a98cc25206131a8332af1f840b12438cc337576ab3b60e8d808590fabfe99f1d

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28-12-2022 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wps_office_inst.exe
Size

5.2MB
MD5

0774933894f8d4e54675e959efe06c42
SHA1

2d2c240494065a2d71b6cbdd40dc90e0f809dd43
SHA256

1050973ea42dc8afcfb9d037450e9ab9485f08afcfec3d0c3f4a6fe71800cd7e
SHA512

b33f5614fcabe88177dea07df7d608013e162919bb2f313ec6e3eb4b8eb16a8f4a0ea9d3e7823920c45bb5c136a51f0ca7b8d10b7539ca9885ca59430213fadb
SSDEEP

98304:vYCjhUpyGHZFZgoGAEh3YsbLGzkY83nJfDUTPY37/uxl:vopyGHHyogxe7MJLUqu

Score

10^/10

bootkit discovery evasion persistence trojan

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\lnkfile\ShellEx	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext\ = "{28A80003-18FD-411D-B0A3-3C81F618E22B}"	regsvr32.exe

Executes dropped EXE 20 IoCs

Processes:

fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exefdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exeksomisc.exeksomisc.exewpscloudsvr.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exewps.exewps.exewps.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exe

pid	process
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
820	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
988	ksomisc.exe
1568	ksomisc.exe
668	wpscloudsvr.exe
1632	ksomisc.exe
1420	ksomisc.exe
1148	ksomisc.exe
1744	ksomisc.exe
1268	ksomisc.exe
856	ksomisc.exe
1884	wps.exe
632	wps.exe
432	wps.exe
588	ksomisc.exe
1528	ksomisc.exe
1328	ksomisc.exe
1268	ksomisc.exe
960	ksomisc.exe
1996	ksomisc.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

ksomisc.exeregsvr32.exeksomisc.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{00020820-0000-0000-C000-000000000046}\LocalServer32\.ksobak	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{00020821-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003100320030007e0031002e003100310034005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f006500740000000000	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{00020812-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1120~1.114\\office6\\et.exe /Automation"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{3C18EAE4-BC25-4134-B7DF-1ECA1337DDDC}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1120~1.114\\office6\\wps.exe /prometheus /wpp"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\11.2.0.11440\\office6\\kwpsmenushellext64.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\11.2.0.11440\\office6\\wps.exe\" /prometheus /et /Automation"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{00020832-0000-0000-C000-000000000046}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{048EB43E-2059-422F-95E0-557DA96038AF}\LocalServer32\.ksobak	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1120~1.114\\office6\\wps.exe /prometheus /wps"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{048EB43E-2059-422F-95E0-557DA96038AF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1120~1.114\\office6\\wps.exe /prometheus /wpp"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{00020900-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1120~1.114\\office6\\wps.exe /prometheus /wps"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{45540001-5750-5300-4B49-4E47534F4655}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\11.2.0.11440\\office6\\wps.exe\" /prometheus /et /Automation"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1120~1.114\\office6\\wps.exe /prometheus /wps"	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003100320030007e0031002e003100310034005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003100320030007e0031002e003100310034005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{3C18EAE4-BC25-4134-B7DF-1ECA1337DDDC}\LocalServer32\.ksobak	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1120~1.114\\office6\\wps.exe /prometheus /wpp"	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{00020900-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003100320030007e0031002e003100310034005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003100320030007e0031002e003100310034005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{91493443-94BF-4940-926D-4F38FECF2A48}\InprocServer32	ksomisc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C360CF9-D475-44FC-8163-AD6C95CF5F5D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\LocalServer32\.ksobak	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\LocalServer32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{000209FF-0000-0000-C000-000000000046}\LocalServer32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{048EB43E-2059-422F-95E0-557DA96038AF}\LocalServer32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{000209F0-0000-4b30-A977-D214852036FF}\InprocServer32\Class	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{45540001-5750-5300-4B49-4E47534F4655}\LocalServer32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{45540003-5750-5300-4B49-4E47534F4655}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1120~1.114\\office6\\wps.exe /prometheus /wps"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{000209FE-0000-0000-C000-000000000046}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{00020820-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1120~1.114\\office6\\wps.exe /prometheus /et"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{00020812-0000-0000-C000-000000000046}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{00020812-0000-0000-C000-000000000046}\LocalServer32\.ksobak	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\11.2.0.11440\\office6\\refedit.dll"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32\.ksobak	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{000209FE-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1120~1.114\\office6\\wps.exe /Automation"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{00020820-0000-0000-C000-000000000046}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\LocalServer32\.ksobak	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1120~1.114\\office6\\wps.exe /prometheus /wpp"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{0002CE21-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\11.2.0.11440\\office6\\mui\\default\\resource\\ksee\\EqnEdit.exe"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{44720444-94BF-4940-926D-4F38FECF2A48}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{44720444-94BF-4940-926D-4F38FECF2A48}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\11.2.0.11440\\office6\\wps.exe\" /prometheus /wpp"	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{000209FE-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003100320030007e0031002e003100310034005c006f006600660069006300650036005c007700700073002e0065007800650020002f004100750074006f006d006100740069006f006e0000000000	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{91493443-94BF-4940-926D-4F38FECF2A48}\InprocServer32\Class\ = "WPS.Office.Interop.Wpp.GlobalClass"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1120~1.114\\office6\\wps.exe /prometheus /wpp"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\LocalServer32	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{91493441-5A91-11CF-8700-00AA0060263B}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003100320030007e0031002e003100310034005c006f006600660069006300650036005c007700700070002e0065007800650020002f004100750074006f006d006100740069006f006e0000000000	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{000209FF-0000-4b30-A977-D214852036FF}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{000209FF-0000-4b30-A977-D214852036FF}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\11.2.0.11440\\office6\\wps.exe\" /prometheus /wps /Automation"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32\Class	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{000209FF-0000-0000-C000-000000000046}\LocalServer32\.ksobak	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{00024500-0000-0000-C000-000000000046}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{00024500-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1120~1.114\\office6\\et.exe /Automation"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\.ksobak	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\LocalServer32	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003100320030007e0031002e003100310034005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000	ksomisc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\11.2.0.11440\\office6\\kwpsmenushellext64.dll"	regsvr32.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wps_office_inst.exeksomisc.exeksomisc.exeksomisc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation	wps_office_inst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation	ksomisc.exe

Loads dropped DLL 64 IoCs

Processes:

wps_office_inst.exefdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exefdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exeksomisc.exe

pid	process
2040	wps_office_inst.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
820	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

wpscloudsvr.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wpscloudsvr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wpscloudsvr.exe

Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

ksomisc.exewps_office_inst.exefdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exefdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exeksomisc.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	ksomisc.exe
File opened for modification	\??\PhysicalDrive0	wps_office_inst.exe
File opened for modification	\??\PhysicalDrive0	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
File opened for modification	\??\PhysicalDrive0	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
File opened for modification	\??\PhysicalDrive0	ksomisc.exe

Drops file in Program Files directory 1 IoCs

Processes:

fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe

description	ioc	process
File created	C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

ksomisc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{E436987E-F427-4AD7-8738-6D0895A3E93F}"	ksomisc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}	ksomisc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024"	ksomisc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{AB5357A7-3179-47F9-A705-966B8B936D5E}"	ksomisc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}	ksomisc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024"	ksomisc.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
Key created	\REGISTRY\USER\S-1-5-20	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe

Modifies registry class 64 IoCs

Processes:

ksomisc.exeksomisc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Interface\{00020869-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Interface\{000C0308-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Interface\{000C0304-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Interface\{000C0334-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{000C1533-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{00020976-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\KET.SecWorkbook.9\shell\open	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{000208A1-0000-0000-C000-000000000046}\ = "Arcs"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{00024497-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{0002089D-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Interface\{000C0316-0000-0000-C000-000000000046}\ = "GroupShapes"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Interface\{000C0398-0000-0000-C000-000000000046}\TypeLib\Version = "63.1"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.3\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\11.2.0.11440\\office6\\ksoapi.dll"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{0002094B-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Interface\{91493454-5A91-11CF-8700-00AA0060263B}\ = "Selection"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{91493488-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{45540003-5750-5300-4B49-4E47534F4655}\Verb\0	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Interface\{000C1724-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{000209CD-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Interface\{00020927-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Interface\{000209A1-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Interface\{914934C8-5A91-11CF-8700-00AA0060263B}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{000244BF-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\WPS.Dot.6\shell\new\command	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{00020926-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Interface\{000209AE-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{50209974-BA32-4A03-8FA6-BAC56CC056FD}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{00024486-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Interface\{0002E165-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\WPP.PPTM.6\shell\open\command	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{00194002-D9C3-11D3-8D59-0050048384E3}\ = "ILicAgent"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\KWPS.Template.12\CLSID	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{56AFD330-440C-4F4C-A39C-ED306D084D5F}\TypeLib\Version = "3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{914934E1-5A91-11CF-8700-00AA0060263B}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{3D2F865B-E2DB-4896-BC35-6A006DF896DC}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{000244DA-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Interface\{000C0316-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{00020940-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Interface\{E59544D5-C299-46A0-84C1-C51AB38F9759}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{BFD3FC23-F763-4FF8-826E-1AFBF598A4E7}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Interface\{0002096D-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{92D41A6C-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Interface\{00024471-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Interface\{000244E4-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Interface\{000C031E-0000-0000-C000-000000000046}\ = "Shapes"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{0002092D-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Interface\{00024429-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{40810760-068A-4486-BEC9-8EA58C7029F5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Interface\{000244DE-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{0002E16A-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{0002094E-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Interface\{000209EB-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Interface\{53FACA33-DB22-473F-BB51-96C2C86C9304}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{92D41A75-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Interface\{0002449D-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{0002CE21-0000-0000-C000-000000000046}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{00020924-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Interface\{E6AAEC05-E543-4085-BA92-9BF7D2474F51}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{0002096C-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{00024425-0000-0000-C000-000000000046}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Interface\{0002449D-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{56AFD330-440C-4F4C-A39C-ED306D084D5F}\ = "PlotArea"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Interface\{E3124493-7D6A-410F-9A48-CC822C033CEC}\TypeLib\Version = "3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\KET.Sheet.12\shell	ksomisc.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

wps_office_inst.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	wps_office_inst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	wps_office_inst.exe

Suspicious behavior: AddClipboardFormatListener 14 IoCs

Processes:

fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exe

pid	process
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
988	ksomisc.exe
1568	ksomisc.exe
1632	ksomisc.exe
1420	ksomisc.exe
1148	ksomisc.exe
1744	ksomisc.exe
1268	ksomisc.exe
856	ksomisc.exe
588	ksomisc.exe
1528	ksomisc.exe
1328	ksomisc.exe
1268	ksomisc.exe
960	ksomisc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

wps_office_inst.exefdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exefdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exeksomisc.exeksomisc.exewpscloudsvr.exeksomisc.exeregsvr32.exeregsvr32.exeksomisc.exeksomisc.exe

pid	process
2040	wps_office_inst.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
820	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
820	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
820	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
988	ksomisc.exe
1568	ksomisc.exe
668	wpscloudsvr.exe
1632	ksomisc.exe
1632	ksomisc.exe
1632	ksomisc.exe
1632	ksomisc.exe
1632	ksomisc.exe
1632	ksomisc.exe
1632	ksomisc.exe
1632	ksomisc.exe
1632	ksomisc.exe
1632	ksomisc.exe
1632	ksomisc.exe
1632	ksomisc.exe
1632	ksomisc.exe
1632	ksomisc.exe
1632	ksomisc.exe
1568	ksomisc.exe
1632	ksomisc.exe
1632	ksomisc.exe
1632	ksomisc.exe
1632	ksomisc.exe
1632	ksomisc.exe
1632	ksomisc.exe
1632	ksomisc.exe
1632	ksomisc.exe
392	regsvr32.exe
1536	regsvr32.exe
1632	ksomisc.exe
1632	ksomisc.exe
1420	ksomisc.exe
1420	ksomisc.exe
1420	ksomisc.exe
1420	ksomisc.exe
1420	ksomisc.exe
1420	ksomisc.exe
1420	ksomisc.exe
1420	ksomisc.exe
1420	ksomisc.exe
1148	ksomisc.exe
1148	ksomisc.exe
1148	ksomisc.exe
1148	ksomisc.exe
1148	ksomisc.exe
1148	ksomisc.exe
1148	ksomisc.exe
1148	ksomisc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe

pid process

1048 fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
Token: SeRestorePrivilege	1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
Token: SeRestorePrivilege	1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
Token: SeRestorePrivilege	1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
Token: SeRestorePrivilege	1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
Token: SeDebugPrivilege	988	ksomisc.exe
Token: SeDebugPrivilege	1568	ksomisc.exe
Token: SeDebugPrivilege	1632	ksomisc.exe
Token: SeDebugPrivilege	1420	ksomisc.exe
Token: SeDebugPrivilege	1148	ksomisc.exe
Token: SeDebugPrivilege	1744	ksomisc.exe
Token: SeDebugPrivilege	1268	ksomisc.exe
Token: SeDebugPrivilege	856	ksomisc.exe
Token: SeDebugPrivilege	588	ksomisc.exe
Token: SeDebugPrivilege	1528	ksomisc.exe
Token: SeDebugPrivilege	1328	ksomisc.exe
Token: SeDebugPrivilege	1268	ksomisc.exe
Token: SeDebugPrivilege	960	ksomisc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe

pid process

1048 fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

pid	process
1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
988	ksomisc.exe
1568	ksomisc.exe
1568	ksomisc.exe
1568	ksomisc.exe
1632	ksomisc.exe
1568	ksomisc.exe
1420	ksomisc.exe
1148	ksomisc.exe
1744	ksomisc.exe
1268	ksomisc.exe
856	ksomisc.exe
588	ksomisc.exe
1528	ksomisc.exe
1328	ksomisc.exe
1268	ksomisc.exe
960	ksomisc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

wps_office_inst.exefdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exefdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exeksomisc.exeregsvr32.exe

description	pid	process	target process
PID 2040 wrote to memory of 1048	2040	wps_office_inst.exe	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
PID 2040 wrote to memory of 1048	2040	wps_office_inst.exe	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
PID 2040 wrote to memory of 1048	2040	wps_office_inst.exe	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
PID 2040 wrote to memory of 1048	2040	wps_office_inst.exe	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
PID 2040 wrote to memory of 1048	2040	wps_office_inst.exe	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
PID 2040 wrote to memory of 1048	2040	wps_office_inst.exe	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
PID 2040 wrote to memory of 1048	2040	wps_office_inst.exe	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
PID 820 wrote to memory of 988	820	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 820 wrote to memory of 988	820	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 820 wrote to memory of 988	820	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 820 wrote to memory of 988	820	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 820 wrote to memory of 1568	820	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 820 wrote to memory of 1568	820	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 820 wrote to memory of 1568	820	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 820 wrote to memory of 1568	820	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 1048 wrote to memory of 668	1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe	wpscloudsvr.exe
PID 1048 wrote to memory of 668	1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe	wpscloudsvr.exe
PID 1048 wrote to memory of 668	1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe	wpscloudsvr.exe
PID 1048 wrote to memory of 668	1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe	wpscloudsvr.exe
PID 820 wrote to memory of 1632	820	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 820 wrote to memory of 1632	820	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 820 wrote to memory of 1632	820	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 820 wrote to memory of 1632	820	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 1632 wrote to memory of 392	1632	ksomisc.exe	regsvr32.exe
PID 1632 wrote to memory of 392	1632	ksomisc.exe	regsvr32.exe
PID 1632 wrote to memory of 392	1632	ksomisc.exe	regsvr32.exe
PID 1632 wrote to memory of 392	1632	ksomisc.exe	regsvr32.exe
PID 1632 wrote to memory of 392	1632	ksomisc.exe	regsvr32.exe
PID 1632 wrote to memory of 392	1632	ksomisc.exe	regsvr32.exe
PID 1632 wrote to memory of 392	1632	ksomisc.exe	regsvr32.exe
PID 1632 wrote to memory of 928	1632	ksomisc.exe	regsvr32.exe
PID 1632 wrote to memory of 928	1632	ksomisc.exe	regsvr32.exe
PID 1632 wrote to memory of 928	1632	ksomisc.exe	regsvr32.exe
PID 1632 wrote to memory of 928	1632	ksomisc.exe	regsvr32.exe
PID 1632 wrote to memory of 928	1632	ksomisc.exe	regsvr32.exe
PID 1632 wrote to memory of 928	1632	ksomisc.exe	regsvr32.exe
PID 1632 wrote to memory of 928	1632	ksomisc.exe	regsvr32.exe
PID 928 wrote to memory of 1536	928	regsvr32.exe	regsvr32.exe
PID 928 wrote to memory of 1536	928	regsvr32.exe	regsvr32.exe
PID 928 wrote to memory of 1536	928	regsvr32.exe	regsvr32.exe
PID 928 wrote to memory of 1536	928	regsvr32.exe	regsvr32.exe
PID 928 wrote to memory of 1536	928	regsvr32.exe	regsvr32.exe
PID 928 wrote to memory of 1536	928	regsvr32.exe	regsvr32.exe
PID 928 wrote to memory of 1536	928	regsvr32.exe	regsvr32.exe
PID 1632 wrote to memory of 1084	1632	ksomisc.exe	regsvr32.exe
PID 1632 wrote to memory of 1084	1632	ksomisc.exe	regsvr32.exe
PID 1632 wrote to memory of 1084	1632	ksomisc.exe	regsvr32.exe
PID 1632 wrote to memory of 1084	1632	ksomisc.exe	regsvr32.exe
PID 1632 wrote to memory of 1084	1632	ksomisc.exe	regsvr32.exe
PID 1632 wrote to memory of 1084	1632	ksomisc.exe	regsvr32.exe
PID 1632 wrote to memory of 1084	1632	ksomisc.exe	regsvr32.exe
PID 1048 wrote to memory of 1420	1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 1048 wrote to memory of 1420	1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 1048 wrote to memory of 1420	1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 1048 wrote to memory of 1420	1048	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 820 wrote to memory of 1148	820	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 820 wrote to memory of 1148	820	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 820 wrote to memory of 1148	820	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 820 wrote to memory of 1148	820	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 820 wrote to memory of 1744	820	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 820 wrote to memory of 1744	820	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 820 wrote to memory of 1744	820	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 820 wrote to memory of 1744	820	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 820 wrote to memory of 1268	820	fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe

C:\Users\Admin\AppData\Local\Temp\wps_office_inst.exe
"C:\Users\Admin\AppData\Local\Temp\wps_office_inst.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\wps_download\fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
"C:\Users\Admin\AppData\Local\Temp\wps_download\fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe" -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -createIcons -curlangofinstalledproduct=en_US -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048

C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:668

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe" groupCmd=LXJlZ210Zm9udA==##LXNldGFwcGNhcA==
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1420

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe" -assoepub
3⤵
- Executes dropped EXE
PID:1996

C:\Users\Admin\AppData\Local\Temp\wps_download\fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe
"C:\Users\Admin\AppData\Local\Temp\wps_download\fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe" -downpower -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -createIcons -curlangofinstalledproduct="en_US" -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -msgwndname=wpssetup_message_6D1CE4 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~6d07bf\
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:820

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe" -setlng en_US
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:988

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe" groupCmd=LWdldG9ubGluZXBhcmFtIDAwNjAxLjAwMDAxMDUyIC1mb3JjZXBlcnVzZXJtb2Rl##LWdldGFidGVzdCAtZm9yY2VwZXJ1c2VybW9kZQ==
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1568

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe" groupCmd=LXNldHNlcnZlcnM=##LXJlZ2lzdGVy
2⤵
- Executes dropped EXE
- Registers COM server for autorun
- Checks computer location settings
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\kmso2pdfplugins.dll"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:392

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\kmso2pdfplugins64.dll"
3⤵
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\kmso2pdfplugins64.dll"
4⤵
- Registers COM server for autorun
- Suspicious behavior: EnumeratesProcesses
PID:1536

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\addons\html2pdf\html2pdf.dll" /s
3⤵
PID:1084

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe" groupCmd=LUFzc293b3Jk##LUFzc29leGNlbA==##LUFzc29wb3dlcnBudA==##LWNvbXBhdGlibGVtc28=##LWNoZWNrY29tcGF0aWJsZW1zbw==##LXNhdmVhc19tc28=##LWRpc3RzcmMgMDA2MDEuMDAwMDEwNTI=
2⤵
- Executes dropped EXE
- Registers COM server for autorun
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1148

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe" -sendinstalldyn 5
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1744

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe" groupCmd=LWNyZWF0ZWV4dGVybnN0YXJ0bWVudSAiV1BTIE9mZmljZSI=##LXVwZGF0ZXRhc2tiYXJwaW4gMTA0ODU3NiAtZm9yY2VwZXJ1c2VybW9kZQ==
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1268

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe" -externaltask create -forceperusermode
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:856

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask
3⤵
- Executes dropped EXE
PID:1884

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\wps.exe" CheckService
4⤵
- Executes dropped EXE
PID:632

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/11.2.0.11440/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=1884 /prv
4⤵
- Executes dropped EXE
PID:432

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe" -createsubmodulelink startmenu "WPS Office" prometheus
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:588

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe" groupCmd=LWNyZWF0ZXN1Ym1vZHVsZWxpbmsgc3RhcnRtZW51ICJXUFMgT2ZmaWNlIiBwZGY=##LWNyZWF0ZXN1Ym1vZHVsZWxpbmsgZGVza3RvcCBwZGY=
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1528

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe" -createsubmodulelink desktop prometheus
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1328

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe" -createCustomDestList
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1268

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\kwpsmenushellext64.dll"
2⤵
PID:1084

C:\Windows\system32\regsvr32.exe
/s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\kwpsmenushellext64.dll"
3⤵
- Modifies system executable filetype association
- Registers COM server for autorun
PID:1960

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe" -Assopdf
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\MSVCP140.dll

Filesize
439KB

MD5
5fd0772c30a923159055e87395f96d86

SHA1
4a20f687c84eb327e3cb7a4a60fe597666607cf3

SHA256
02c7259456eac8cbadfb460377ba68e98282400c7a4a9d0bf49b3313ef6d554d

SHA512
132a9b969104c0a214bde3f8c6e8f754d116cecdad55224bbea7a40cffd98f4e4de503d83d92cca0aaab9ed51c9efa00ad5caed69a9eda71013598a43b161c3a

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\Qt5CoreKso.dll

Filesize
5.0MB

MD5
5956ea87f817775966fc4d499cf47f39

SHA1
790ecaac665de2cd781dfeaed3cd97d5f70965f9

SHA256
8fd5bbca9452dab9b425d8dbc75d1e5227bf1339b6d1908b4b3abb6fff798b7d

SHA512
f7fe404ff3e40fc93a5dbe29c84289f60c55069a79ff015ead8272a5f9f005a91f8ee38643fb10c79ce2a7361d3b0e8af38481988155692318fe6d342937f813

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\Qt5XmlKso.dll

Filesize
169KB

MD5
3941a10c8e8fb137315baca770edeee1

SHA1
5c5f61da37a68b822ce62d652e494c951f191e7b

SHA256
0d82525623b11772a614d5c64ce5c544b2adce979990a8bf0e88a8cb26cefb67

SHA512
0448c9db272bf6727e2a99fa5a272881771efea1ecba51a961c7b0bda8daaf5bd6f9f0d740204c368e59f90ad86b4e9da9fc8a9dca935883b92b33b36c664d5f

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\VCRUNTIME140.dll

Filesize
81KB

MD5
e51018e4985943c51ff91471f8906504

SHA1
5899aaccdb692dbdffdaa35436c47d17c130cfd0

SHA256
ff9c1123cff493a8f5eacb91115611b6c1c808b30c82af9b6f388c0ef1f6b46d

SHA512
2fe5ddad2100aeaea35398384a440ba0be169ef429f7e0b69687bc0f8865df41bc93fc80d3a8f0ddd9df54fc2f2d76b1056a1d1962d37432704c818128ffbd74

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
cd3cec3d65ae62fdf044f720245f29c0

SHA1
c4643779a0f0f377323503f2db8d2e4d74c738ca

SHA256
676a6da661e0c02e72bea510f5a48cae71fdc4da0b1b089c24bff87651ec0141

SHA512
aca1029497c5a9d26ee09810639278eb17b8fd11b15c9017c8b578fced29cef56f172750c4cc2b0d1ebf8683d29e15de52a6951fb23d78712e31ddcb41776b0f

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
21519f4d5f1fea53532a0b152910ef8b

SHA1
7833ac2c20263c8be42f67151f9234eb8e4a5515

SHA256
5fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1

SHA512
97211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
b5c8334a10b191031769d5de01df9459

SHA1
83a8fcc777c7e8c42fa4c59ee627baf6cbed1969

SHA256
6c27ac0542281649ec8638602fbc24f246424ba550564fc7b290b683f79e712d

SHA512
59e53c515dfa2cd96182ca6539ed0ea2ebb01f5991beb08166d1fc53576aeaafebbb2c5ee0ccbdab60ae45fc6a048fff0b5e1b8c9c26907791d31fb7e75b1f39

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
86421619dad87870e5f3cc0beb1f7963

SHA1
2f0fe3eb94fa90577846d49c03c4fd08ef9d3fb2

SHA256
64eccd818f6ffc13f57a2ec5ca358b401ffbb1ca13b0c523d479ef5ee9eb44ab

SHA512
dbce9904dd5a403a5a69e528ee1179cc5faab1361715a29b1a0de0cd33ad3ae9c9d5620dafb161fda86cb27909d001be8955940fd051077ffe6f3ff82357ad31

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
4f06da894ea013a5e18b8b84a9836d5a

SHA1
40cf36e07b738aa8bba58bc5587643326ff412a9

SHA256
876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732

SHA512
1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe

Filesize
2.4MB

MD5
926afdb403e734295fcba8fad08a2804

SHA1
049fdddcc28604780c43b6f92ead061e4154abb6

SHA256
e8399cd46f5806254f10bf0a125bc2a293bacbdf3ffc48cb3bd6ef3161709ad5

SHA512
fcf35cc443d87b695e5da4cb7e7cd4829236aa91bb90435f0aadec7711cd636b8d06c098f95f1a8605dde914a8226546493a07280c848a8935fcc6966596d9b5

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe

Filesize
2.4MB

MD5
926afdb403e734295fcba8fad08a2804

SHA1
049fdddcc28604780c43b6f92ead061e4154abb6

SHA256
e8399cd46f5806254f10bf0a125bc2a293bacbdf3ffc48cb3bd6ef3161709ad5

SHA512
fcf35cc443d87b695e5da4cb7e7cd4829236aa91bb90435f0aadec7711cd636b8d06c098f95f1a8605dde914a8226546493a07280c848a8935fcc6966596d9b5

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ucrtbase.DLL

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps_download\fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe

Filesize
214.1MB

MD5
03839e637f15814f19f626084e9f03fe

SHA1
17a0626ed49eaf774836930f50bf9df471574588

SHA256
33438870b8b53bc50a5f4dc5d9e850ae001f4c06e8e9fa7e84a41aad3a09971f

SHA512
620898c92867b05da397a95f9ba946903a1dfe506f4661d7764a079e670e0a021b97b5a00e9922beaaa36b30d052d48563c05059023f9b8f58ca29ea4a8e222b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps_download\fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe

Filesize
214.1MB

MD5
03839e637f15814f19f626084e9f03fe

SHA1
17a0626ed49eaf774836930f50bf9df471574588

SHA256
33438870b8b53bc50a5f4dc5d9e850ae001f4c06e8e9fa7e84a41aad3a09971f

SHA512
620898c92867b05da397a95f9ba946903a1dfe506f4661d7764a079e670e0a021b97b5a00e9922beaaa36b30d052d48563c05059023f9b8f58ca29ea4a8e222b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps_download\fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe

Filesize
214.1MB

MD5
03839e637f15814f19f626084e9f03fe

SHA1
17a0626ed49eaf774836930f50bf9df471574588

SHA256
33438870b8b53bc50a5f4dc5d9e850ae001f4c06e8e9fa7e84a41aad3a09971f

SHA512
620898c92867b05da397a95f9ba946903a1dfe506f4661d7764a079e670e0a021b97b5a00e9922beaaa36b30d052d48563c05059023f9b8f58ca29ea4a8e222b

Download Submit
C:\Users\Admin\AppData\Local\tempinstall.ini

Filesize
414B

MD5
b287d41456dd89914ef14a33cb0fa26e

SHA1
c3954435bdd0f8215a1c931db725c6663190e20a

SHA256
d21e50e16e021ec5b05df4a77bae6a587990b91e0c7acfa0c2c633e3309aef1c

SHA512
80402030afb64a37259a1e15a4da9a4922a7076e76b0fb0d8060e66ff8f0ed163413de6d8628e430b3b80dffb2badd8fcd9bffff192fb289cf9648497a981b26

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
35KB

MD5
8c8afaffe762b2bc5d5f8b18ba7b50f0

SHA1
9f82f3176d0d0c43418b92a473f43f8c4dd5d88b

SHA256
4d98a4b39065cec360030595da5dfd8e8f75e691484d9a804d2fe82d0a69c1b9

SHA512
7b9a86da9d5998492bb3d5922657e0cc6dccc7939686e0c9e35bc58730ff522d96cb393fdfbc00f2b1c66045f4fec4e5d6a77d1811ea8ca87bf26d9bd83df8e4

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
50KB

MD5
2ba50318d34ae6586b86b1dc9d7a1605

SHA1
3f5748329bd5a9a5a0ad429d8874f254524989a1

SHA256
9e70563d182add58e82df2ec886a541dba333c963e6d58a7bcd77a44063e6682

SHA512
e10983f0f8d9cfb57c0d98bdeb02dac48204c80fea3962b26c082c359bc63bbd562569c67ebcc725e3c2fc5ec801b64d59d3b7876dacc0e87c5725fa4a05e450

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
70KB

MD5
f360695fd11bcbf543afb1bd931c4d8d

SHA1
6970593394da768a6f87b18036257b4de81fe8d1

SHA256
1ada1dc4e183dfcb90b3318d7269a16e96f760d1f89f2efc5b0d7f8135fc864a

SHA512
05fd5d5c4fa0a5d4255b8083fcdb6cd03f302568bd7ede6c2a648c5366ed2481cde2740d2b00bafd2c6073b6c112b9fef38ad0236945686a21b132449066e097

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
70KB

MD5
f360695fd11bcbf543afb1bd931c4d8d

SHA1
6970593394da768a6f87b18036257b4de81fe8d1

SHA256
1ada1dc4e183dfcb90b3318d7269a16e96f760d1f89f2efc5b0d7f8135fc864a

SHA512
05fd5d5c4fa0a5d4255b8083fcdb6cd03f302568bd7ede6c2a648c5366ed2481cde2740d2b00bafd2c6073b6c112b9fef38ad0236945686a21b132449066e097

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
70KB

MD5
f360695fd11bcbf543afb1bd931c4d8d

SHA1
6970593394da768a6f87b18036257b4de81fe8d1

SHA256
1ada1dc4e183dfcb90b3318d7269a16e96f760d1f89f2efc5b0d7f8135fc864a

SHA512
05fd5d5c4fa0a5d4255b8083fcdb6cd03f302568bd7ede6c2a648c5366ed2481cde2740d2b00bafd2c6073b6c112b9fef38ad0236945686a21b132449066e097

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
70KB

MD5
f360695fd11bcbf543afb1bd931c4d8d

SHA1
6970593394da768a6f87b18036257b4de81fe8d1

SHA256
1ada1dc4e183dfcb90b3318d7269a16e96f760d1f89f2efc5b0d7f8135fc864a

SHA512
05fd5d5c4fa0a5d4255b8083fcdb6cd03f302568bd7ede6c2a648c5366ed2481cde2740d2b00bafd2c6073b6c112b9fef38ad0236945686a21b132449066e097

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\dcsdk\dcsdk_eventv3.db

Filesize
16KB

MD5
3533d8a1e13ffe8ca6b01c2dfbefb167

SHA1
d32179d743a69cc90393c6457087c62c6e8dbcd1

SHA256
f77cb512848a8c43e524f9940d68a70bf6b189ccec545b2846aa40155d2edcaf

SHA512
8073d3d0a7bc33c2be542d5a9bada39b2757500b2065df06eb18a0f25615cfb69a587f26832c66f8d7f7c41690ab2c5e06aaeff63146a0f4aaab36ddeb779baf

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\Qt5CoreKso.dll

Filesize
5.0MB

MD5
5956ea87f817775966fc4d499cf47f39

SHA1
790ecaac665de2cd781dfeaed3cd97d5f70965f9

SHA256
8fd5bbca9452dab9b425d8dbc75d1e5227bf1339b6d1908b4b3abb6fff798b7d

SHA512
f7fe404ff3e40fc93a5dbe29c84289f60c55069a79ff015ead8272a5f9f005a91f8ee38643fb10c79ce2a7361d3b0e8af38481988155692318fe6d342937f813

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\Qt5XmlKso.dll

Filesize
169KB

MD5
3941a10c8e8fb137315baca770edeee1

SHA1
5c5f61da37a68b822ce62d652e494c951f191e7b

SHA256
0d82525623b11772a614d5c64ce5c544b2adce979990a8bf0e88a8cb26cefb67

SHA512
0448c9db272bf6727e2a99fa5a272881771efea1ecba51a961c7b0bda8daaf5bd6f9f0d740204c368e59f90ad86b4e9da9fc8a9dca935883b92b33b36c664d5f

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
cd3cec3d65ae62fdf044f720245f29c0

SHA1
c4643779a0f0f377323503f2db8d2e4d74c738ca

SHA256
676a6da661e0c02e72bea510f5a48cae71fdc4da0b1b089c24bff87651ec0141

SHA512
aca1029497c5a9d26ee09810639278eb17b8fd11b15c9017c8b578fced29cef56f172750c4cc2b0d1ebf8683d29e15de52a6951fb23d78712e31ddcb41776b0f

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
21519f4d5f1fea53532a0b152910ef8b

SHA1
7833ac2c20263c8be42f67151f9234eb8e4a5515

SHA256
5fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1

SHA512
97211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
b5c8334a10b191031769d5de01df9459

SHA1
83a8fcc777c7e8c42fa4c59ee627baf6cbed1969

SHA256
6c27ac0542281649ec8638602fbc24f246424ba550564fc7b290b683f79e712d

SHA512
59e53c515dfa2cd96182ca6539ed0ea2ebb01f5991beb08166d1fc53576aeaafebbb2c5ee0ccbdab60ae45fc6a048fff0b5e1b8c9c26907791d31fb7e75b1f39

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
86421619dad87870e5f3cc0beb1f7963

SHA1
2f0fe3eb94fa90577846d49c03c4fd08ef9d3fb2

SHA256
64eccd818f6ffc13f57a2ec5ca358b401ffbb1ca13b0c523d479ef5ee9eb44ab

SHA512
dbce9904dd5a403a5a69e528ee1179cc5faab1361715a29b1a0de0cd33ad3ae9c9d5620dafb161fda86cb27909d001be8955940fd051077ffe6f3ff82357ad31

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
4f06da894ea013a5e18b8b84a9836d5a

SHA1
40cf36e07b738aa8bba58bc5587643326ff412a9

SHA256
876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732

SHA512
1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ksomisc.exe

Filesize
2.4MB

MD5
926afdb403e734295fcba8fad08a2804

SHA1
049fdddcc28604780c43b6f92ead061e4154abb6

SHA256
e8399cd46f5806254f10bf0a125bc2a293bacbdf3ffc48cb3bd6ef3161709ad5

SHA512
fcf35cc443d87b695e5da4cb7e7cd4829236aa91bb90435f0aadec7711cd636b8d06c098f95f1a8605dde914a8226546493a07280c848a8935fcc6966596d9b5

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\msvcp140.dll

Filesize
439KB

MD5
5fd0772c30a923159055e87395f96d86

SHA1
4a20f687c84eb327e3cb7a4a60fe597666607cf3

SHA256
02c7259456eac8cbadfb460377ba68e98282400c7a4a9d0bf49b3313ef6d554d

SHA512
132a9b969104c0a214bde3f8c6e8f754d116cecdad55224bbea7a40cffd98f4e4de503d83d92cca0aaab9ed51c9efa00ad5caed69a9eda71013598a43b161c3a

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\ucrtbase.dll

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11440\office6\vcruntime140.dll

Filesize
81KB

MD5
e51018e4985943c51ff91471f8906504

SHA1
5899aaccdb692dbdffdaa35436c47d17c130cfd0

SHA256
ff9c1123cff493a8f5eacb91115611b6c1c808b30c82af9b6f388c0ef1f6b46d

SHA512
2fe5ddad2100aeaea35398384a440ba0be169ef429f7e0b69687bc0f8865df41bc93fc80d3a8f0ddd9df54fc2f2d76b1056a1d1962d37432704c818128ffbd74

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6d07bf\CONTROL\office6\Qt5CoreKso.dll

Filesize
5.0MB

MD5
5956ea87f817775966fc4d499cf47f39

SHA1
790ecaac665de2cd781dfeaed3cd97d5f70965f9

SHA256
8fd5bbca9452dab9b425d8dbc75d1e5227bf1339b6d1908b4b3abb6fff798b7d

SHA512
f7fe404ff3e40fc93a5dbe29c84289f60c55069a79ff015ead8272a5f9f005a91f8ee38643fb10c79ce2a7361d3b0e8af38481988155692318fe6d342937f813

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6d07bf\CONTROL\office6\Qt5GuiKso.dll

Filesize
5.3MB

MD5
4f55443a780817d96f12a1ac1a280ee0

SHA1
e99ca8656a876e0adf87fff3d5404808e993dd65

SHA256
6cc010b82af986ae52c59b6763d36fc32610165bc1a07215f2d18749e02a740d

SHA512
feb5e2b9ad6d390f420f8eb4db8081f241387663bbc9caa065f1637cf0566add3ca28a37543e5198d136eb0f130f941a11e34a3f6a503f416e6496f785dea945

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6d07bf\CONTROL\office6\Qt5SvgKso.dll

Filesize
363KB

MD5
2f62986d22fe1b092167d329f277fa50

SHA1
b1795538d9d873e637139986f51f14c68086f9b5

SHA256
fcb80ca8ae3495917a8974ba1d4b6793f61cc6c8e4e154e88179224929db47a3

SHA512
e68598534d7232ba02ab6b3149522fab2e7e33291f7d3407a6a5d8187d30f560c109a9a4e933544ab01eefe353728207f40c9411413b5e1abbad650d3751f63a

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6d07bf\CONTROL\office6\Qt5WidgetsKso.dll

Filesize
4.4MB

MD5
30ff0c5b79066969d50de8a74a62ee1b

SHA1
d1bd67ca1cb35825f11bd7c1e079bbff13d9eefb

SHA256
72f002ab4cd35fdb5a12a66e4c532110b60668ee5835dc6a65f1824f036d1d24

SHA512
4d65d2094162a090f64d51efc8caa80bcdb15ca8852944691c937500f619c36c06101d7d4e2cfcc62e7a844fa51c2f5311b0ec30d57ed2da4fddb7e0ea4b7f25

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6d07bf\CONTROL\office6\Qt5WinExtrasKso.dll

Filesize
392KB

MD5
d7c98fd96ec0088c1e0a0e0d3593aff0

SHA1
5ad37d96967180e7f40b185133885b10ab7ed99d

SHA256
bce5bd0e9a5914086e6acb68dc510d40ad99853c878c6ce52560a841c8a05f7e

SHA512
a51c0e22d042b6ed9389efcad75e7ddc2d3d008270475f393b4e032008128404194f7eae7c13f267ab71b86f0a0b8f624c53e428423975fff2a60883ef2b9c3c

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6d07bf\CONTROL\office6\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
cd3cec3d65ae62fdf044f720245f29c0

SHA1
c4643779a0f0f377323503f2db8d2e4d74c738ca

SHA256
676a6da661e0c02e72bea510f5a48cae71fdc4da0b1b089c24bff87651ec0141

SHA512
aca1029497c5a9d26ee09810639278eb17b8fd11b15c9017c8b578fced29cef56f172750c4cc2b0d1ebf8683d29e15de52a6951fb23d78712e31ddcb41776b0f

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6d07bf\CONTROL\office6\api-ms-win-core-file-l2-1-0.dll

Filesize
10KB

MD5
b181124928d8eb7b6caa0c2c759155cb

SHA1
1aadbbd43eff2df7bab51c6f3bda2eb2623b281a

SHA256
24ea638dfa9f40e2f395e26e36d308db2ab25ed1baa5c796ac2c560ad4c89d77

SHA512
2a43bf4d50d47924374cde689be24799c4e1c132c0bc981f5109952d3322e91dd5a9352b53bb55ca79a6ea92e2c387e87c064b9d8c8f519b77fff973d752dc8f

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6d07bf\CONTROL\office6\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
21519f4d5f1fea53532a0b152910ef8b

SHA1
7833ac2c20263c8be42f67151f9234eb8e4a5515

SHA256
5fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1

SHA512
97211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6d07bf\CONTROL\office6\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
b5c8334a10b191031769d5de01df9459

SHA1
83a8fcc777c7e8c42fa4c59ee627baf6cbed1969

SHA256
6c27ac0542281649ec8638602fbc24f246424ba550564fc7b290b683f79e712d

SHA512
59e53c515dfa2cd96182ca6539ed0ea2ebb01f5991beb08166d1fc53576aeaafebbb2c5ee0ccbdab60ae45fc6a048fff0b5e1b8c9c26907791d31fb7e75b1f39

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6d07bf\CONTROL\office6\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
86421619dad87870e5f3cc0beb1f7963

SHA1
2f0fe3eb94fa90577846d49c03c4fd08ef9d3fb2

SHA256
64eccd818f6ffc13f57a2ec5ca358b401ffbb1ca13b0c523d479ef5ee9eb44ab

SHA512
dbce9904dd5a403a5a69e528ee1179cc5faab1361715a29b1a0de0cd33ad3ae9c9d5620dafb161fda86cb27909d001be8955940fd051077ffe6f3ff82357ad31

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6d07bf\CONTROL\office6\api-ms-win-crt-convert-l1-1-0.dll

Filesize
14KB

MD5
88f89d0f2bd5748ed1af75889e715e6a

SHA1
8ada489b9ff33530a3fb7161cc07b5b11dfb8909

SHA256
02c78781bf6cc5f22a0ecedc3847bfd20bed4065ac028c386d063dc2318c33cc

SHA512
1f5a00284ca1d6dc6ae2dfce306febfa6d7d71d421583e4ce6890389334c2d98291e98e992b58136f5d1a41590553e3ad42fb362247ae8adf60e33397afbb5df

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6d07bf\CONTROL\office6\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
0979785e3ef8137cdd47c797adcb96e3

SHA1
4051c6eb37a4c0dba47b58301e63df76bff347dd

SHA256
d5164aecde4523ffa2dcfd0315b49428ac220013132ad48422a8ea4ca2361257

SHA512
e369bc53babd327f5d1b9833c0b8d6c7e121072ad81d4ba1fb3e2679f161fb6a9fa2fca0df0bac532fd439beb0d754583582d1dbfeccf2d38cc4f3bdca39b52d

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6d07bf\CONTROL\office6\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
12KB

MD5
a1b6cebd3d7a8b25b9a9cbc18d03a00c

SHA1
5516de099c49e0e6d1224286c3dc9b4d7985e913

SHA256
162ccf78fa5a4a2ee380f72fbd54d17a73c929a76f6e3659f537fa8f42602362

SHA512
a322fb09e6faaff0daabb4f0284e4e90ccacff27161dbfd77d39a9a93dbf30069b9d86bf15a07fc2006a55af2c35cd8ea544895c93e2e1697c51f2dafad5a9d7

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6d07bf\CONTROL\office6\api-ms-win-crt-heap-l1-1-0.dll

Filesize
11KB

MD5
a6a9dfb31be2510f6dbfedd476c6d15a

SHA1
cdb6d8bd1fbd1c71d85437cff55ddeb76139dbe7

SHA256
150d32b77b2d7f49c8d4f44b64a90d7a0f9df0874a80fc925daf298b038a8e4c

SHA512
b4f0e8fa148fac8a94e04bf4b44f2a26221d943cc399e7f48745ed46e8b58c52d9126110cdf868ebb723423fb0e304983d24fe6608d3757a43ad741bddb3b7ec

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6d07bf\CONTROL\office6\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
50b721a0c945abe3edca6bcee2a70c6c

SHA1
f35b3157818d4a5af3486b5e2e70bb510ac05eff

SHA256
db495c7c4ad2072d09b2d4506b3a50f04487ad8b27d656685ea3fa5d9653a21d

SHA512
ef2f6d28d01a5bad7c494851077d52f22a11514548c287e513f4820c23f90020a0032e2da16cc170ae80897ae45fc82bffc9d18afb2ae1a7b1da6eef56240840

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6d07bf\CONTROL\office6\api-ms-win-crt-math-l1-1-0.dll

Filesize
21KB

MD5
461d5af3277efb5f000b9df826581b80

SHA1
935b00c88c2065f98746e2b4353d4369216f1812

SHA256
f9ce464b89dd8ea1d5e0b852369fe3a8322b4b9860e5ae401c9a3b797aed17bf

SHA512
229bf31a1de1e84cf238a0dfe0c3a13fee86da94d611fbc8fdb65086dee6a8b1a6ba37c44c5826c3d8cfa120d0fba9e690d31c5b4e73f98c8362b98be1ee9600

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6d07bf\CONTROL\office6\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
4f06da894ea013a5e18b8b84a9836d5a

SHA1
40cf36e07b738aa8bba58bc5587643326ff412a9

SHA256
876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732

SHA512
1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6d07bf\CONTROL\office6\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
16KB

MD5
5765103e1f5412c43295bd752ccaea03

SHA1
6913bf1624599e55680a0292e22c89cab559db81

SHA256
8f7ace43040fa86e972cc74649d3e643d21e4cad6cb86ba78d4c059ed35d95e4

SHA512
5844ac30bc73b7ffba75016abefb8a339e2f2822fc6e1441f33f70b6eb7114f828167dfc34527b0fb5460768c4de7250c655bc56efd8ba03115cd2dd6f6c91c0

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6d07bf\CONTROL\office6\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
f364190706414020c02cf4d531e0229d

SHA1
5899230b0d7ad96121c3be0df99235ddd8a47dc6

SHA256
a797c0d43a52e7c8205397225ac931638d73b567683f38dd803195da9d34eac2

SHA512
a9c8abbd846ab55942f440e905d1f3864b82257b8daa44c784b1997a060de0c0439ecc25a2193032d4d85191535e9253e435deed23bdf3d3cb48c4209005a02e

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6d07bf\CONTROL\office6\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
d0b6a2caec62f5477e4e36b991563041

SHA1
8396e1e02dace6ae4dde33b3e432a3581bc38f5d

SHA256
fd44d833ea40d50981b3151535618eb57b5513ed824a9963251d07abff2baedf

SHA512
69bd6df96de99e6ab9c12d8a1024d20a034a7db3e2b62e8be7fdbc838c4e9001d2497b04209e07a5365d00366c794c31ee89b133304e475dde5f92fdb7fcb0bc

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6d07bf\CONTROL\office6\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
3dfb82541979a23a9deb5fd4dcfb6b22

SHA1
5da1d02b764917b38fdc34f4b41fb9a599105dd9

SHA256
0cd6d0ff0ff5ecf973f545e98b68ac6038db5494a8990c3b77b8a95b664b6feb

SHA512
f9a20b3d44d39d941fa131c3a1db37614a2f9b2af7260981a0f72c69f82a5326901f70a56b5f7ad65862630fce59b02f650a132ee7ecfe2e4fc80f694483ca82

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6d07bf\CONTROL\office6\kpacketui.dll

Filesize
2.9MB

MD5
216b6a3b7935bef92dc9a4d98b25230d

SHA1
a4d8e351cf65928a0824b36ddf555bf259dcd1a6

SHA256
8d00a6866f49881f040bccfe254a76a6dd8a70010af3f8146229d320a294ea04

SHA512
1c5a210d53d2495c08c04de22f4d3a618fdf8613c1ae348cf16e9ee427d670fad0c98dd607c6d160c9b11fd072af63c8285c61efe425e617b9fffbc6f4243815

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6d07bf\CONTROL\office6\msvcp140.dll

Filesize
439KB

MD5
5fd0772c30a923159055e87395f96d86

SHA1
4a20f687c84eb327e3cb7a4a60fe597666607cf3

SHA256
02c7259456eac8cbadfb460377ba68e98282400c7a4a9d0bf49b3313ef6d554d

SHA512
132a9b969104c0a214bde3f8c6e8f754d116cecdad55224bbea7a40cffd98f4e4de503d83d92cca0aaab9ed51c9efa00ad5caed69a9eda71013598a43b161c3a

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6d07bf\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll

Filesize
60KB

MD5
9065219684c7c0cd0e37e778ccb99d94

SHA1
e00e3af1f850f87f5fbbeedcb3539431433c7b07

SHA256
cdc8efa7425482be5dd05330a7df975eafccf9ad1f387141fb9a32b04b91ffeb

SHA512
f03d077992f7d4c16b63b5676bd74a8b57125b0dfc045e793121e494bf08877d42c8c91ff82412e1496045ba70442f67f8aba12e77ada26ab39eff9f18510e63

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6d07bf\CONTROL\office6\qt\plugins\imageformats\qsvg.dll

Filesize
40KB

MD5
ac3b8fbf05ad7d2b26d53265aa3dda06

SHA1
fc676599c98ec8ddc5e44b921d27b866cdc9ec46

SHA256
4767fcf42958de6a6e5af87e74874590e00d722f7ee4d637d8840e4c2badfdac

SHA512
28e8e51ca3443524d65e5fe6b356194338e06e72c5e7b85520cef4ab3ddcf136002f373b10baa596127028870c5e71b60d4e92959a171e169fe2eb3710cadc21

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6d07bf\CONTROL\office6\qt\plugins\platforms\qwindows.dll

Filesize
1.3MB

MD5
eec5bcacc08e29a2ef1c29278645c361

SHA1
22825e6b31d8e3622e7ddf98180da38373b8d933

SHA256
adb0c17097ad7d8518b4d72df63b2250a0a12fe86522fa554bdf7722eb3ffe41

SHA512
bfd50397f580ac2466e8752a370635d2930a30dbfddacfa99465376d7598e9ccf5de2bf0d18e1fe1d444dfc94c95144e1add77469683725deb418fda28df1264

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6d07bf\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll

Filesize
145KB

MD5
04a2d77fc88120f0fb70d8b81ddf4ddb

SHA1
a34c078a108a7e1f873852d2995c7cac214b0bb5

SHA256
429867c28bace9800de91e1eba18c482cc23872cd4461734959609469277bc67

SHA512
a6b9ae21b9dfcfec2f13f610e8a02badad00619a2ebaebdf18c388d4dc577466326bc8587bcdd002771da92a3f5ca4b4d125b4791523b2137e03a1b7b8c402d1

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6d07bf\CONTROL\office6\ucrtbase.dll

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6d07bf\CONTROL\office6\vcruntime140.dll

Filesize
81KB

MD5
e51018e4985943c51ff91471f8906504

SHA1
5899aaccdb692dbdffdaa35436c47d17c130cfd0

SHA256
ff9c1123cff493a8f5eacb91115611b6c1c808b30c82af9b6f388c0ef1f6b46d

SHA512
2fe5ddad2100aeaea35398384a440ba0be169ef429f7e0b69687bc0f8865df41bc93fc80d3a8f0ddd9df54fc2f2d76b1056a1d1962d37432704c818128ffbd74

Download Submit
\Users\Admin\AppData\Local\Temp\wps_download\fdef099949f9e3a52a5324f75baa5d80-14_setup_XA_mui_Free.exe.601.1052.exe

Filesize
214.1MB

MD5
03839e637f15814f19f626084e9f03fe

SHA1
17a0626ed49eaf774836930f50bf9df471574588

SHA256
33438870b8b53bc50a5f4dc5d9e850ae001f4c06e8e9fa7e84a41aad3a09971f

SHA512
620898c92867b05da397a95f9ba946903a1dfe506f4661d7764a079e670e0a021b97b5a00e9922beaaa36b30d052d48563c05059023f9b8f58ca29ea4a8e222b

Download Submit
memory/392-139-0x000000006E650000-0x000000006E660000-memory.dmp

Filesize
64KB

Download
memory/392-140-0x000000006E670000-0x000000006E680000-memory.dmp

Filesize
64KB

Download
memory/392-137-0x0000000000000000-mapping.dmp

Download
memory/432-174-0x0000000000000000-mapping.dmp

Download
memory/588-180-0x00000000371F0000-0x0000000037200000-memory.dmp

Filesize
64KB

Download
memory/588-177-0x0000000000000000-mapping.dmp

Download
memory/632-172-0x0000000000000000-mapping.dmp

Download
memory/668-131-0x0000000000000000-mapping.dmp

Download
memory/856-165-0x0000000000000000-mapping.dmp

Download
memory/928-141-0x0000000000000000-mapping.dmp

Download
memory/960-197-0x0000000000000000-mapping.dmp

Download
memory/988-124-0x000000006E110000-0x00000000710B8000-memory.dmp

Filesize
47.7MB

Download
memory/988-101-0x0000000000000000-mapping.dmp

Download
memory/988-125-0x00000000371F0000-0x0000000037200000-memory.dmp

Filesize
64KB

Download
memory/1048-56-0x0000000000000000-mapping.dmp

Download
memory/1084-147-0x0000000000000000-mapping.dmp

Download
memory/1084-193-0x0000000000000000-mapping.dmp

Download
memory/1148-153-0x0000000000000000-mapping.dmp

Download
memory/1148-156-0x00000000371F0000-0x0000000037200000-memory.dmp

Filesize
64KB

Download
memory/1268-161-0x0000000000000000-mapping.dmp

Download
memory/1268-189-0x0000000000000000-mapping.dmp

Download
memory/1328-185-0x0000000000000000-mapping.dmp

Download
memory/1328-188-0x00000000371F0000-0x0000000037200000-memory.dmp

Filesize
64KB

Download
memory/1420-149-0x0000000000000000-mapping.dmp

Download
memory/1420-151-0x00000000699B0000-0x000000006C958000-memory.dmp

Filesize
47.7MB

Download
memory/1528-184-0x00000000371F0000-0x0000000037200000-memory.dmp

Filesize
64KB

Download
memory/1528-181-0x0000000000000000-mapping.dmp

Download
memory/1536-146-0x0000000036F60000-0x0000000036F70000-memory.dmp

Filesize
64KB

Download
memory/1536-144-0x000007FEFB881000-0x000007FEFB883000-memory.dmp

Filesize
8KB

Download
memory/1536-143-0x0000000000000000-mapping.dmp

Download
memory/1536-145-0x0000000036EE0000-0x0000000036EF0000-memory.dmp

Filesize
64KB

Download
memory/1568-128-0x000000006DED0000-0x0000000070E78000-memory.dmp

Filesize
47.7MB

Download
memory/1568-126-0x0000000000000000-mapping.dmp

Download
memory/1568-130-0x00000000006A0000-0x00000000006B0000-memory.dmp

Filesize
64KB

Download
memory/1632-133-0x0000000000000000-mapping.dmp

Download
memory/1744-160-0x00000000371F0000-0x0000000037200000-memory.dmp

Filesize
64KB

Download
memory/1744-157-0x0000000000000000-mapping.dmp

Download
memory/1884-169-0x0000000000000000-mapping.dmp

Download
memory/1960-195-0x0000000000000000-mapping.dmp

Download
memory/1996-201-0x0000000000000000-mapping.dmp

Download
memory/2040-54-0x00000000753F1000-0x00000000753F3000-memory.dmp

Filesize
8KB

Download