudaoDict_silent4.exe
1184	YoudaoDict_silent4.exe
1348	bbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f.exe
1984	OfficeAssist.0334.80.1073.exe
1984	OfficeAssist.0334.80.1073.exe
1984	OfficeAssist.0334.80.1073.exe
1984	OfficeAssist.0334.80.1073.exe
1984	OfficeAssist.0334.80.1073.exe
940	OfficeAssist.0334.80.1073.exe
940	OfficeAssist.0334.80.1073.exe
1184	YoudaoDict_silent4.exe
1404	YoudaoDictInstaller.exe
1404	YoudaoDictInstaller.exe
1404	YoudaoDictInstaller.exe
1404	YoudaoDictInstaller.exe
1404	YoudaoDictInstaller.exe
1404	YoudaoDictInstaller.exe
1900	regsvr32.exe
564	regsvr32.exe
1184	YoudaoDict_silent4.exe
1320	YoudaoDictInstaller.exe
1320	YoudaoDictInstaller.exe
1320	YoudaoDictInstaller.exe
1320	YoudaoDictInstaller.exe
1320	YoudaoDictInstaller.exe
1320	YoudaoDictInstaller.exe
768	regsvr32.exe
1184	YoudaoDict_silent4.exe
980	regsvr32.exe
1184	YoudaoDict_silent4.exe
1184	YoudaoDict_silent4.exe
1184	YoudaoDict_silent4.exe
1628	regsvr32.exe
904	regsvr32.exe
940	OfficeAssist.0334.80.1073.exe
940	OfficeAssist.0334.80.1073.exe
940	OfficeAssist.0334.80.1073.exe
940	OfficeAssist.0334.80.1073.exe
940	OfficeAssist.0334.80.1073.exe
940	OfficeAssist.0334.80.1073.exe
940	OfficeAssist.0334.80.1073.exe
940	OfficeAssist.0334.80.1073.exe
940	OfficeAssist.0334.80.1073.exe
544	assistupdate.exe
544	assistupdate.exe
940	OfficeAssist.0334.80.1073.exe
872	notify.exe
872	notify.exe
1984	OfficeAssist.0334.80.1073.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

YoudaoDictInstaller.exeYoudaoDictInstaller.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	YoudaoDictInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\YodaoDict = "\"C:\\Users\\Admin\\AppData\\Local\\Youdao\\Dict\\Application\\YodaoDict.exe\" -hide -autostart"	YoudaoDictInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	YoudaoDictInstaller.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

Processes:

bbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f.exeYoudaoDictInstaller.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\open.ini	bbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\YodaoDict.api	YoudaoDictInstaller.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\YodaoDict.api	YoudaoDictInstaller.exe

Drops file in Windows directory 2 IoCs

Processes:

assistupdate.exenotify.exe

description	ioc	process
File created	C:\Windows\Tasks\PPTAssistantUpdateTask_Admin.job	assistupdate.exe
File created	C:\Windows\Tasks\PPTAssistantNotifyTask_Admin.job	notify.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 10 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\ig8er.tmp\ck9ed.tmp\OfficeAssist.0334.80.1073.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\ig8er.tmp\ck9ed.tmp\OfficeAssist.0334.80.1073.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\ig8er.tmp\ck9ed.tmp\OfficeAssist.0334.80.1073.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\ig8er.tmp\ck9ed.tmp\OfficeAssist.0334.80.1073.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\ig8er.tmp\ck9ed.tmp\OfficeAssist.0334.80.1073.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\ig8er.tmp\ck9ed.tmp\OfficeAssist.0334.80.1073.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\ig8er.tmp\ck9ed.tmp\OfficeAssist.0334.80.1073.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\ig8er.tmp\ck9ed.tmp\OfficeAssist.0334.80.1073.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\ig8er.tmp\ck9ed.tmp\OfficeAssist.0334.80.1073.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\ig8er.tmp\ck9ed.tmp\OfficeAssist.0334.80.1073.exe	nsis_installer_2

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1632 taskkill.exe

pid	process
1632	taskkill.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeOfficeAssist.0334.80.1073.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\TypeLib\ = "{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C03B9-0000-0000-C000-000000000046}	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB241B94-028A-441D-B9EB-B9AD3FDF2D9A}\VersionIndependentProgID\ = "YoudaoGetWord32.Connect"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Interface\{CE895442-9981-4315-AA85-4B9A5C7739D8}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000CD903-0000-0000-C000-000000000046}\TypeLib\Version = "2.5"	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0398-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C0319-0000-0000-C000-000000000046}\TypeLib\Version = "2.5"	OfficeAssist.0334.80.1073.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0319-0000-0000-C000-000000000046}\TypeLib	OfficeAssist.0334.80.1073.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C032E-0000-0000-C000-000000000046}\ProxyStubClsid32	OfficeAssist.0334.80.1073.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0398-0000-0000-C000-000000000046}\ProxyStubClsid32	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C1729-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C171C-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C1712-0000-0000-C000-000000000046}\ = "Axes"	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C03CD-0000-0000-C000-000000000046}\TypeLib\Version = "2.5"	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0312-0000-0000-C000-000000000046}\ = "ColorFormat"	OfficeAssist.0334.80.1073.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0312-0000-0000-C000-000000000046}\TypeLib	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C1534-0000-0000-C000-000000000046}\ = "ODSOFilters"	OfficeAssist.0334.80.1073.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C037D-0000-0000-C000-000000000046}\ProxyStubClsid32	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000CDB0F-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OfficeAssist.0334.80.1073.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0397-0000-0000-C000-000000000046}\ProxyStubClsid32	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C03C4-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OfficeAssist.0334.80.1073.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000CDB0F-0000-0000-C000-000000000046}\ProxyStubClsid32	OfficeAssist.0334.80.1073.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0397-0000-0000-C000-000000000046}	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C03CE-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07473267-2FBF-468D-8C7D-A9DB6211F5F2}\TypeLib\ = "{55684B24-475C-4969-8C82-B498B5A53596}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C037A-0000-0000-C000-000000000046}\ProxyStubClsid32	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0386-0000-0000-C000-000000000046}\TypeLib\Version = "2.5"	OfficeAssist.0334.80.1073.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0393-0000-0000-C000-000000000046}\TypeLib	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ABFA087C-F703-4D53-946E-37FF82B2C994}\ = "IMsoAxisTitle"	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0367-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OfficeAssist.0334.80.1073.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C1729-0000-0000-C000-000000000046}\ProxyStubClsid32	OfficeAssist.0334.80.1073.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C03C2-0000-0000-C000-000000000046}\ProxyStubClsid32	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C03E6-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0306-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C037B-0000-0000-C000-000000000046}\ = "SharedWorkspaceFile"	OfficeAssist.0334.80.1073.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C038A-0000-0000-C000-000000000046}\ProxyStubClsid32	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C03D6-0000-0000-C000-000000000046}\TypeLib\Version = "2.5"	OfficeAssist.0334.80.1073.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000CDB0B-0000-0000-C000-000000000046}	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C172E-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OfficeAssist.0334.80.1073.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C03BA-0000-0000-C000-000000000046}\TypeLib	OfficeAssist.0334.80.1073.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C03C4-0000-0000-C000-000000000046}	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C03D0-0000-0000-C000-000000000046}\TypeLib\Version = "2.5"	OfficeAssist.0334.80.1073.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C03E0-0000-0000-C000-000000000046}	OfficeAssist.0334.80.1073.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Interface\{CE895442-9981-4315-AA85-4B9A5C7739D8}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0312-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OfficeAssist.0334.80.1073.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0332-0000-0000-C000-000000000046}\TypeLib	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672AC-0000-0000-C000-000000000046}\TypeLib\Version = "2.5"	OfficeAssist.0334.80.1073.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C036C-0000-0000-C000-000000000046}\ProxyStubClsid32	OfficeAssist.0334.80.1073.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0390-0000-0000-C000-000000000046}\ProxyStubClsid32	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000CD6A2-0000-0000-C000-000000000046}\ = "SignatureInfo"	OfficeAssist.0334.80.1073.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C033E-0000-0000-C000-000000000046}	OfficeAssist.0334.80.1073.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0338-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0365-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672AD-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000CDB02-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C03BA-0000-0000-C000-000000000046}\TypeLib\Version = "2.5"	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C03E3-0000-0000-C000-000000000046}\ = "PickerProperties"	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0357-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OfficeAssist.0334.80.1073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C172A-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OfficeAssist.0334.80.1073.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C171C-0000-0000-C000-000000000046}\ProxyStubClsid32	OfficeAssist.0334.80.1073.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB241B94-028A-441D-B9EB-B9AD3FDF2D9A}\ProgID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\TypeLib\{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}\1.0\0	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

OfficeAssist.0334.80.1073.exeYoudaoDictInstaller.exeassistupdate.exenotify.exeOfficeAssist.0334.80.1073.exe

pid	process
940	OfficeAssist.0334.80.1073.exe
1404	YoudaoDictInstaller.exe
1404	YoudaoDictInstaller.exe
544	assistupdate.exe
872	notify.exe
1984	OfficeAssist.0334.80.1073.exe
1984	OfficeAssist.0334.80.1073.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

OfficeAssist.0334.80.1073.exebbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	940	OfficeAssist.0334.80.1073.exe
Token: SeRestorePrivilege	1348	bbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f.exe
Token: SeBackupPrivilege	1348	bbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f.exe
Token: SeDebugPrivilege	1632	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

YoudaoDictInstaller.exeYoudaoDictInstaller.exe

pid process

1404 YoudaoDictInstaller.exe
1320 YoudaoDictInstaller.exe

pid	process
1404	YoudaoDictInstaller.exe
1320	YoudaoDictInstaller.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f.exeOfficeAssist.0334.80.1073.exeYoudaoDict_silent4.exeYoudaoDictInstaller.exeregsvr32.exeOfficeAssist.0334.80.1073.exe

description	pid	process	target process
PID 1348 wrote to memory of 1184	1348	bbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f.exe	YoudaoDict_silent4.exe
PID 1348 wrote to memory of 1184	1348	bbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f.exe	YoudaoDict_silent4.exe
PID 1348 wrote to memory of 1184	1348	bbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f.exe	YoudaoDict_silent4.exe
PID 1348 wrote to memory of 1184	1348	bbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f.exe	YoudaoDict_silent4.exe
PID 1348 wrote to memory of 1184	1348	bbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f.exe	YoudaoDict_silent4.exe
PID 1348 wrote to memory of 1184	1348	bbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f.exe	YoudaoDict_silent4.exe
PID 1348 wrote to memory of 1184	1348	bbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f.exe	YoudaoDict_silent4.exe
PID 1348 wrote to memory of 1984	1348	bbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f.exe	OfficeAssist.0334.80.1073.exe
PID 1348 wrote to memory of 1984	1348	bbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f.exe	OfficeAssist.0334.80.1073.exe
PID 1348 wrote to memory of 1984	1348	bbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f.exe	OfficeAssist.0334.80.1073.exe
PID 1348 wrote to memory of 1984	1348	bbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f.exe	OfficeAssist.0334.80.1073.exe
PID 1348 wrote to memory of 1984	1348	bbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f.exe	OfficeAssist.0334.80.1073.exe
PID 1348 wrote to memory of 1984	1348	bbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f.exe	OfficeAssist.0334.80.1073.exe
PID 1348 wrote to memory of 1984	1348	bbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f.exe	OfficeAssist.0334.80.1073.exe
PID 1984 wrote to memory of 940	1984	OfficeAssist.0334.80.1073.exe	OfficeAssist.0334.80.1073.exe
PID 1984 wrote to memory of 940	1984	OfficeAssist.0334.80.1073.exe	OfficeAssist.0334.80.1073.exe
PID 1984 wrote to memory of 940	1984	OfficeAssist.0334.80.1073.exe	OfficeAssist.0334.80.1073.exe
PID 1984 wrote to memory of 940	1984	OfficeAssist.0334.80.1073.exe	OfficeAssist.0334.80.1073.exe
PID 1984 wrote to memory of 940	1984	OfficeAssist.0334.80.1073.exe	OfficeAssist.0334.80.1073.exe
PID 1984 wrote to memory of 940	1984	OfficeAssist.0334.80.1073.exe	OfficeAssist.0334.80.1073.exe
PID 1984 wrote to memory of 940	1984	OfficeAssist.0334.80.1073.exe	OfficeAssist.0334.80.1073.exe
PID 1184 wrote to memory of 1404	1184	YoudaoDict_silent4.exe	YoudaoDictInstaller.exe
PID 1184 wrote to memory of 1404	1184	YoudaoDict_silent4.exe	YoudaoDictInstaller.exe
PID 1184 wrote to memory of 1404	1184	YoudaoDict_silent4.exe	YoudaoDictInstaller.exe
PID 1184 wrote to memory of 1404	1184	YoudaoDict_silent4.exe	YoudaoDictInstaller.exe
PID 1184 wrote to memory of 1404	1184	YoudaoDict_silent4.exe	YoudaoDictInstaller.exe
PID 1184 wrote to memory of 1404	1184	YoudaoDict_silent4.exe	YoudaoDictInstaller.exe
PID 1184 wrote to memory of 1404	1184	YoudaoDict_silent4.exe	YoudaoDictInstaller.exe
PID 1404 wrote to memory of 1900	1404	YoudaoDictInstaller.exe	regsvr32.exe
PID 1404 wrote to memory of 1900	1404	YoudaoDictInstaller.exe	regsvr32.exe
PID 1404 wrote to memory of 1900	1404	YoudaoDictInstaller.exe	regsvr32.exe
PID 1404 wrote to memory of 1900	1404	YoudaoDictInstaller.exe	regsvr32.exe
PID 1404 wrote to memory of 1900	1404	YoudaoDictInstaller.exe	regsvr32.exe
PID 1404 wrote to memory of 1900	1404	YoudaoDictInstaller.exe	regsvr32.exe
PID 1404 wrote to memory of 1900	1404	YoudaoDictInstaller.exe	regsvr32.exe
PID 1404 wrote to memory of 564	1404	YoudaoDictInstaller.exe	regsvr32.exe
PID 1404 wrote to memory of 564	1404	YoudaoDictInstaller.exe	regsvr32.exe
PID 1404 wrote to memory of 564	1404	YoudaoDictInstaller.exe	regsvr32.exe
PID 1404 wrote to memory of 564	1404	YoudaoDictInstaller.exe	regsvr32.exe
PID 1404 wrote to memory of 564	1404	YoudaoDictInstaller.exe	regsvr32.exe
PID 1404 wrote to memory of 564	1404	YoudaoDictInstaller.exe	regsvr32.exe
PID 1404 wrote to memory of 564	1404	YoudaoDictInstaller.exe	regsvr32.exe
PID 1404 wrote to memory of 1808	1404	YoudaoDictInstaller.exe	cmd.exe
PID 1404 wrote to memory of 1808	1404	YoudaoDictInstaller.exe	cmd.exe
PID 1404 wrote to memory of 1808	1404	YoudaoDictInstaller.exe	cmd.exe
PID 1404 wrote to memory of 1808	1404	YoudaoDictInstaller.exe	cmd.exe
PID 1404 wrote to memory of 1808	1404	YoudaoDictInstaller.exe	cmd.exe
PID 1404 wrote to memory of 1808	1404	YoudaoDictInstaller.exe	cmd.exe
PID 1404 wrote to memory of 1808	1404	YoudaoDictInstaller.exe	cmd.exe
PID 1184 wrote to memory of 1320	1184	YoudaoDict_silent4.exe	YoudaoDictInstaller.exe
PID 1184 wrote to memory of 1320	1184	YoudaoDict_silent4.exe	YoudaoDictInstaller.exe
PID 1184 wrote to memory of 1320	1184	YoudaoDict_silent4.exe	YoudaoDictInstaller.exe
PID 1184 wrote to memory of 1320	1184	YoudaoDict_silent4.exe	YoudaoDictInstaller.exe
PID 1184 wrote to memory of 1320	1184	YoudaoDict_silent4.exe	YoudaoDictInstaller.exe
PID 1184 wrote to memory of 1320	1184	YoudaoDict_silent4.exe	YoudaoDictInstaller.exe
PID 1184 wrote to memory of 1320	1184	YoudaoDict_silent4.exe	YoudaoDictInstaller.exe
PID 564 wrote to memory of 768	564	regsvr32.exe	regsvr32.exe
PID 564 wrote to memory of 768	564	regsvr32.exe	regsvr32.exe
PID 564 wrote to memory of 768	564	regsvr32.exe	regsvr32.exe
PID 564 wrote to memory of 768	564	regsvr32.exe	regsvr32.exe
PID 564 wrote to memory of 768	564	regsvr32.exe	regsvr32.exe
PID 564 wrote to memory of 768	564	regsvr32.exe	regsvr32.exe
PID 564 wrote to memory of 768	564	regsvr32.exe	regsvr32.exe
PID 940 wrote to memory of 980	940	OfficeAssist.0334.80.1073.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\bbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f.exe
"C:\Users\Admin\AppData\Local\Temp\bbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Admin\AppData\Local\Temp\ig8er.tmp\ck9ed.tmp\YoudaoDict_silent4.exe
"C:\Users\Admin\AppData\Local\Temp\ig8er.tmp\ck9ed.tmp\YoudaoDict_silent4.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Local\Youdao\Dict\Application\5.4.46.5554\YoudaoDictInstaller.exe
"C:\Users\Admin\AppData\Local\Youdao\Dict\Application\5.4.46.5554\YoudaoDictInstaller.exe" install "C:\Users\Admin\AppData\Local\Temp\nsd8143.tmp\install.ini" "full" 1 1
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\stable\YoudaoGetWord32.dll" /s
4⤵
- Loads dropped DLL
- Modifies registry class
PID:1900

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\stable\YoudaoGetWord64.dll" /s
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\system32\regsvr32.exe
"C:\Users\Admin\AppData\Local\Youdao\Dict\Application\stable\YoudaoGetWord64.dll" /s
5⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo y| cacls "C:\ProgramData\Youdao\DeskDict\pluginconfig.ini" /c /g everyone:f
4⤵
PID:1808

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Youdao\DeskDict\pluginconfig.ini" /c /g everyone:f
5⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:1764

C:\Users\Admin\AppData\Local\Youdao\Dict\Application\5.4.46.5554\YoudaoDictInstaller.exe
"C:\Users\Admin\AppData\Local\Youdao\Dict\Application\5.4.46.5554\YoudaoDictInstaller.exe" instreport
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1320

C:\Users\Admin\AppData\Local\Temp\ig8er.tmp\ck9ed.tmp\OfficeAssist.0334.80.1073.exe
"C:\Users\Admin\AppData\Local\Temp\ig8er.tmp\ck9ed.tmp\OfficeAssist.0334.80.1073.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1984

C:\ProgramData\kingsoft\20221124_182123\OfficeAssist.0334.80.1073.exe
"C:\ProgramData\kingsoft\20221124_182123\OfficeAssist.0334.80.1073.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\PPTAssist\pptassist.dll"
4⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:980

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\PPTAssist\pptassist64.dll"
4⤵
- Loads dropped DLL
PID:1628

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\PPTAssist\pptassist64.dll"
5⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:904

C:\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe
"C:\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe" -createtask
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:544

C:\Users\Admin\AppData\Local\PPTAssist\notify.exe
"C:\Users\Admin\AppData\Local\PPTAssist\notify.exe" /from:ksostart
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:872

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\bbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f.exe.bat
2⤵
- Deletes itself
PID:636

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM bbe9d72b945a40d1697f1a140bc2428f3e5fd92d574f4cd11ef5f785ec0b452f.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Youdao\DeskDict\pluginconfig.ini

Filesize
37B

MD5
9682b022c9f21d5419f690b777ef2903

SHA1
ee91525fe989229b7de798cb0ab460ba0c895bd6

SHA256
997a32ffc893c3379aa8d0c02bd5653235061c6da3107ffc3e267be82d8a66fc

SHA512
f1aa7259bbebc9ac75d882234d824c963259d890f25862502737b04ec3561b2e468331bb0e38d2c2e2be2cba934d4abb0677d9f30191c2093577fd097f33d81e

Download Submit
C:\ProgramData\kingsoft\20221124_182123\OfficeAssist.0334.80.1073.exe

Filesize
3.5MB

MD5
3df74b4c3c066a3b8e87e117a69685e9

SHA1
706d8a1d8c9d50ebd1662da6256609bc511cace9

SHA256
79c54508ef24539a843c615d97692016ffdda8e29e8a9f3c67e01d241b23e190

SHA512
f8349bac35794e4a2ed13fa6f3466e8a81e20df77bb81a05a3ec84bcb69c573918a38aa6a0b338fa930fcb61aa1d90b8a8f8f60ceb4b62d7ae906fdd92190bd7

Download Submit
C:\ProgramData\kingsoft\20221124_182123\OfficeAssist.0334.80.1073.exe

Filesize
3.5MB

MD5
3df74b4c3c066a3b8e87e117a69685e9

SHA1
706d8a1d8c9d50ebd1662da6256609bc511cace9

SHA256
79c54508ef24539a843c615d97692016ffdda8e29e8a9f3c67e01d241b23e190

SHA512
f8349bac35794e4a2ed13fa6f3466e8a81e20df77bb81a05a3ec84bcb69c573918a38aa6a0b338fa930fcb61aa1d90b8a8f8f60ceb4b62d7ae906fdd92190bd7

Download Submit
C:\ProgramData\kingsoft\20221124_182123\oem.ini

Filesize
436B

MD5
b378d57eb2de2228149b0c265b918c05

SHA1
1f4202512a639c090547d602df317ff9bd41fede

SHA256
f56b5a22d9730db62155e1e2a4ceaec974b464c37568ed3b17a6d172276900b7

SHA512
f61e550fa07c01eacd716946a46d0165d6cc1571bfe87f492bcf0cf103214befa266f682fefc5b300057d1823f6e4794ba574cb7052661c4916449d6fa7f0c65

Download Submit
C:\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe

Filesize
415KB

MD5
d9fcc8881f529bb9f7b918ac8d6c3105

SHA1
4f84d9cbb7c6fc615937015c766837d53320fa3a

SHA256
375bcaf54e92ae8c84b9f3e78e95373e635c9a42a7b09af4a316a391276c24b0

SHA512
d8d7c24f0edb367aff331e4d04455735dc388a6db49171ffac95a8f0e7ebc3cdb6706a27a8d3c646aaa1edbe83c8c822ac65a7b21eb762b6f695dac95404670a

Download Submit
C:\Users\Admin\AppData\Local\PPTAssist\pptassist.dll

Filesize
659KB

MD5
8fd1c05acc15a8b8870ccb86c6ec2ada

SHA1
888e8be948d18d581eafa89d89cdb1c4ed456554

SHA256
fd8a1a2d0afd990f30b5b535f68a235e34e0bbff23acef3bbc229ea87321ea55

SHA512
4c4ceefaed0bf24c6be25708e53c940f959e876765432c01d94124a1b2e5711b3615eb2551cc93bd2dccf9585e7c615916fdd381cfb6d7041b31ee053f701500

Download Submit
C:\Users\Admin\AppData\Local\PPTAssist\pptassist64.dll

Filesize
636KB

MD5
ea485a34ad18b99148a42f5682a9c4ac

SHA1
7529556258a588dd055143f70373bd95ce15a54d

SHA256
9bb8f1760570e8640154e24dbc5e80910350c4430f49ee466be0a2260f726c38

SHA512
5bef77bf28d00246959ba924d132abaab7025bf1dadb3e700833d552220d760c9412c6867bf2c994ae32cbe6414570d84f3230871cce3fb745ba98e10dafe27d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ig8er.tmp\ck9ed.tmp\OfficeAssist.0334.80.1073.exe

Filesize
3.3MB

MD5
d1f8bedb26a97a78178d311a60940170

SHA1
2810324920920b85c076851e5573cbca3add2def

SHA256
adf8d9b81112ebc39efc89db0ddbb11565be7493f98c8a99386adb66e51da62b

SHA512
b4af5e6f3b5a6bfcf71a0f5b19c114aae5c40443934579643d85843141a926feaad544911eb4b1a17c2b32135578da498c6fe41d347c8b57cdab43ad38052969

Download Submit
C:\Users\Admin\AppData\Local\Temp\ig8er.tmp\ck9ed.tmp\OfficeAssist.0334.80.1073.exe

Filesize
3.3MB

MD5
d1f8bedb26a97a78178d311a60940170

SHA1
2810324920920b85c076851e5573cbca3add2def

SHA256
adf8d9b81112ebc39efc89db0ddbb11565be7493f98c8a99386adb66e51da62b

SHA512
b4af5e6f3b5a6bfcf71a0f5b19c114aae5c40443934579643d85843141a926feaad544911eb4b1a17c2b32135578da498c6fe41d347c8b57cdab43ad38052969

Download Submit
C:\Users\Admin\AppData\Local\Temp\ig8er.tmp\ck9ed.tmp\YoudaoDict_silent4.exe

Filesize
5.3MB

MD5
8c0148de9871f823f6c53bc3d308356e

SHA1
dd93f1ad3fb10246ed71dc717f182066f95dccfe

SHA256
aacb298af42e9df43aad23e58417a71bf4ac20a94bde339f02ce43c91d023a88

SHA512
aca1ac93a75905a3fd36c3546b72bd458e8c0fe82bc43c7ac1521f62d4fb4fdbb726449d846a5a117e0cb577cd9c6f65ecad5d8b251f0ec25d7ad49bca91c71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ig8er.tmp\ck9ed.tmp\YoudaoDict_silent4.exe

Filesize
5.3MB

MD5
8c0148de9871f823f6c53bc3d308356e

SHA1
dd93f1ad3fb10246ed71dc717f182066f95dccfe

SHA256
aacb298af42e9df43aad23e58417a71bf4ac20a94bde339f02ce43c91d023a88

SHA512
aca1ac93a75905a3fd36c3546b72bd458e8c0fe82bc43c7ac1521f62d4fb4fdbb726449d846a5a117e0cb577cd9c6f65ecad5d8b251f0ec25d7ad49bca91c71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd8143.tmp\install.ini

Filesize
227B

MD5
5ea0e7e7094e5ea55f98a15a33c157a5

SHA1
cf0a39df0f0b5b938904312790f4fb84e4e473c8

SHA256
c82d96107ceb1a3ee12fe8efca5272690a9d5965c06b1672be5c25f3e1b7e24d

SHA512
529c3fe69dce782eaec87e3aa5f746760c5a66912c730160007a10070edf8b61acad0298b8977f439a9362cb208bd16639d3a810660dda146b0d31765bb1d75e

Download Submit
C:\Users\Admin\AppData\Local\Youdao\Dict\Application\5.4.46.5554\YodaoDict.api

Filesize
176KB

MD5
4eca618c99ae526787e310d8178746e4

SHA1
078167eeacadd0b676e05d798d588528b6f0c68d

SHA256
1b3c86f7136bf11a9f71871ad49e3b0e4f5f6c704e9f3df39a1ee2013b8f79bc

SHA512
d23ddd7b774a22db348ce05288f23bcf446e615a0763bf2ea4033af7b37ea1404f48316a07fcc3534b1257c37c2a8e63ea5bb1e34c9ca95239ac35b9f54a428d

Download Submit
C:\Users\Admin\AppData\Local\Youdao\Dict\Application\5.4.46.5554\YoudaoDictInstaller.exe

Filesize
639KB

MD5
e66efd047afdf836f9f91a902dda06e3

SHA1
0c9a02e102837fe99724f26df056bddfe8da5556

SHA256
f92ed7d03e10376710fbf2ce1e89588c0328257982841a289d279c988549161f

SHA512
dae9cfe333158a45d90178f7b2d1342ac091a92195178f53bf28b111f974fe7c504e4e8ce6b323d146eb8bfe92097ce18ea943533a244f4f7aef54ae0cd5dd4f

Download Submit
C:\Users\Admin\AppData\Local\Youdao\Dict\Application\5.4.46.5554\YoudaoDictInstaller.exe

Filesize
639KB

MD5
e66efd047afdf836f9f91a902dda06e3

SHA1
0c9a02e102837fe99724f26df056bddfe8da5556

SHA256
f92ed7d03e10376710fbf2ce1e89588c0328257982841a289d279c988549161f

SHA512
dae9cfe333158a45d90178f7b2d1342ac091a92195178f53bf28b111f974fe7c504e4e8ce6b323d146eb8bfe92097ce18ea943533a244f4f7aef54ae0cd5dd4f

Download Submit
C:\Users\Admin\AppData\Local\Youdao\Dict\Application\5.4.46.5554\YoudaoDictInstaller.exe

Filesize
639KB

MD5
e66efd047afdf836f9f91a902dda06e3

SHA1
0c9a02e102837fe99724f26df056bddfe8da5556

SHA256
f92ed7d03e10376710fbf2ce1e89588c0328257982841a289d279c988549161f

SHA512
dae9cfe333158a45d90178f7b2d1342ac091a92195178f53bf28b111f974fe7c504e4e8ce6b323d146eb8bfe92097ce18ea943533a244f4f7aef54ae0cd5dd4f

Download Submit
C:\Users\Admin\AppData\Local\Youdao\Dict\Application\5.4.46.5554\default_config.ini

Filesize
36B

MD5
6b41123acbcaca39a961a2844a6aa40c

SHA1
60c598de13a6138fe505c16e54a16223c644b72d

SHA256
542b73e9213cb4976de9c17c23d4f75840cf65219414778ded73f62b4329329c

SHA512
1bf794c058c17ceb12ccb6424d179fde9b58915c335bd7a918e1360ac716e369e48dd7ce47cd6223a140546bceb5e0fd6f1936b0be09b37bc41fabce023a991f

Download Submit
C:\Users\Admin\AppData\Local\Youdao\Dict\Application\YodaoDict.exe

Filesize
3.5MB

MD5
2b233a47f4dd887af3205f809095be70

SHA1
815636a6c288f6b9695f090d6f6b4ee0e4bff5c3

SHA256
6ed61174b812f5c50caacd133af94ee0ed0b600d57eed850f8b4ba0c38319b2b

SHA512
b5d5d3234c09ed6e4a1c10b286ef9500d238ac69a7c9c750ada68d89e8c177fa38b1d36edd5c843feb5d0021b05d6a135dd5882808af3292c129c284f9c90b2c

Download Submit
C:\Users\Admin\AppData\Local\Youdao\Dict\Application\guid.dat

Filesize
17B

MD5
06857aff60c6e61c69f4d40fe923ea1e

SHA1
f0e3922175b127834bcd6720a2590b37bfe8fa38

SHA256
380fff896538558007f0c49384d6dd2b6e2194e65d0996955e6f711b33f34566

SHA512
679138674e1b14a167649d634f89d90394f3794968c24e0c76c3e66eae6d53cb51f63cf6ee143ac309f20a80678c1cb938d64e419f68483898b95279e4d634d0

Download Submit
C:\Users\Admin\AppData\Local\Youdao\Dict\Application\stable\YoudaoGetWord32.dll

Filesize
303KB

MD5
f69fbc52b96213b02881c7018ad5c21c

SHA1
84d491368428721b6e32ecd5a3620a599187b802

SHA256
513f41181786d4105c4b1f5280a4c6e21bde160b1c5565dab63a409d64fc35bb

SHA512
9b093a4acc755f57c3ca7e760b93e079745db73a4c031fb7c41be8ce55b89414897487d53d06efd63f79599bfcd4681e46054c984ba8ce9bdaa9d44046d14719

Download Submit
C:\Users\Admin\AppData\Local\Youdao\Dict\Application\stable\YoudaoGetWord64.dll

Filesize
485KB

MD5
6e9bf43c08df9b8cd711b04dbf088530

SHA1
db84827539601f8e09520d8408cf24ad722236da

SHA256
0c4ce684888ba1d3ad243819cfc0c36001f5e79b94d8528909eb5b4f6f714f6b

SHA512
08ca5616a0712a0d906d721f0b102a0dcd09e78429b9e03088f8e61472e457bc79122e43b8fd0783841e91db21a7cbfd36fa55edb4e5d46a18f0cd743f5e8476

Download Submit
C:\Users\Admin\AppData\Local\Youdao\Dict\Application\vendor.dat

Filesize
7B

MD5
072369c83ea0a34403e6a7dd6acc148a

SHA1
5a89ef184b4a0c4b5ea285c7b87d640436bc5e67

SHA256
0ac51c92d071d3b2491daf7fbf0b4a5144f98665a06c2a0ba37bc3c570291f6a

SHA512
771507829c1f8eb94347eed019a0158b7d573549651369c4596d3383a45883653afa61ba8706fe76e7af9c5a41c327e3aafa17f8f2bc03458c628b4ce4556477

Download Submit
\ProgramData\kingsoft\20221124_182123\OfficeAssist.0334.80.1073.exe

Filesize
3.5MB

MD5
3df74b4c3c066a3b8e87e117a69685e9

SHA1
706d8a1d8c9d50ebd1662da6256609bc511cace9

SHA256
79c54508ef24539a843c615d97692016ffdda8e29e8a9f3c67e01d241b23e190

SHA512
f8349bac35794e4a2ed13fa6f3466e8a81e20df77bb81a05a3ec84bcb69c573918a38aa6a0b338fa930fcb61aa1d90b8a8f8f60ceb4b62d7ae906fdd92190bd7

Download Submit
\ProgramData\kingsoft\20221124_182123\OfficeAssist.0334.80.1073.exe

Filesize
3.5MB

MD5
3df74b4c3c066a3b8e87e117a69685e9

SHA1
706d8a1d8c9d50ebd1662da6256609bc511cace9

SHA256
79c54508ef24539a843c615d97692016ffdda8e29e8a9f3c67e01d241b23e190

SHA512
f8349bac35794e4a2ed13fa6f3466e8a81e20df77bb81a05a3ec84bcb69c573918a38aa6a0b338fa930fcb61aa1d90b8a8f8f60ceb4b62d7ae906fdd92190bd7

Download Submit
\ProgramData\kingsoft\20221124_182123\OfficeAssist.0334.80.1073.exe

Filesize
3.5MB

MD5
3df74b4c3c066a3b8e87e117a69685e9

SHA1
706d8a1d8c9d50ebd1662da6256609bc511cace9

SHA256
79c54508ef24539a843c615d97692016ffdda8e29e8a9f3c67e01d241b23e190

SHA512
f8349bac35794e4a2ed13fa6f3466e8a81e20df77bb81a05a3ec84bcb69c573918a38aa6a0b338fa930fcb61aa1d90b8a8f8f60ceb4b62d7ae906fdd92190bd7

Download Submit
\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe

Filesize
415KB

MD5
d9fcc8881f529bb9f7b918ac8d6c3105

SHA1
4f84d9cbb7c6fc615937015c766837d53320fa3a

SHA256
375bcaf54e92ae8c84b9f3e78e95373e635c9a42a7b09af4a316a391276c24b0

SHA512
d8d7c24f0edb367aff331e4d04455735dc388a6db49171ffac95a8f0e7ebc3cdb6706a27a8d3c646aaa1edbe83c8c822ac65a7b21eb762b6f695dac95404670a

Download Submit
\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe

Filesize
415KB

MD5
d9fcc8881f529bb9f7b918ac8d6c3105

SHA1
4f84d9cbb7c6fc615937015c766837d53320fa3a

SHA256
375bcaf54e92ae8c84b9f3e78e95373e635c9a42a7b09af4a316a391276c24b0

SHA512
d8d7c24f0edb367aff331e4d04455735dc388a6db49171ffac95a8f0e7ebc3cdb6706a27a8d3c646aaa1edbe83c8c822ac65a7b21eb762b6f695dac95404670a

Download Submit
\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe

Filesize
415KB

MD5
d9fcc8881f529bb9f7b918ac8d6c3105

SHA1
4f84d9cbb7c6fc615937015c766837d53320fa3a

SHA256
375bcaf54e92ae8c84b9f3e78e95373e635c9a42a7b09af4a316a391276c24b0

SHA512
d8d7c24f0edb367aff331e4d04455735dc388a6db49171ffac95a8f0e7ebc3cdb6706a27a8d3c646aaa1edbe83c8c822ac65a7b21eb762b6f695dac95404670a

Download Submit
\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe

Filesize
415KB

MD5
d9fcc8881f529bb9f7b918ac8d6c3105

SHA1
4f84d9cbb7c6fc615937015c766837d53320fa3a

SHA256
375bcaf54e92ae8c84b9f3e78e95373e635c9a42a7b09af4a316a391276c24b0

SHA512
d8d7c24f0edb367aff331e4d04455735dc388a6db49171ffac95a8f0e7ebc3cdb6706a27a8d3c646aaa1edbe83c8c822ac65a7b21eb762b6f695dac95404670a

Download Submit
\Users\Admin\AppData\Local\PPTAssist\meihua.exe

Filesize
316KB

MD5
c7e1e0d5ae3279c8e021881e8525c31c

SHA1
0e03cd79bd8eb2d6a5edd5fa577ae287291da4fb

SHA256
4095cf3cd0c9b4cbdb5e709524436555076b030795119b227878fa2486651597

SHA512
4894764af0e37e37eb7f7cb2ddc200d5ce626b5f71732a9e02f3ae512d6e0a6b5c59d4ff80f9d3a02636181cbe073b401926652430d1c4a3df027f44d90a99b4

Download Submit
\Users\Admin\AppData\Local\PPTAssist\pptassist.dll

Filesize
659KB

MD5
8fd1c05acc15a8b8870ccb86c6ec2ada

SHA1
888e8be948d18d581eafa89d89cdb1c4ed456554

SHA256
fd8a1a2d0afd990f30b5b535f68a235e34e0bbff23acef3bbc229ea87321ea55

SHA512
4c4ceefaed0bf24c6be25708e53c940f959e876765432c01d94124a1b2e5711b3615eb2551cc93bd2dccf9585e7c615916fdd381cfb6d7041b31ee053f701500

Download Submit
\Users\Admin\AppData\Local\PPTAssist\pptassist64.dll

Filesize
636KB

MD5
ea485a34ad18b99148a42f5682a9c4ac

SHA1
7529556258a588dd055143f70373bd95ce15a54d

SHA256
9bb8f1760570e8640154e24dbc5e80910350c4430f49ee466be0a2260f726c38

SHA512
5bef77bf28d00246959ba924d132abaab7025bf1dadb3e700833d552220d760c9412c6867bf2c994ae32cbe6414570d84f3230871cce3fb745ba98e10dafe27d

Download Submit
\Users\Admin\AppData\Local\PPTAssist\pptassist64.dll

Filesize
636KB

MD5
ea485a34ad18b99148a42f5682a9c4ac

SHA1
7529556258a588dd055143f70373bd95ce15a54d

SHA256
9bb8f1760570e8640154e24dbc5e80910350c4430f49ee466be0a2260f726c38

SHA512
5bef77bf28d00246959ba924d132abaab7025bf1dadb3e700833d552220d760c9412c6867bf2c994ae32cbe6414570d84f3230871cce3fb745ba98e10dafe27d

Download Submit
\Users\Admin\AppData\Local\Temp\ig8er.tmp\ck9ed.tmp\OfficeAssist.0334.80.1073.exe

Filesize
3.3MB

MD5
d1f8bedb26a97a78178d311a60940170

SHA1
2810324920920b85c076851e5573cbca3add2def

SHA256
adf8d9b81112ebc39efc89db0ddbb11565be7493f98c8a99386adb66e51da62b

SHA512
b4af5e6f3b5a6bfcf71a0f5b19c114aae5c40443934579643d85843141a926feaad544911eb4b1a17c2b32135578da498c6fe41d347c8b57cdab43ad38052969

Download Submit
\Users\Admin\AppData\Local\Temp\ig8er.tmp\ck9ed.tmp\OfficeAssist.0334.80.1073.exe

Filesize
3.3MB

MD5
d1f8bedb26a97a78178d311a60940170

SHA1
2810324920920b85c076851e5573cbca3add2def

SHA256
adf8d9b81112ebc39efc89db0ddbb11565be7493f98c8a99386adb66e51da62b

SHA512
b4af5e6f3b5a6bfcf71a0f5b19c114aae5c40443934579643d85843141a926feaad544911eb4b1a17c2b32135578da498c6fe41d347c8b57cdab43ad38052969

Download Submit
\Users\Admin\AppData\Local\Temp\ig8er.tmp\ck9ed.tmp\OfficeAssist.0334.80.1073.exe

Filesize
3.3MB

MD5
d1f8bedb26a97a78178d311a60940170

SHA1
2810324920920b85c076851e5573cbca3add2def

SHA256
adf8d9b81112ebc39efc89db0ddbb11565be7493f98c8a99386adb66e51da62b

SHA512
b4af5e6f3b5a6bfcf71a0f5b19c114aae5c40443934579643d85843141a926feaad544911eb4b1a17c2b32135578da498c6fe41d347c8b57cdab43ad38052969

Download Submit
\Users\Admin\AppData\Local\Temp\ig8er.tmp\ck9ed.tmp\YoudaoDict_silent4.exe

Filesize
5.3MB

MD5
8c0148de9871f823f6c53bc3d308356e

SHA1
dd93f1ad3fb10246ed71dc717f182066f95dccfe

SHA256
aacb298af42e9df43aad23e58417a71bf4ac20a94bde339f02ce43c91d023a88

SHA512
aca1ac93a75905a3fd36c3546b72bd458e8c0fe82bc43c7ac1521f62d4fb4fdbb726449d846a5a117e0cb577cd9c6f65ecad5d8b251f0ec25d7ad49bca91c71a

Download Submit
\Users\Admin\AppData\Local\Temp\ig8er.tmp\ck9ed.tmp\YoudaoDict_silent4.exe

Filesize
5.3MB

MD5
8c0148de9871f823f6c53bc3d308356e

SHA1
dd93f1ad3fb10246ed71dc717f182066f95dccfe

SHA256
aacb298af42e9df43aad23e58417a71bf4ac20a94bde339f02ce43c91d023a88

SHA512
aca1ac93a75905a3fd36c3546b72bd458e8c0fe82bc43c7ac1521f62d4fb4fdbb726449d846a5a117e0cb577cd9c6f65ecad5d8b251f0ec25d7ad49bca91c71a

Download Submit
\Users\Admin\AppData\Local\Temp\ig8er.tmp\ck9ed.tmp\YoudaoDict_silent4.exe

Filesize
5.3MB

MD5
8c0148de9871f823f6c53bc3d308356e

SHA1
dd93f1ad3fb10246ed71dc717f182066f95dccfe

SHA256
aacb298af42e9df43aad23e58417a71bf4ac20a94bde339f02ce43c91d023a88

SHA512
aca1ac93a75905a3fd36c3546b72bd458e8c0fe82bc43c7ac1521f62d4fb4fdbb726449d846a5a117e0cb577cd9c6f65ecad5d8b251f0ec25d7ad49bca91c71a

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8143.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
\Users\Admin\AppData\Local\Temp\nst9040.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nst9040.tmp\v6svc.dll

Filesize
152KB

MD5
55f61ea711be0b779e04b7892a22dd8a

SHA1
cdc284ca7033555a750fdd01e059dd1d0b0ce723

SHA256
edc56b07eea86ceac8222504236702a8f63de3bc8260cb49d25e78702b82a71a

SHA512
369e225f8c99f9959d2c4363810cd53831cfa61509f4cf625f134a309f927f92f649330c9db2a583ab97927743a26a75239520dd787cbf6db6d97edbb60eddd9

Download Submit
\Users\Admin\AppData\Local\Youdao\Dict\Application\5.4.46.5554\WordBook.exe

Filesize
1.8MB

MD5
5139ed29fd161186f30ff3ddbce9e8ea

SHA1
789c5194b97091f63d22f768a79506bad2c3cfcb

SHA256
21542248db45939591f0fd469afafc0264b5f5d6622e351653e269ec034a16ae

SHA512
8a6b5340fcb02abaebd4c78cb925d4e3e684f10694ad965b762cbb70faa2a9a33d9238c8ee29dd28491107225bdc7dad1fa291a2350ba24d54b1589b8156154f

Download Submit
\Users\Admin\AppData\Local\Youdao\Dict\Application\5.4.46.5554\YoudaoDictInstaller.exe

Filesize
639KB

MD5
e66efd047afdf836f9f91a902dda06e3

SHA1
0c9a02e102837fe99724f26df056bddfe8da5556

SHA256
f92ed7d03e10376710fbf2ce1e89588c0328257982841a289d279c988549161f

SHA512
dae9cfe333158a45d90178f7b2d1342ac091a92195178f53bf28b111f974fe7c504e4e8ce6b323d146eb8bfe92097ce18ea943533a244f4f7aef54ae0cd5dd4f

Download Submit
\Users\Admin\AppData\Local\Youdao\Dict\Application\5.4.46.5554\YoudaoDictInstaller.exe

Filesize
639KB

MD5
e66efd047afdf836f9f91a902dda06e3

SHA1
0c9a02e102837fe99724f26df056bddfe8da5556

SHA256
f92ed7d03e10376710fbf2ce1e89588c0328257982841a289d279c988549161f

SHA512
dae9cfe333158a45d90178f7b2d1342ac091a92195178f53bf28b111f974fe7c504e4e8ce6b323d146eb8bfe92097ce18ea943533a244f4f7aef54ae0cd5dd4f

Download Submit
\Users\Admin\AppData\Local\Youdao\Dict\Application\5.4.46.5554\YoudaoDictInstaller.exe

Filesize
639KB

MD5
e66efd047afdf836f9f91a902dda06e3

SHA1
0c9a02e102837fe99724f26df056bddfe8da5556

SHA256
f92ed7d03e10376710fbf2ce1e89588c0328257982841a289d279c988549161f

SHA512
dae9cfe333158a45d90178f7b2d1342ac091a92195178f53bf28b111f974fe7c504e4e8ce6b323d146eb8bfe92097ce18ea943533a244f4f7aef54ae0cd5dd4f

Download Submit
\Users\Admin\AppData\Local\Youdao\Dict\Application\5.4.46.5554\YoudaoDictInstaller.exe

Filesize
639KB

MD5
e66efd047afdf836f9f91a902dda06e3

SHA1
0c9a02e102837fe99724f26df056bddfe8da5556

SHA256
f92ed7d03e10376710fbf2ce1e89588c0328257982841a289d279c988549161f

SHA512
dae9cfe333158a45d90178f7b2d1342ac091a92195178f53bf28b111f974fe7c504e4e8ce6b323d146eb8bfe92097ce18ea943533a244f4f7aef54ae0cd5dd4f

Download Submit
\Users\Admin\AppData\Local\Youdao\Dict\Application\5.4.46.5554\YoudaoDictInstaller.exe

Filesize
639KB

MD5
e66efd047afdf836f9f91a902dda06e3

SHA1
0c9a02e102837fe99724f26df056bddfe8da5556

SHA256
f92ed7d03e10376710fbf2ce1e89588c0328257982841a289d279c988549161f

SHA512
dae9cfe333158a45d90178f7b2d1342ac091a92195178f53bf28b111f974fe7c504e4e8ce6b323d146eb8bfe92097ce18ea943533a244f4f7aef54ae0cd5dd4f

Download Submit
\Users\Admin\AppData\Local\Youdao\Dict\Application\5.4.46.5554\YoudaoDictInstaller.exe

Filesize
639KB

MD5
e66efd047afdf836f9f91a902dda06e3

SHA1
0c9a02e102837fe99724f26df056bddfe8da5556

SHA256
f92ed7d03e10376710fbf2ce1e89588c0328257982841a289d279c988549161f

SHA512
dae9cfe333158a45d90178f7b2d1342ac091a92195178f53bf28b111f974fe7c504e4e8ce6b323d146eb8bfe92097ce18ea943533a244f4f7aef54ae0cd5dd4f

Download Submit
\Users\Admin\AppData\Local\Youdao\Dict\Application\YodaoDict.exe

Filesize
3.5MB

MD5
2b233a47f4dd887af3205f809095be70

SHA1
815636a6c288f6b9695f090d6f6b4ee0e4bff5c3

SHA256
6ed61174b812f5c50caacd133af94ee0ed0b600d57eed850f8b4ba0c38319b2b

SHA512
b5d5d3234c09ed6e4a1c10b286ef9500d238ac69a7c9c750ada68d89e8c177fa38b1d36edd5c843feb5d0021b05d6a135dd5882808af3292c129c284f9c90b2c

Download Submit
\Users\Admin\AppData\Local\Youdao\Dict\Application\YodaoDict.exe

Filesize
3.5MB

MD5
2b233a47f4dd887af3205f809095be70

SHA1
815636a6c288f6b9695f090d6f6b4ee0e4bff5c3

SHA256
6ed61174b812f5c50caacd133af94ee0ed0b600d57eed850f8b4ba0c38319b2b

SHA512
b5d5d3234c09ed6e4a1c10b286ef9500d238ac69a7c9c750ada68d89e8c177fa38b1d36edd5c843feb5d0021b05d6a135dd5882808af3292c129c284f9c90b2c

Download Submit
\Users\Admin\AppData\Local\Youdao\Dict\Application\YodaoDict.exe

Filesize
3.5MB

MD5
2b233a47f4dd887af3205f809095be70

SHA1
815636a6c288f6b9695f090d6f6b4ee0e4bff5c3

SHA256
6ed61174b812f5c50caacd133af94ee0ed0b600d57eed850f8b4ba0c38319b2b

SHA512
b5d5d3234c09ed6e4a1c10b286ef9500d238ac69a7c9c750ada68d89e8c177fa38b1d36edd5c843feb5d0021b05d6a135dd5882808af3292c129c284f9c90b2c

Download Submit
\Users\Admin\AppData\Local\Youdao\Dict\Application\YodaoDict.exe

Filesize
3.5MB

MD5
2b233a47f4dd887af3205f809095be70

SHA1
815636a6c288f6b9695f090d6f6b4ee0e4bff5c3

SHA256
6ed61174b812f5c50caacd133af94ee0ed0b600d57eed850f8b4ba0c38319b2b

SHA512
b5d5d3234c09ed6e4a1c10b286ef9500d238ac69a7c9c750ada68d89e8c177fa38b1d36edd5c843feb5d0021b05d6a135dd5882808af3292c129c284f9c90b2c

Download Submit
\Users\Admin\AppData\Local\Youdao\Dict\Application\YodaoDict.exe

Filesize
3.5MB

MD5
2b233a47f4dd887af3205f809095be70

SHA1
815636a6c288f6b9695f090d6f6b4ee0e4bff5c3

SHA256
6ed61174b812f5c50caacd133af94ee0ed0b600d57eed850f8b4ba0c38319b2b

SHA512
b5d5d3234c09ed6e4a1c10b286ef9500d238ac69a7c9c750ada68d89e8c177fa38b1d36edd5c843feb5d0021b05d6a135dd5882808af3292c129c284f9c90b2c

Download Submit
\Users\Admin\AppData\Local\Youdao\Dict\Application\YodaoDict.exe

Filesize
3.5MB

MD5
2b233a47f4dd887af3205f809095be70

SHA1
815636a6c288f6b9695f090d6f6b4ee0e4bff5c3

SHA256
6ed61174b812f5c50caacd133af94ee0ed0b600d57eed850f8b4ba0c38319b2b

SHA512
b5d5d3234c09ed6e4a1c10b286ef9500d238ac69a7c9c750ada68d89e8c177fa38b1d36edd5c843feb5d0021b05d6a135dd5882808af3292c129c284f9c90b2c

Download Submit
\Users\Admin\AppData\Local\Youdao\Dict\Application\YodaoDict.exe

Filesize
3.5MB

MD5
2b233a47f4dd887af3205f809095be70

SHA1
815636a6c288f6b9695f090d6f6b4ee0e4bff5c3

SHA256
6ed61174b812f5c50caacd133af94ee0ed0b600d57eed850f8b4ba0c38319b2b

SHA512
b5d5d3234c09ed6e4a1c10b286ef9500d238ac69a7c9c750ada68d89e8c177fa38b1d36edd5c843feb5d0021b05d6a135dd5882808af3292c129c284f9c90b2c

Download Submit
\Users\Admin\AppData\Local\Youdao\Dict\Application\YodaoDict.exe

Filesize
3.5MB

MD5
2b233a47f4dd887af3205f809095be70

SHA1
815636a6c288f6b9695f090d6f6b4ee0e4bff5c3

SHA256
6ed61174b812f5c50caacd133af94ee0ed0b600d57eed850f8b4ba0c38319b2b

SHA512
b5d5d3234c09ed6e4a1c10b286ef9500d238ac69a7c9c750ada68d89e8c177fa38b1d36edd5c843feb5d0021b05d6a135dd5882808af3292c129c284f9c90b2c

Download Submit
\Users\Admin\AppData\Local\Youdao\Dict\Application\YodaoDict.exe

Filesize
3.5MB

MD5
2b233a47f4dd887af3205f809095be70

SHA1
815636a6c288f6b9695f090d6f6b4ee0e4bff5c3

SHA256
6ed61174b812f5c50caacd133af94ee0ed0b600d57eed850f8b4ba0c38319b2b

SHA512
b5d5d3234c09ed6e4a1c10b286ef9500d238ac69a7c9c750ada68d89e8c177fa38b1d36edd5c843feb5d0021b05d6a135dd5882808af3292c129c284f9c90b2c

Download Submit
\Users\Admin\AppData\Local\Youdao\Dict\Application\YodaoDict.exe

Filesize
3.5MB

MD5
2b233a47f4dd887af3205f809095be70

SHA1
815636a6c288f6b9695f090d6f6b4ee0e4bff5c3

SHA256
6ed61174b812f5c50caacd133af94ee0ed0b600d57eed850f8b4ba0c38319b2b

SHA512
b5d5d3234c09ed6e4a1c10b286ef9500d238ac69a7c9c750ada68d89e8c177fa38b1d36edd5c843feb5d0021b05d6a135dd5882808af3292c129c284f9c90b2c

Download Submit
\Users\Admin\AppData\Local\Youdao\Dict\Application\stable\YoudaoGetWord32.dll

Filesize
303KB

MD5
f69fbc52b96213b02881c7018ad5c21c

SHA1
84d491368428721b6e32ecd5a3620a599187b802

SHA256
513f41181786d4105c4b1f5280a4c6e21bde160b1c5565dab63a409d64fc35bb

SHA512
9b093a4acc755f57c3ca7e760b93e079745db73a4c031fb7c41be8ce55b89414897487d53d06efd63f79599bfcd4681e46054c984ba8ce9bdaa9d44046d14719

Download Submit
\Users\Admin\AppData\Local\Youdao\Dict\Application\stable\YoudaoGetWord64.dll

Filesize
485KB

MD5
6e9bf43c08df9b8cd711b04dbf088530

SHA1
db84827539601f8e09520d8408cf24ad722236da

SHA256
0c4ce684888ba1d3ad243819cfc0c36001f5e79b94d8528909eb5b4f6f714f6b

SHA512
08ca5616a0712a0d906d721f0b102a0dcd09e78429b9e03088f8e61472e457bc79122e43b8fd0783841e91db21a7cbfd36fa55edb4e5d46a18f0cd743f5e8476

Download Submit
\Users\Admin\AppData\Local\Youdao\Dict\Application\stable\YoudaoGetWord64.dll

Filesize
485KB

MD5
6e9bf43c08df9b8cd711b04dbf088530

SHA1
db84827539601f8e09520d8408cf24ad722236da

SHA256
0c4ce684888ba1d3ad243819cfc0c36001f5e79b94d8528909eb5b4f6f714f6b

SHA512
08ca5616a0712a0d906d721f0b102a0dcd09e78429b9e03088f8e61472e457bc79122e43b8fd0783841e91db21a7cbfd36fa55edb4e5d46a18f0cd743f5e8476

Download Submit
\Users\Admin\AppData\Local\Youdao\Dict\Application\uninst.exe

Filesize
551KB

MD5
349553494b4275679980bb99da9724e5

SHA1
ccb35167087f535d96ef52c7eb46f450d59e3c1f

SHA256
6cd011edf47e566d93af8567a45b2af77bd0ad7683e425997798afcd3db521de

SHA512
0ea8a41fc37387cff4ea3736873fffba8a4a3cf16ef9deda74a1e5a5d46aa912288ced93d120c3b63ea55e4a584782749bf143e02fbec5d8568b85a63b164af6

Download Submit
memory/544-157-0x00000000009A0000-0x0000000000ADE000-memory.dmp

Filesize
1.2MB

Download
memory/544-158-0x0000000000AE0000-0x0000000000C1E000-memory.dmp

Filesize
1.2MB

Download
memory/544-150-0x0000000000000000-mapping.dmp

Download
memory/544-162-0x00000000009A0000-0x0000000000ADE000-memory.dmp

Filesize
1.2MB

Download
memory/564-99-0x0000000000000000-mapping.dmp

Download
memory/636-166-0x0000000000000000-mapping.dmp

Download
memory/768-117-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

Filesize
8KB

Download
memory/768-114-0x0000000000000000-mapping.dmp

Download
memory/872-165-0x00000000003D0000-0x000000000050E000-memory.dmp

Filesize
1.2MB

Download
memory/872-153-0x0000000000000000-mapping.dmp

Download
memory/872-159-0x00000000003D0000-0x000000000050E000-memory.dmp

Filesize
1.2MB

Download
memory/872-160-0x0000000000250000-0x000000000038E000-memory.dmp

Filesize
1.2MB

Download
memory/872-164-0x00000000003D0000-0x000000000050E000-memory.dmp

Filesize
1.2MB

Download
memory/872-161-0x0000000000250000-0x000000000038E000-memory.dmp

Filesize
1.2MB

Download
memory/904-141-0x0000000000000000-mapping.dmp

Download
memory/940-78-0x0000000000000000-mapping.dmp

Download
memory/940-156-0x0000000002530000-0x000000000266E000-memory.dmp

Filesize
1.2MB

Download
memory/940-155-0x0000000002530000-0x000000000266E000-memory.dmp

Filesize
1.2MB

Download
memory/980-124-0x0000000000000000-mapping.dmp

Download
memory/1184-61-0x0000000000000000-mapping.dmp

Download
memory/1320-111-0x0000000000000000-mapping.dmp

Download
memory/1348-55-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1348-57-0x0000000000230000-0x0000000000245000-memory.dmp

Filesize
84KB

Download
memory/1348-167-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1348-58-0x0000000000230000-0x0000000000245000-memory.dmp

Filesize
84KB

Download
memory/1348-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1348-56-0x0000000000230000-0x0000000000245000-memory.dmp

Filesize
84KB

Download
memory/1348-59-0x0000000000230000-0x0000000000245000-memory.dmp

Filesize
84KB

Download
memory/1404-86-0x0000000000000000-mapping.dmp

Download
memory/1624-134-0x0000000000000000-mapping.dmp

Download
memory/1628-136-0x0000000000000000-mapping.dmp

Download
memory/1632-169-0x0000000000000000-mapping.dmp

Download
memory/1764-130-0x0000000000000000-mapping.dmp

Download
memory/1808-108-0x0000000000000000-mapping.dmp

Download
memory/1900-98-0x0000000000000000-mapping.dmp

Download
memory/1984-69-0x0000000000000000-mapping.dmp

Download
memory/1984-163-0x0000000000300000-0x000000000030B000-memory.dmp

Filesize
44KB

Download