0921eabc66a4d48e29977c5ff24af134c32902ef1261edf7c72997f69fe368e9

Resubmissions

24-05-2023 02:38

230524-c4r4asad53 6

Analysis

max time kernel
300s
max time network
302s
platform
windows10-1703_x64
resource
win10-20230220-es
resource tags

arch:x64arch:x86image:win10-20230220-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
24-05-2023 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wps_office_inst.exe
Size

5.2MB
MD5

7378ff57810991a9ad40afd43f990e82
SHA1

0aa6ccab2821f5b04cfee34e593d5d77780a2a26
SHA256

0921eabc66a4d48e29977c5ff24af134c32902ef1261edf7c72997f69fe368e9
SHA512

30168609800005f3341cbefdf8a159fe2ab1f8e086c0c4232276fb12c2ab973a96844894d3212e7e62f8a22cab2745658c2d3a0222e335169162e1d520495553
SSDEEP

98304:X4C9MhD0WgRTGcrafnOSqJcA2r9Guklwty0I1BYFo/xjLC:XaD0WgBfrayU9DFt7ITxC

Score

6^/10

bootkit discovery evasion persistence trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

wpscloudsvr.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wpscloudsvr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wpscloudsvr.exe

Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exed53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exeksomisc.exeksomisc.exewps_office_inst.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
File opened for modification	\??\PhysicalDrive0	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
File opened for modification	\??\PhysicalDrive0	ksomisc.exe
File opened for modification	\??\PhysicalDrive0	ksomisc.exe
File opened for modification	\??\PhysicalDrive0	wps_office_inst.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wps_office_inst.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Control Panel\International\Geo\Nation	wps_office_inst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Control Panel\International\Geo\Nation	ksomisc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

Processes:

d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe

description	ioc	process
File created	C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe

Executes dropped EXE 31 IoCs

Processes:

d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exed53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exeksomisc.exeksomisc.exewpscloudsvr.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exewps.exewps.exewps.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exewpsupdate.exewpsupdate.exewpscloudsvr.exewpscloudsvr.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exewps.exe

pid	process
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4412	ksomisc.exe
516	ksomisc.exe
4320	wpscloudsvr.exe
2316	ksomisc.exe
2064	ksomisc.exe
2440	ksomisc.exe
4460	ksomisc.exe
4252	ksomisc.exe
4684	ksomisc.exe
3080	wps.exe
764	wps.exe
4776	wps.exe
3476	ksomisc.exe
2716	ksomisc.exe
4964	ksomisc.exe
2160	ksomisc.exe
788	ksomisc.exe
4324	ksomisc.exe
2496	ksomisc.exe
436	wpsupdate.exe
828	wpsupdate.exe
3912	wpscloudsvr.exe
4752	wpscloudsvr.exe
4184	ksomisc.exe
3672	ksomisc.exe
2088	ksomisc.exe
4720	ksomisc.exe
992	ksomisc.exe
1756	wps.exe

Loads dropped DLL 64 IoCs

Processes:

d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exeksomisc.exeksomisc.exe

pid	process
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4412	ksomisc.exe
4412	ksomisc.exe
4412	ksomisc.exe
4412	ksomisc.exe
4412	ksomisc.exe
4412	ksomisc.exe
4412	ksomisc.exe
4412	ksomisc.exe
4412	ksomisc.exe
4412	ksomisc.exe
4412	ksomisc.exe
4412	ksomisc.exe
4412	ksomisc.exe
4412	ksomisc.exe
4412	ksomisc.exe
4412	ksomisc.exe
4412	ksomisc.exe
4412	ksomisc.exe
4412	ksomisc.exe
4412	ksomisc.exe
4412	ksomisc.exe
4412	ksomisc.exe
4412	ksomisc.exe
4412	ksomisc.exe
4412	ksomisc.exe
4412	ksomisc.exe
4412	ksomisc.exe
516	ksomisc.exe
516	ksomisc.exe
516	ksomisc.exe
516	ksomisc.exe
516	ksomisc.exe
516	ksomisc.exe
516	ksomisc.exe
516	ksomisc.exe
516	ksomisc.exe
516	ksomisc.exe
516	ksomisc.exe
516	ksomisc.exe
516	ksomisc.exe
516	ksomisc.exe
516	ksomisc.exe
516	ksomisc.exe
516	ksomisc.exe
516	ksomisc.exe
516	ksomisc.exe
516	ksomisc.exe
516	ksomisc.exe
516	ksomisc.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ kwpsshellext\ = "{28A80003-18FD-411D-B0A3-3C81F618E22B}"	regsvr32.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

ksomisc.exeksomisc.exeregsvr32.exeksomisc.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1120~1.115\\office6\\wps.exe /prometheus /wps"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1120~1.115\\office6\\wps.exe /prometheus /wpp"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{0002CE21-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\11.2.0.11537\\office6\\mui\\default\\resource\\ksee\\EqnEdit.exe"	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003100320030007e0031002e003100310035005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{00024500-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1120~1.115\\office6\\et.exe /Automation"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{000209F0-0000-4b30-A977-D214852036FF}\InprocServer32\Class\ = "WPS.Office.Interop.Wps.GlobalClass.9"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{44720444-94BF-4940-926D-4F38FECF2A48}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32\Class\ = "WPS.Office.Interop.Et.GlobalClass"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\LocalServer32	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{00020900-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003100320030007e0031002e003100310035005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1120~1.115\\office6\\wps.exe /prometheus /wpp"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\11.2.0.11537\\office6\\kwpsmenushellext64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{E260F96C-8EF4-4C24-A2B9-455F1D116531}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\11.2.0.11537\\office6\\wps.exe\" /prometheus /et /Preview"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{000209F0-0000-4b30-A977-D214852036FF}\InprocServer32\	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{00020832-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003100320030007e0031002e003100310035005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f006500740000000000	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{00024500-0000-0000-C000-000000000046}\LocalServer32\.ksobak	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003100320030007e0031002e003100310035005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\LocalServer32\.ksobak	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{000209F0-0000-4b30-A977-D214852036FF}\InprocServer32\Class	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{44720441-94BF-4940-926D-4F38FECF2A48}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\11.2.0.11537\\office6\\wps.exe\" /prometheus /wpp /Automation"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{45540003-5750-5300-4B49-4E47534F4655}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\11.2.0.11537\\office6\\wps.exe\" /prometheus /et"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\LocalServer32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{00020832-0000-0000-C000-000000000046}\LocalServer32\.ksobak	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\LocalServer32	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003100320030007e0031002e003100310035005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{00020832-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1120~1.115\\office6\\wps.exe /prometheus /et"	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003100320030007e0031002e003100310035005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{91493441-5A91-11CF-8700-00AA0060263B}\LocalServer32\.ksobak	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{91493443-94BF-4940-926D-4F38FECF2A48}\InprocServer32\	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1120~1.115\\office6\\wps.exe /prometheus /wps"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\LocalServer32\.ksobak	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{00024500-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003100320030007e0031002e003100310035005c006f006600660069006300650036005c00650074002e0065007800650020002f004100750074006f006d006100740069006f006e0000000000	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}\LocalServer32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{91493441-5A91-11CF-8700-00AA0060263B}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C360CF9-D475-44FC-8163-AD6C95CF5F5D}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\11.2.0.11537\\office6\\kmso2pdfplugins64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\LocalServer32\.ksobak	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{00020820-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1120~1.115\\office6\\wps.exe /prometheus /et"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{00020821-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1120~1.115\\office6\\wps.exe /prometheus /et"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\LocalServer32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{00020900-0000-0000-C000-000000000046}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1120~1.115\\office6\\wps.exe /prometheus /wps"	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003100320030007e0031002e003100310035005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f006500740000000000	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\.ksobak	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{44720444-94BF-4940-926D-4F38FECF2A48}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\11.2.0.11537\\office6\\wps.exe\" /prometheus /wpp"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{00020821-0000-0000-C000-000000000046}\LocalServer32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{3C18EAE4-BC25-4134-B7DF-1ECA1337DDDC}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C360CF9-D475-44FC-8163-AD6C95CF5F5D}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\11.2.0.11537\\office6\\kmso2pdfplugins64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{0C7FEF07-DCD9-4120-9647-D1CE32F289CD}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\11.2.0.11537\\office6\\wps.exe\" /prometheus /wps /Preview"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{000209F0-0000-4b30-A977-D214852036FF}\InprocServer32	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003100320030007e0031002e003100310035005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1120~1.115\\office6\\wps.exe /prometheus /wps"	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{000209FF-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003100320030007e0031002e003100310035005c006f006600660069006300650036005c007700700073002e0065007800650020002f004100750074006f006d006100740069006f006e0000000000	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\LocalServer32\.ksobak	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003100320030007e0031002e003100310035005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1120~1.115\\office6\\wps.exe /prometheus /wpp"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32\.ksobak	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32\.ksobak	ksomisc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

ksomisc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024"	ksomisc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{AB5357A7-3179-47F9-A705-966B8B936D5E}"	ksomisc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}	ksomisc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024"	ksomisc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{E436987E-F427-4AD7-8738-6D0895A3E93F}"	ksomisc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}	ksomisc.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeksomisc.exeksomisc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KPdf.Html2Pdf\ = "Html2Pdf class"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{00020953-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Interface\{00020980-0000-0000-C000-000000000046}\ = "Revisions"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Interface\{A87E00E9-3AC3-4B53-ABE3-7379653D0E82}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{00020965-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Interface\{00020849-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{000C0381-0000-0000-C000-000000000046}\TypeLib\Version = "63.1"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{000C03A2-0000-0000-C000-000000000046}\ = "ThemeColorScheme"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Interface\{91493461-5A91-11CF-8700-00AA0060263B}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Interface\{00020848-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{000C0386-0000-0000-C000-000000000046}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{91493471-5A91-11CF-8700-00AA0060263B}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Interface\{000C0411-0000-0000-C000-000000000046}\TypeLib\Version = "63.1"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WPP.PPTX.6\shell\open	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{000C0388-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{000CDB0F-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{000C03A4-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{000C03E4-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Interface\{91493492-5A91-11CF-8700-00AA0060263B}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib\Version = "63.1"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Interface\{0002095C-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{000209DF-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{BA72E555-4FF5-48F4-8215-5505F990966F}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Interface\{00020923-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Interface\{91493478-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{914934E1-5A91-11CF-8700-00AA0060263B}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Interface\{1641E775-2277-46DE-A06D-8C49C3C5D5E7}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{A2E94180-7564-4D97-806B-BBC0D0A1350C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Interface\{E2E8A400-0615-427D-ADCC-CAD39FFEBD42}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Interface\{0002097C-0000-0000-C000-000000000046}\ = "Indexes"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Interface\{91493457-5A91-11CF-8700-00AA0060263B}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Interface\{000208C4-0000-0000-C000-000000000046}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{91493483-5A91-11CF-8700-00AA0060263B}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\.ppa\OpenWithProgids	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Interface\{000C0320-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{000C1709-0000-0000-C000-000000000046}\TypeLib\Version = "63.1"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Interface\{F01943FF-1985-445E-8602-8FB8F39CCA75}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Interface\{396F9073-F9FD-11D3-8EA0-0050049A1A01}\TypeLib\Version = "3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{0002096E-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{000C0312-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{000C036E-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{0002440F-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Interface\{00020881-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615EA8C1-CF15-49E1-AFA9-636AAE000C20}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Interface\{000C03BF-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{000C03A4-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Interface\{000C03C9-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Interface\{0002098E-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{91493466-5A91-11CF-8700-00AA0060263B}\ = "PageSetup"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{DFF99AC2-CD2A-43AD-91B1-A2BE40BC7146}\ = "CoAuthLocks"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{00020914-0000-0000-C000-000000000046}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Interface\{00020870-0000-0000-C000-000000000046}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Interface\{0002447D-0000-0000-C000-000000000046}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Interface\{000C1724-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{BA72E559-4FF5-48F4-8215-5505F990966F}\TypeLib\ = "{44720440-94BF-4940-926D-4F38FECF2A48}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{000208A3-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Interface\{8245795B-9AED-4943-A16D-E586ED8180D1}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{91493478-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Interface\{92D41A5F-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{91493457-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Interface\{0002443C-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{000C03D5-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{000C03C9-0000-0000-C000-000000000046}\ = "SmartArtLayouts"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\WOW6432Node\Interface\{000208C9-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

wpsupdate.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	wpsupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	wpsupdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	wpsupdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	wpsupdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	wpsupdate.exe

Suspicious behavior: AddClipboardFormatListener 24 IoCs

Processes:

d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exewpsupdate.exewpsupdate.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exewps.exe

pid	process
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4412	ksomisc.exe
516	ksomisc.exe
2316	ksomisc.exe
2064	ksomisc.exe
2440	ksomisc.exe
4460	ksomisc.exe
4252	ksomisc.exe
4684	ksomisc.exe
3476	ksomisc.exe
2716	ksomisc.exe
4964	ksomisc.exe
2160	ksomisc.exe
788	ksomisc.exe
4324	ksomisc.exe
2496	ksomisc.exe
436	wpsupdate.exe
828	wpsupdate.exe
4184	ksomisc.exe
3672	ksomisc.exe
2088	ksomisc.exe
4720	ksomisc.exe
992	ksomisc.exe
1756	wps.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

wps_office_inst.exed53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exed53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exeksomisc.exeksomisc.exewpscloudsvr.exeksomisc.exe

pid	process
3980	wps_office_inst.exe
3980	wps_office_inst.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4412	ksomisc.exe
4412	ksomisc.exe
516	ksomisc.exe
516	ksomisc.exe
4320	wpscloudsvr.exe
4320	wpscloudsvr.exe
2316	ksomisc.exe
2316	ksomisc.exe
2316	ksomisc.exe
2316	ksomisc.exe
2316	ksomisc.exe
2316	ksomisc.exe
2316	ksomisc.exe
2316	ksomisc.exe
2316	ksomisc.exe
2316	ksomisc.exe
2316	ksomisc.exe
2316	ksomisc.exe
2316	ksomisc.exe
2316	ksomisc.exe
2316	ksomisc.exe
2316	ksomisc.exe
2316	ksomisc.exe
2316	ksomisc.exe
2316	ksomisc.exe
2316	ksomisc.exe
2316	ksomisc.exe
2316	ksomisc.exe
516	ksomisc.exe
516	ksomisc.exe
2316	ksomisc.exe
2316	ksomisc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe

pid process

4260 d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exeksomisc.exe

description	pid	process
Token: SeDebugPrivilege	4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
Token: SeRestorePrivilege	4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
Token: SeRestorePrivilege	4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
Token: SeRestorePrivilege	4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
Token: SeRestorePrivilege	4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
Token: SeDebugPrivilege	4412	ksomisc.exe
Token: SeDebugPrivilege	516	ksomisc.exe
Token: SeDebugPrivilege	2316	ksomisc.exe
Token: SeDebugPrivilege	2064	ksomisc.exe
Token: SeDebugPrivilege	2440	ksomisc.exe
Token: SeDebugPrivilege	4460	ksomisc.exe
Token: SeDebugPrivilege	4252	ksomisc.exe
Token: SeDebugPrivilege	4684	ksomisc.exe
Token: SeDebugPrivilege	3476	ksomisc.exe
Token: SeDebugPrivilege	2716	ksomisc.exe
Token: SeDebugPrivilege	4964	ksomisc.exe
Token: SeDebugPrivilege	2160	ksomisc.exe
Token: SeDebugPrivilege	788	ksomisc.exe
Token: SeDebugPrivilege	4324	ksomisc.exe
Token: SeDebugPrivilege	2496	ksomisc.exe
Token: SeDebugPrivilege	4184	ksomisc.exe
Token: SeDebugPrivilege	3672	ksomisc.exe
Token: SeDebugPrivilege	2088	ksomisc.exe
Token: SeDebugPrivilege	4720	ksomisc.exe
Token: SeDebugPrivilege	992	ksomisc.exe

Suspicious use of FindShellTrayWindow 16 IoCs

Processes:

d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exeksomisc.exewps_office_inst.exe

pid	process
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4252	ksomisc.exe
3980	wps_office_inst.exe
3980	wps_office_inst.exe
3980	wps_office_inst.exe
3980	wps_office_inst.exe
3980	wps_office_inst.exe
3980	wps_office_inst.exe
3980	wps_office_inst.exe
3980	wps_office_inst.exe
3980	wps_office_inst.exe
3980	wps_office_inst.exe
3980	wps_office_inst.exe
3980	wps_office_inst.exe
3980	wps_office_inst.exe
3980	wps_office_inst.exe

Suspicious use of SetWindowsHookEx 30 IoCs

Processes:

pid	process
4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
4412	ksomisc.exe
516	ksomisc.exe
516	ksomisc.exe
516	ksomisc.exe
2316	ksomisc.exe
516	ksomisc.exe
2064	ksomisc.exe
2440	ksomisc.exe
4460	ksomisc.exe
4252	ksomisc.exe
4684	ksomisc.exe
3476	ksomisc.exe
2716	ksomisc.exe
4964	ksomisc.exe
2160	ksomisc.exe
788	ksomisc.exe
4324	ksomisc.exe
2496	ksomisc.exe
436	wpsupdate.exe
828	wpsupdate.exe
436	wpsupdate.exe
828	wpsupdate.exe
4184	ksomisc.exe
3672	ksomisc.exe
2088	ksomisc.exe
4720	ksomisc.exe
992	ksomisc.exe
1756	wps.exe
1756	wps.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 3980 wrote to memory of 4260	3980	wps_office_inst.exe	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
PID 3980 wrote to memory of 4260	3980	wps_office_inst.exe	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
PID 3980 wrote to memory of 4260	3980	wps_office_inst.exe	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
PID 3340 wrote to memory of 4412	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 4412	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 4412	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 516	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 516	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 516	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 4260 wrote to memory of 4320	4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	wpscloudsvr.exe
PID 4260 wrote to memory of 4320	4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	wpscloudsvr.exe
PID 4260 wrote to memory of 4320	4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	wpscloudsvr.exe
PID 3340 wrote to memory of 2316	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 2316	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 2316	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 2316 wrote to memory of 4472	2316	ksomisc.exe	regsvr32.exe
PID 2316 wrote to memory of 4472	2316	ksomisc.exe	regsvr32.exe
PID 2316 wrote to memory of 4472	2316	ksomisc.exe	regsvr32.exe
PID 2316 wrote to memory of 4752	2316	ksomisc.exe	wpscloudsvr.exe
PID 2316 wrote to memory of 4752	2316	ksomisc.exe	wpscloudsvr.exe
PID 2316 wrote to memory of 4752	2316	ksomisc.exe	wpscloudsvr.exe
PID 4752 wrote to memory of 4476	4752	wpscloudsvr.exe	regsvr32.exe
PID 4752 wrote to memory of 4476	4752	wpscloudsvr.exe	regsvr32.exe
PID 2316 wrote to memory of 4220	2316	ksomisc.exe	regsvr32.exe
PID 2316 wrote to memory of 4220	2316	ksomisc.exe	regsvr32.exe
PID 2316 wrote to memory of 4220	2316	ksomisc.exe	regsvr32.exe
PID 4260 wrote to memory of 2064	4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 4260 wrote to memory of 2064	4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 4260 wrote to memory of 2064	4260	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 2440	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 2440	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 2440	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 4460	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 4460	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 4460	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 4252	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 4252	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 4252	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 4684	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 4684	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 4684	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 4684 wrote to memory of 3080	4684	ksomisc.exe	wps.exe
PID 4684 wrote to memory of 3080	4684	ksomisc.exe	wps.exe
PID 4684 wrote to memory of 3080	4684	ksomisc.exe	wps.exe
PID 3080 wrote to memory of 764	3080	wps.exe	wps.exe
PID 3080 wrote to memory of 764	3080	wps.exe	wps.exe
PID 3080 wrote to memory of 764	3080	wps.exe	wps.exe
PID 3080 wrote to memory of 4776	3080	wps.exe	wps.exe
PID 3080 wrote to memory of 4776	3080	wps.exe	wps.exe
PID 3080 wrote to memory of 4776	3080	wps.exe	wps.exe
PID 3340 wrote to memory of 3476	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 3476	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 3476	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 2716	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 2716	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 2716	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 4964	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 4964	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 4964	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 2160	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 2160	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 2160	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	ksomisc.exe
PID 3340 wrote to memory of 1328	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	regsvr32.exe
PID 3340 wrote to memory of 1328	3340	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\wps_office_inst.exe
"C:\Users\Admin\AppData\Local\Temp\wps_office_inst.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3980

C:\Users\Admin\AppData\Local\Temp\wps_download\d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
"C:\Users\Admin\AppData\Local\Temp\wps_download\d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe" -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -createIcons -curlangofinstalledproduct=es_ES -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office"
2⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4260

C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService
3⤵
- Checks whether UAC is enabled
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4320

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe" groupCmd=LXJlZ210Zm9udA==##LXNldGFwcGNhcA==
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2064

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe" -assoepub
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4324

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\\office6\ksomisc.exe" -registerqingshellext 1
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2496

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe" -reghtml2PdfPlugins
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4184

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\addons\html2pdf\html2pdf.dll" /s
4⤵
PID:4092

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe" groupCmd=LXJlZ21zbzJwZGZwbHVnaW5z##LXJlZ1ByZXZpZXdIYW5kbGVy
3⤵
- Checks computer location settings
- Executes dropped EXE
- Registers COM server for autorun
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2088

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\kmso2pdfplugins.dll"
4⤵
PID:212

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\kmso2pdfplugins64.dll"
4⤵
PID:208

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\kmso2pdfplugins64.dll"
5⤵
- Registers COM server for autorun
PID:3648

C:\Users\Admin\AppData\Local\Temp\wps_download\d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
"C:\Users\Admin\AppData\Local\Temp\wps_download\d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe" -downpower -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -createIcons -curlangofinstalledproduct="es_ES" -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -msgwndname=wpssetup_message_E5766F7 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~e575e3d\
1⤵
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3340

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe" -setlng es_ES
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4412

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe" groupCmd=LWdldG9ubGluZXBhcmFtIDAwNjAxLjAwMDAxMDUyIC1mb3JjZXBlcnVzZXJtb2Rl##LWdldGFidGVzdCAtZm9yY2VwZXJ1c2VybW9kZQ==
2⤵
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:516

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe" groupCmd=LXNldHNlcnZlcnM=##LXJlZ2lzdGVy
2⤵
- Checks computer location settings
- Executes dropped EXE
- Registers COM server for autorun
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\kmso2pdfplugins.dll"
3⤵
PID:4472

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\kmso2pdfplugins64.dll"
3⤵
PID:4752

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\kmso2pdfplugins64.dll"
4⤵
PID:4476

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\addons\html2pdf\html2pdf.dll" /s
3⤵
- Modifies registry class
PID:4220

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe" groupCmd=LUFzc293b3Jk##LUFzc29leGNlbA==##LUFzc29wb3dlcnBudA==##LWNvbXBhdGlibGVtc28=##LWNoZWNrY29tcGF0aWJsZW1zbw==##LXNhdmVhc19tc28=##LWRpc3RzcmMgMDA2MDEuMDAwMDEwNTI=
2⤵
- Checks computer location settings
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2440

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe" -sendinstalldyn 5
2⤵
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4460

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe" groupCmd=LWNyZWF0ZWV4dGVybnN0YXJ0bWVudSAiV1BTIE9mZmljZSI=##LXVwZGF0ZXRhc2tiYXJwaW4gMTA0ODU3NiAtZm9yY2VwZXJ1c2VybW9kZQ==
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4252

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe" -externaltask create -forceperusermode
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4684

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\wps.exe" CheckService
4⤵
- Executes dropped EXE
PID:764

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/11.2.0.11537/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=3080 /prv
4⤵
- Executes dropped EXE
PID:4776

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe" -createsubmodulelink startmenu "WPS Office" prometheus
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3476

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe" groupCmd=LWNyZWF0ZXN1Ym1vZHVsZWxpbmsgc3RhcnRtZW51ICJXUFMgT2ZmaWNlIiBwZGY=##LWNyZWF0ZXN1Ym1vZHVsZWxpbmsgZGVza3RvcCBwZGY=
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2716

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe" -createsubmodulelink desktop prometheus
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4964

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe" -createCustomDestList
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2160

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\kwpsmenushellext64.dll"
2⤵
PID:1328

C:\Windows\system32\regsvr32.exe
/s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\kwpsmenushellext64.dll"
3⤵
- Modifies system executable filetype association
- Registers COM server for autorun
PID:756

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe" -Assopdf
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:788

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\wpsupdate.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\wpsupdate.exe" /from:setup
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:436

C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
3⤵
- Executes dropped EXE
PID:3912

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\wpsupdate.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\wpsupdate.exe" -createtask
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:828

C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe" -reghtml2PdfPlugins
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3672

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\addons\html2pdf\html2pdf.dll" /s
3⤵
- Registers COM server for autorun
PID:4476

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe" -rebuildicon
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4720

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe" -reportAssoInfo -forceperusermode
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:992

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\wps.exe" /prometheus /download_lang_on_start /lang=es_ES /from=autostart_after_install_onlinesetup
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\MSVCP140.dll
Filesize
439KB

MD5
5fd0772c30a923159055e87395f96d86

SHA1
4a20f687c84eb327e3cb7a4a60fe597666607cf3

SHA256
02c7259456eac8cbadfb460377ba68e98282400c7a4a9d0bf49b3313ef6d554d

SHA512
132a9b969104c0a214bde3f8c6e8f754d116cecdad55224bbea7a40cffd98f4e4de503d83d92cca0aaab9ed51c9efa00ad5caed69a9eda71013598a43b161c3a

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\MSVCP140_CODECVT_IDS.dll
Filesize
25KB

MD5
932652ebb62a944bcfb1322aa5719279

SHA1
af78fc029a9f5b945fe4d297de05e92dbc001f1c

SHA256
eff976b258d01ccc8ceb029ff19b90796294382ddb91dc582405245925721585

SHA512
e575a69189c1ad905fe05204ac08920b52b3787c4a48ee1b918b2c7c0fc01ee7a5ab768a10c664c0fdefabea34b18534c66df172ba5ccbd018a6b205c8469fa6

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5CoreKso.dll
Filesize
5.0MB

MD5
d470842373eae4d297e6b2b45c6c35c2

SHA1
c0a360cd83a91b44ce6b43fe1c8f722ab0ee44ae

SHA256
aeb99c5e0cd2f44b536abd516da183f99199d0410f2cc4bab018c08747c5619b

SHA512
1db11b312d65673bf7cabe7d6203019e4e05ae7458b5377bbdad832cd553582464a0273786cedea4af063b8e742a0a577aad297365b1b652b926b5c6ff22ff45

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5GuiKso.dll
Filesize
5.3MB

MD5
267a544673fa4f20e216c1f40480f559

SHA1
bbf8d6eedbf189730fbc1026ab5309e1632adf0e

SHA256
e38432b64ffd423da056818f9937b6b37f75a3239622b8e6c71e47d80350446b

SHA512
96e769ef61c522ef2a21d238eee2aa6d866f85904a0140c62ecdf58620188f2e248c4f821cc3a3b6d4e7a6476e779d80d2bf4f144fc21ca01f8a29022fbdc662

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5GuiKso.dll
Filesize
5.3MB

MD5
267a544673fa4f20e216c1f40480f559

SHA1
bbf8d6eedbf189730fbc1026ab5309e1632adf0e

SHA256
e38432b64ffd423da056818f9937b6b37f75a3239622b8e6c71e47d80350446b

SHA512
96e769ef61c522ef2a21d238eee2aa6d866f85904a0140c62ecdf58620188f2e248c4f821cc3a3b6d4e7a6476e779d80d2bf4f144fc21ca01f8a29022fbdc662

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5NetworkKso.dll
Filesize
1.1MB

MD5
053fd4e50054419244764f69003d6eb4

SHA1
b3faade6961ac4945d4661a375331026d4e895bc

SHA256
25445c156807414d04e5d2ec2bf2c0dfcf7284bd19a52d96dc5869cda16e39f7

SHA512
6cde8af0e0d226ae5d56b64150ceff4a1d648369f8a73dd306f415b1c0e5fa7e4e04ab5b8349cff34a0fbc0952d227e2299c3bd2e4f8cce52672ba2af266d757

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5SvgKso.dll
Filesize
363KB

MD5
b5766985090bf271cf853dfda5015efe

SHA1
3354c768373c40ff75ac8caa6ae474b21dd4d32f

SHA256
3fcfc50b5c42206442b66cff3f47f9c78627a325edd5a29aa70820f355345537

SHA512
6b279705f779a30db0029f568879b2aeae97c0499753fc57c45d103081f71658ee95b7698a9e0183ce6be1dba1b42adff93a5b57108034e337a9287e3990dce3

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5SvgKso.dll
Filesize
363KB

MD5
b5766985090bf271cf853dfda5015efe

SHA1
3354c768373c40ff75ac8caa6ae474b21dd4d32f

SHA256
3fcfc50b5c42206442b66cff3f47f9c78627a325edd5a29aa70820f355345537

SHA512
6b279705f779a30db0029f568879b2aeae97c0499753fc57c45d103081f71658ee95b7698a9e0183ce6be1dba1b42adff93a5b57108034e337a9287e3990dce3

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5WidgetsKso.dll
Filesize
4.4MB

MD5
c10ebd510045643f3ab7f999b9a41e72

SHA1
cd437fdef5cd12a309ff64ac3be0dd7e11e3b776

SHA256
5e40b53733105e98ad2914bfb2f0dda52e3b9b3c87d82bf4ff092f1bed25cd13

SHA512
e20e77f54194de3552ee0327083f411644efdb25fb43e2363dd6edcbb9c39dad5064be6dfffe415689569feb11f2e8585369505582b6dc08480395cf2ec12a17

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5WinExtrasKso.dll
Filesize
392KB

MD5
b1cfe29f66b39644369276b8014915b3

SHA1
a572ed3b9f7de4a0aeaef0a745fb62f6e2ae9b4e

SHA256
7ed3c859399f4753789f79a2e25b8462268bbd59091a2ac456e36e1e153c214b

SHA512
f151ef444bdc7881c779e6a1c45d91d6ab1e18d8aa3aacf3365ce75dab69ee9a1d88be5ad7f5cdaa28405daf784cf44d35b22b559ba5124baed03ffd64f6d08a

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5WinExtrasKso.dll
Filesize
392KB

MD5
b1cfe29f66b39644369276b8014915b3

SHA1
a572ed3b9f7de4a0aeaef0a745fb62f6e2ae9b4e

SHA256
7ed3c859399f4753789f79a2e25b8462268bbd59091a2ac456e36e1e153c214b

SHA512
f151ef444bdc7881c779e6a1c45d91d6ab1e18d8aa3aacf3365ce75dab69ee9a1d88be5ad7f5cdaa28405daf784cf44d35b22b559ba5124baed03ffd64f6d08a

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5XmlKso.dll
Filesize
169KB

MD5
7bb955e6013146cecfe90212d5ae3769

SHA1
d9d7f0afe1c77e30ec9b7d70a8a81d9c201c9f8d

SHA256
17c5ec9b2778f0b4cbaf51c23395f089b6fd8fddddc1e416b047402cc0c1427a

SHA512
dd2f5f1872ef5a3a139524833a1d60f6da47b81762bb6212c44e8b38744805d79e56fac314196cba6ab7e5e898e06a29b51525c05e28898587d77a1cd073f600

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\VCRUNTIME140.dll
Filesize
81KB

MD5
e51018e4985943c51ff91471f8906504

SHA1
5899aaccdb692dbdffdaa35436c47d17c130cfd0

SHA256
ff9c1123cff493a8f5eacb91115611b6c1c808b30c82af9b6f388c0ef1f6b46d

SHA512
2fe5ddad2100aeaea35398384a440ba0be169ef429f7e0b69687bc0f8865df41bc93fc80d3a8f0ddd9df54fc2f2d76b1056a1d1962d37432704c818128ffbd74

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\addons\kclouddocs\mui\pt_PT\errPage.html
Filesize
14KB

MD5
444201bab3936f4a8a35c6045b74bce9

SHA1
51425a847a5c1b9258b3b00393cd5a50bbfaaa79

SHA256
50c9471ef7212ca56e2bc2def085072927c546815159544fa203901007771807

SHA512
1f1c639847f9c22fb59ee85d4db4336640f313c065012268e346daa4b4c7fb0026e87d59b5e38a9c0ad95235b1402f10947804bfd6a38963849abb577184bd29

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\addons\photo\mui\de_DE\kximagemodule.qm
Filesize
23B

MD5
4aef4415f2e976b2cc6f24b877804a57

SHA1
2aa2d42c51f9cf024e3777f0dde4270388fd22ae

SHA256
307cef95dd5b36ff215055d427e1885b7fc3650c9224cf76d63056545996ff60

SHA512
c75f089a95107997b0a786e7c1191e48ec7a69aefff97daf37783791d943c612b7c1b43bcc2cacdfd15e79382e0f314c88817c7dd320f8028af3420452ce3a1c

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\addons\photo\mui\ja_JP\photo.qm
Filesize
16B

MD5
bcebcf42735c6849bdecbb77451021dd

SHA1
4884fd9af6890647b7af1aefa57f38cca49ad899

SHA256
9959b510b15d18937848ad13007e30459d2e993c67e564badbfc18f935695c85

SHA512
f951b511ffb1a6b94b1bcae9df26b41b2ff829560583d7c83e70279d1b5304bde299b3679d863cad6bb79d0beda524fc195b7f054ecf11d2090037526b451b78

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\addons\photo\mui\pt_BR\kximagemodule.qm
Filesize
23B

MD5
237c99069275bf517a1e1015228eed57

SHA1
d645f40ce16f1bc0a8a442c849612a7c0dd79df4

SHA256
7b218a09051d3ca3d82f812ee8db3d2f12f1592095887c2da11a04577caa215c

SHA512
9bb5a3d32921f768059fcaa6e5f80a66c654da383ef19be7683e17a6c4d8342eae5c40e4414e89c5ce3a1026e8de11a7757485845ad91c9dde24a492a6c5c298

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\pt_PT\history.js
Filesize
198KB

MD5
b4b4c703bf5c6c0b5e9c57f05012d234

SHA1
929aee49e800e88b4b01f4a449fa86715d882e42

SHA256
910eada285d4900ea8e36faf305f731cfb200b317ea866839f5f4864a9dfc09b

SHA512
2afa881ee2f47e97249904b506cf88d68a34c166d9dc0a603f68369e640336f2c0b424ecb7b23d4631a96e175b965478bfa4ebc0224b0410551e55ac4c8ad0ec

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\cfgs\setup.cfg
Filesize
401B

MD5
73b8ab0c1943536d500c331c228918a3

SHA1
cbe3aaf0c9c8aded03ceb3c8dc574bc5bab1396a

SHA256
8560b4b7bb84189bd10b8c0e621e0b85e984c5dd7212e8e6d749664583c49887

SHA512
9ef02a97e43186dca61361b5be78049bdf33ee8dc0c7c0caed81e15f40c2d59a725dbb4287bd3cd87fcc62ecec7c0c4b7fe7365086e78701571be01dc9084fa4

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\kdownload.dll
Filesize
311KB

MD5
dcdde7244d1b772e21f6489d37188e6b

SHA1
6cef9cbcca531b2c0c5b6f9a8a270b832795642f

SHA256
f164962f331bae4f4b685d4afe3ad2b008204e1951f7e14c6573855d0ebcc7c9

SHA512
d8dc2feabe2011a0e0eccbb8a6f462266e1f6e47ef1377c184a56542a4e42f15a25227320568f718cad9af30e2dffaf2d470e7551f2c986e91b71ec74e6553ec

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\kprometheus.dll
Filesize
5.6MB

MD5
2fe8bbde8734932f3fde6e783e23359a

SHA1
21ddcf4f44519d7c0043996d7cf5ceafffa920bc

SHA256
cee30f62105e6031aa5cbea020ed121229de92cc1e1669cbcd553f4516984d24

SHA512
d40b9c363db4a7e5921c24a1dfee64bdf25bb52c76772d0bb0b77a2ed440a5f59b06499451819c8196ce89b7878d6d5ac8767672fcff487de467e953e6eafd2a

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\kso.dll
Filesize
47.4MB

MD5
a9c34cad93f6e5515210e8db49a4e3bd

SHA1
c3a38b31bb15da65f985d4c4f4e924a9d3fc5b67

SHA256
67bd3a19a9fb81f1ade05f14ceaafc11b8a48caa0e379c6b75c32cc71952a271

SHA512
db2849787ced44dcc79011853ad3a3defa194c9c26eefed770cb4584a226806421a8a6c14670236b115d007c71e7b62e6f4482b23aa097c28f743ce917f69700

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksolite.dll
Filesize
6.3MB

MD5
80d18e1d21d5ec6fbfcf0dc99bdab283

SHA1
e8bc291190c66627fd2cb816cfb2bbcadb0d8472

SHA256
fa75536a0ec7eda04414ff7b7d396c4fa9fec167d49a9a71d6c12db7148e1ee4

SHA512
198ea8b26b411bf5f09d3d3cf16beeeebf225438e07ae44330e1448695b200cfd2046c9d5797e1eb3d9f35bacec607843401a93235dde6eebf0931636e2bcd67

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe
Filesize
2.4MB

MD5
b9d13c9ead5913f8320bdc2f3bb2be07

SHA1
47c1f8fe2d7914a1177b0adc3a2ba6bb6aff21ba

SHA256
eedcc14d9678b7d7d698584e4173aca2055580f2e6dfc51dc8f61f4b91333721

SHA512
d9ef6ab8ae4b2cd5db049d4c7ec0cb01dae7033ca66bdab58705d159d7121e20c08e337a888ec57b638e316976a2ab8489e379d96fe7c2cc27fcf4be436c35fb

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe
Filesize
2.4MB

MD5
b9d13c9ead5913f8320bdc2f3bb2be07

SHA1
47c1f8fe2d7914a1177b0adc3a2ba6bb6aff21ba

SHA256
eedcc14d9678b7d7d698584e4173aca2055580f2e6dfc51dc8f61f4b91333721

SHA512
d9ef6ab8ae4b2cd5db049d4c7ec0cb01dae7033ca66bdab58705d159d7121e20c08e337a888ec57b638e316976a2ab8489e379d96fe7c2cc27fcf4be436c35fb

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksqlite3.dll
Filesize
93KB

MD5
37e9c45be7dab5edb8a688eeb7226596

SHA1
deb2156782f3779ebe3e46a1553c4c9e59812543

SHA256
c5ddf10af2fa94f82ce17ed4233e6471b8822cd07ec8da4485262dd6e6ff2e58

SHA512
6315b1c9ba1cdf2d053d63818b98e9169ce5610dbf4949ef8a7f2dbbe6b4999f1cd87ac4f29c4b80949054b95c443ef18405b9fee3d233fe7bac9dd302609667

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\libcrypto-1_1.dll
Filesize
2.6MB

MD5
bc15924af953c636da638628e2f3a9fc

SHA1
f6e74e30ac71da1ab060d2932f8a6ed1193117c1

SHA256
4c37434b5bca66fa15611033e6f9c3b7cae709effeba4f67c97b3fc419f81ca7

SHA512
ac8283ff1676cf1d2c1bb2a914952ea8e7a6e9f9baabf25523160d5e0830ae2526fe5902dc71c8d2f6e6a07c5bed201372317b002fdbd9af77718931ea93f7b2

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\libcurl.dll
Filesize
441KB

MD5
1297a89f05998ce8434f7f6ecee52ba4

SHA1
3bfdc4e792227d9488c2b14811df8e90c9e7f412

SHA256
dc21fe3457e66571d22da1683ac8ed36a78ae22e1f6d856b789e89e9fe5746f2

SHA512
11221217ef0b9dbb8dc05eec340f28d95404e6bf3e75a864ef0683df1668231d2480e6cd96196fa96935477b82b3f83d9022cf27fc9a7b927537581f6664337f

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\mui\ja_JP\resource\splash\hdpi\ent_background_2019_wpp.png
Filesize
233KB

MD5
d82655ee0d0411233db8691024582cf8

SHA1
266b81f265cf95f590388ba924a4fe385ed5327b

SHA256
c003bcf02a9562d885e3fa7436b29d5cff70949ccdf9058146948734f759980c

SHA512
ee3097cb811ba30e043f3b1ce2b39ceb33a9793e660a02ae5424f02fbbedb74fa367e2a687ac18d3413c0b4aa8230c87ee62ca11c25b04060e9c6c4548da0bc3

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\qt\plugins\platforms\qdirect2d.dll
Filesize
1.3MB

MD5
e21da6a83e5249ec4ca7dba79dc1033e

SHA1
5127dbe2318825d39d310ba5a45d2ddebf374b1e

SHA256
05f63a8106237949792f2ee26ae34f4161222f4bcb05181d74f38d4a9fa0751d

SHA512
e99ae0853b23103f2b312369c1523fbd8a61c10095bc33796319114f14040d8ef02fb37628e0d002b5949c68ccea6734347a6b58a80302c9a4002bfa09efb2af

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\vcruntime140.dll
Filesize
81KB

MD5
e51018e4985943c51ff91471f8906504

SHA1
5899aaccdb692dbdffdaa35436c47d17c130cfd0

SHA256
ff9c1123cff493a8f5eacb91115611b6c1c808b30c82af9b6f388c0ef1f6b46d

SHA512
2fe5ddad2100aeaea35398384a440ba0be169ef429f7e0b69687bc0f8865df41bc93fc80d3a8f0ddd9df54fc2f2d76b1056a1d1962d37432704c818128ffbd74

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\wpscloudsvr.exe
Filesize
1.0MB

MD5
b62c12e4caf4eafc3e96e4d1f2b30dd6

SHA1
99aa90d49b27e5be7f2bb7103363d863a749beb0

SHA256
7ef0b1748762e32a6d99bd73fc2868d668191034a2e90d929d93fd12bb2f0bc3

SHA512
bea5d1e856cd6c1813c6412b83d087dd4b7ff6b4c58bb1b77aa1146e2f19bdf4c51bcfddc4df1bc044b5784590ca23a38efafad7124b9f85938f422c30dff54b

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\utility\install.ini
Filesize
190B

MD5
1cf5ce2a10c28fb4019916ea9440dc96

SHA1
e419ca40810f42a9dee168db832ddf0c8ea67028

SHA256
f8cec5ee25dca1bf99e0195e8ddb4413bb30b609a37922766d3d66f7858f9e00

SHA512
d55c8934cbc4b5eb853d41c9dc005c976ea856047c956b2af4ee7df5aca38adadbe6547b3b7b7a86548600c17f1f911fd04c7d89cb41a8144e3c916420a8a866

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\utility\install.ini
Filesize
499B

MD5
0714d37ce4fc179602d83b687b6a6ae7

SHA1
5f1fb78fe8a479016fde988be224613ef2bcecd5

SHA256
514656186e18e09dbe3efcf8c38934803b1eca3cdb39847809e51e441bcbcaa1

SHA512
668801e71484fb6a4fdc07056133c9885a7568a7889c8048958b4d6df6b0e039e2916ef4764b5e64b2540b1e506f91ad79b19de3c485a1d405cd51418c470295

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\utility\install.ini
Filesize
664B

MD5
a2a202f3bcdeb4a33c0d19febb0c2278

SHA1
0dfc11ea7f91961c855df98e6145c50baec09b95

SHA256
73d0a7b05e77ed8bbb007da300f1e33cdd32a5907447e7d69dc628a2f2745e99

SHA512
80762288f55d25e37e5323b8e2ae9d90b687e8fffddd3aec01c2583d5000829b90f9a574d7cf9159acccf2e9c4123936519381f2e5ef8d7d924ce86eeb386668

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kingsoft\WPS Office.lnk
Filesize
2KB

MD5
4a423fbe3b4ada7a6d09473ffc6d24fa

SHA1
83e481f4e139e4dd8fc30289bb161b72b55d1361

SHA256
7d2171c0e86d112e46830632c833c0fc0c281f37df179f5a5ff80534c3b5e71b

SHA512
4b38416018c57aa6c64d294a72aadc6eed74d7e1068592415e3597bcc3ecc363169c152b11e2566d41b172f59081514d3b36777e5e86fccca31ade2128fdeebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e575e3d\CONTROL\office6\Qt5CoreKso.dll
Filesize
5.0MB

MD5
d470842373eae4d297e6b2b45c6c35c2

SHA1
c0a360cd83a91b44ce6b43fe1c8f722ab0ee44ae

SHA256
aeb99c5e0cd2f44b536abd516da183f99199d0410f2cc4bab018c08747c5619b

SHA512
1db11b312d65673bf7cabe7d6203019e4e05ae7458b5377bbdad832cd553582464a0273786cedea4af063b8e742a0a577aad297365b1b652b926b5c6ff22ff45

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e575e3d\CONTROL\office6\Qt5WidgetsKso.dll
Filesize
4.4MB

MD5
c10ebd510045643f3ab7f999b9a41e72

SHA1
cd437fdef5cd12a309ff64ac3be0dd7e11e3b776

SHA256
5e40b53733105e98ad2914bfb2f0dda52e3b9b3c87d82bf4ff092f1bed25cd13

SHA512
e20e77f54194de3552ee0327083f411644efdb25fb43e2363dd6edcbb9c39dad5064be6dfffe415689569feb11f2e8585369505582b6dc08480395cf2ec12a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e575e3d\CONTROL\office6\dbghelp.dll
Filesize
1.2MB

MD5
7f5af60e9898ec93c729ffb2333dd1bf

SHA1
b3603c43c83e4819cb1d2fb322fcc3e824c84f4a

SHA256
c4936a58c39734577f8777c4bb35eb2a4b9ff03661b18d414ffd964f2816c84e

SHA512
cee7752911271c11afaa190aa8ce55447c0d202ab376915883ca5e5e539aba2f4e4594ad35d9799f5547035f1ffece4f0166e6ee77b2b8bf05950c70a27a0127

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e575e3d\CONTROL\office6\msvcp140.dll
Filesize
439KB

MD5
5fd0772c30a923159055e87395f96d86

SHA1
4a20f687c84eb327e3cb7a4a60fe597666607cf3

SHA256
02c7259456eac8cbadfb460377ba68e98282400c7a4a9d0bf49b3313ef6d554d

SHA512
132a9b969104c0a214bde3f8c6e8f754d116cecdad55224bbea7a40cffd98f4e4de503d83d92cca0aaab9ed51c9efa00ad5caed69a9eda71013598a43b161c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e575e3d\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll
Filesize
60KB

MD5
d9a1df4f3880d672eb6ec3cc5fbeccdc

SHA1
2059d967cd8020232d509159c67677875cc96b28

SHA256
d2b170e55d6da0a3e951fee4b0792ca49197d202a8cfd62833e141a07154236a

SHA512
dfa866191da584e2e42cdb74886a4f00e32123f296964fb8700bf708cfafc570fbd43a98817b7314c9a1da62a69dc8c4c3a98b4f4b4e0c153b3c7ea535cd8fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e575e3d\CONTROL\office6\qt\plugins\imageformats\qsvg.dll
Filesize
40KB

MD5
e9fec46f673c633c616bb69229ffdaf9

SHA1
71f4939b1f10f0b6c2d380d4a3520805357b4795

SHA256
679c2d3a597101c26c15c276c09fda6f960866e161f43c9e03383e1349ae8ab2

SHA512
6a9c74f5713b9be6363edef617db818e76042d31710af0ab6b73b5cc41dbb766520ef763a85acd19886557a52cdb7e9d31b4fb22f0e0af8c3c4a22f9cc978e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e575e3d\CONTROL\office6\qt\plugins\platforms\qwindows.dll
Filesize
1.3MB

MD5
99fe4c9f4470579dc144d22976da68b1

SHA1
ee23580e22256811fc2e52f877ac9d76556df3da

SHA256
d2373171742130ff41ece33029a6539561f5feca87e6828dd40ec04378e4db5d

SHA512
051614f973440046c61c245dde2fcc8e8bf30d41a6a86ecbf45de7761450b3e2d7caa08c3342ac8aae883fbb2d27661686ea22c38fb137492ce5251eebcb7bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e575e3d\CONTROL\office6\qt\plugins\printsupport\windowsprintersupport.dll
Filesize
60KB

MD5
2f80c65195fac45511183286bbdb072e

SHA1
99a653c49930264c8aa92c5f8f80f54d395ca6e3

SHA256
a0b9f30886f071a9748acc3ad1875de9a0ea3b9a29079cf10f08a2498ae9d67e

SHA512
93d626893e99c35882f6f183509fdf28a937c2b734d49a080da588a85755acaf1904f56bc7509deaee69f2b461a4d8e8bf33b05fa2f4579fc4f115e45cd13aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e575e3d\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll
Filesize
145KB

MD5
469aaf7b34bf53ada013dcb6343641dc

SHA1
0569064a1d7f18dfc64eb4bc18b466fd73a1e082

SHA256
41d3c0d1d52dce77bd30ad9900b5633c10ff34124e1f13bc26d2ea2e0d5423b3

SHA512
ad125a32defeb680fd8e12237c8a831d648808fa2650fec1d3759b0340ca297cf90582db410f39d6757a2e7a10ce3af4f9247fdddeb82ae6a2b1e54ed6865c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e575e3d\CONTROL\office6\ucrtbase.dll
Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e575e3d\CONTROL\pl_PL\style.xml
Filesize
3KB

MD5
034f37e6536c1430d55f64168b7e9f05

SHA1
dd08c0ef0d086dfbe59797990a74dab14fc850e2

SHA256
183a140011774d955e9de189e7a1d53cb4128d6abed61c7bfd5994268ee5f384

SHA512
0e1911c882152a4e1059a3ce1880d7fb2aed1e1e36cbd37055de2e2a1333acb2a0233ba2a4d969ccebbef1e77809aa5e78807aa9239545beae8c548c0f8f35c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e575e3d\CONTROL\product.dat
Filesize
61KB

MD5
5bba5354586689cb44b827bed6b37964

SHA1
77b6e8d6123a3fe4b811931b2f242a85aa04a470

SHA256
18e56f52618b0b616a971f5e0dabbfeb85b33bdb37b2a5662e29c8d2949f344a

SHA512
1e828b213413053631b7eba30469ff35752e6d206a7dad8707ad31916f2559aa9dadc91f14ca92e1d91f866dee92e396c87756366b36e37a861f2fe55640b825

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps_download\d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
Filesize
214.1MB

MD5
b17cae00909c13dba27a244449524ae0

SHA1
37c6f056e0032bf91317b7060f59a963da09cdae

SHA256
9f7d122ebc144dd69c144660104bcbf613088c22a8f173bf5599e9e548c50b74

SHA512
47965047ad86fa725835f3542d3366a412788a1ce7db2c4113f02e4e19708b99c0d7e7c2c99a8340a13fe2fe8c25221eef3cf0a456d0f78c8d8634e000df5de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps_download\d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
Filesize
214.1MB

MD5
b17cae00909c13dba27a244449524ae0

SHA1
37c6f056e0032bf91317b7060f59a963da09cdae

SHA256
9f7d122ebc144dd69c144660104bcbf613088c22a8f173bf5599e9e548c50b74

SHA512
47965047ad86fa725835f3542d3366a412788a1ce7db2c4113f02e4e19708b99c0d7e7c2c99a8340a13fe2fe8c25221eef3cf0a456d0f78c8d8634e000df5de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps_download\d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
Filesize
214.1MB

MD5
b17cae00909c13dba27a244449524ae0

SHA1
37c6f056e0032bf91317b7060f59a963da09cdae

SHA256
9f7d122ebc144dd69c144660104bcbf613088c22a8f173bf5599e9e548c50b74

SHA512
47965047ad86fa725835f3542d3366a412788a1ce7db2c4113f02e4e19708b99c0d7e7c2c99a8340a13fe2fe8c25221eef3cf0a456d0f78c8d8634e000df5de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps_download\d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1052.exe
Filesize
214.1MB

MD5
b17cae00909c13dba27a244449524ae0

SHA1
37c6f056e0032bf91317b7060f59a963da09cdae

SHA256
9f7d122ebc144dd69c144660104bcbf613088c22a8f173bf5599e9e548c50b74

SHA512
47965047ad86fa725835f3542d3366a412788a1ce7db2c4113f02e4e19708b99c0d7e7c2c99a8340a13fe2fe8c25221eef3cf0a456d0f78c8d8634e000df5de3

Download Submit
C:\Users\Admin\AppData\Local\tempinstall.ini
Filesize
368B

MD5
1a5341b03aeb7a919824ecc08754ff2b

SHA1
1cb900f8bfa7739978601f23bac2babd050e189d

SHA256
b37a73785a67bbef6e281d2828a0d3240b7e382c548d104feaa896db706d19b4

SHA512
d99490693d3e3452a680a926cf92c17da986167f29310a093d2ea7d89416185ab85e860a456a5be582e57a0a67ce4598a432c7105bcb9a212c9ca64a61cce961

Download Submit
C:\Users\Admin\AppData\Local\tempinstall.ini
Filesize
414B

MD5
af23c1ed02bc62390a0df7e5fba9edd5

SHA1
f524a8f15e2765456bc8803652b02c5f8e9d93ef

SHA256
0327e21ca13430ae6aceef312ffdabd0a863beb086c6ea5066ee43e254d389a7

SHA512
8c973af23fe078bd4e1ad16672b201a653a14d97ab64590263b6b2885969b372f21b82414a6254732e17a0a79c2912097e86bdfc584426c57a96ea300dc2b078

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6I8ZIA8SGFXX59YK3TNQ.temp
Filesize
9KB

MD5
3bf8a98afc1bd284a370b2f463f7c7f1

SHA1
5777f203ed69d53717a7d6a8ba1d5e2da83523ec

SHA256
94b41c95c3c91e30d2f996b6918abb5afcd01cafa9547cf51d34403a051f91a2

SHA512
d749d2e401094899997a200764755f5915adf2942815297e70c0546ee501208f2ebb83476f7f424db4395b27f7cf52b9ac6bf7864b5fd3d50458db21d7b034ee

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\cfg\onlineconfig.data
Filesize
887KB

MD5
b812ff631ba3997dde5e3220f99526dc

SHA1
1e378aed23baa2a36893e22eff05fd6062291df9

SHA256
d7dd60207816a7e473aecd82be5f217baff59a67a946b822116e04258dbc1a63

SHA512
c0cf30a278a17f7aeda99108addec05f1a0d408303739a25135f8a62342b02ed72b81ca89344304b0e993ebeaf3226b40f8ec01b890b4052409cdf8d1cf81fac

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\ksomisc\ksomisc_2023_05_24.log
Filesize
5KB

MD5
09f3c80fd3fe35bdcd7fafcb465d2101

SHA1
1d3896b31d3e51d0cfeda317b27183ce2432b6a5

SHA256
9c27823441f7bcbad300b0fcf96dd83957e51c91e5b43f7f3c0c1627ae98e7f5

SHA512
05fa9dd6318902c7577883166eb0d77b6590dc2a6d07ad4e414ce6bb4b44fc04e51fef590fe9ef1838032c68dc6e545a082b7938f7a2c0bc4e21aae0cac59129

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
Filesize
33KB

MD5
95d35aa21efbea410d64a79988b0ce90

SHA1
5927cd71f3fc442f9561022e7ad4a2b1e0353d10

SHA256
99483a3740ef37504905afe8afd61b93cec9089863dad320b3f59a585ddc9bdd

SHA512
a9b67338f8106e937782b528a16357b3872793c318314b50fc6087faec40175e3465d8aa65e5df7e992119d1a40d9250d58504e58c88898c9108141739c1f0c6

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
Filesize
33KB

MD5
95d35aa21efbea410d64a79988b0ce90

SHA1
5927cd71f3fc442f9561022e7ad4a2b1e0353d10

SHA256
99483a3740ef37504905afe8afd61b93cec9089863dad320b3f59a585ddc9bdd

SHA512
a9b67338f8106e937782b528a16357b3872793c318314b50fc6087faec40175e3465d8aa65e5df7e992119d1a40d9250d58504e58c88898c9108141739c1f0c6

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
Filesize
33KB

MD5
95d35aa21efbea410d64a79988b0ce90

SHA1
5927cd71f3fc442f9561022e7ad4a2b1e0353d10

SHA256
99483a3740ef37504905afe8afd61b93cec9089863dad320b3f59a585ddc9bdd

SHA512
a9b67338f8106e937782b528a16357b3872793c318314b50fc6087faec40175e3465d8aa65e5df7e992119d1a40d9250d58504e58c88898c9108141739c1f0c6

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
Filesize
34KB

MD5
448174e8449321044784e1c36c394f3b

SHA1
fae1b577943061212a15741350fd555eb0473968

SHA256
a0af48eb976bf099b983c66e5cd41c6354b4fca3faa13b43046c1bd59ef6078f

SHA512
566054ce6253fb7c46d87591b16acc92e754bdaa0ee268422bcbe70fba0aa59c0ed61275b6620cd0e38124b157043621b2bb486658127994945c7e5b47b52ccd

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
Filesize
50KB

MD5
7ee8807ad4ea1f8b723c36920a5fdf4d

SHA1
edb2e23be0e233b4c7c3d9b3909dc66f443b3dbc

SHA256
ffea45b7a2d7a6d26b235fc3a1d7e38caeb0e3697426da0ea6df85ac0d05ff39

SHA512
b416c6cd08f224a55b37146d921b9f20b474ea8c0bfec0d37a8b7b4cfc5f6e3de0703711f397566af1e9a7c6ba162edb146f90e344744d5bbddda892ef59edfa

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
Filesize
70KB

MD5
1de5647e5cfc85194a95711a00d47bdf

SHA1
b12c5dd51c2d9e29cbeb2a0d97e8dd6e0cf6078d

SHA256
f2d80697900c8ac447dd26f7741c6e371f29e083a5c04fcd3be000aa2f457776

SHA512
04c5952ced5fd73b1740d604745133c2f7107fa9a86d54afe1411d9f3f3ed69400697709b4b6edcd554282737c3da77c685b12e9559c7f610b1f7a846c2799aa

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
Filesize
70KB

MD5
1de5647e5cfc85194a95711a00d47bdf

SHA1
b12c5dd51c2d9e29cbeb2a0d97e8dd6e0cf6078d

SHA256
f2d80697900c8ac447dd26f7741c6e371f29e083a5c04fcd3be000aa2f457776

SHA512
04c5952ced5fd73b1740d604745133c2f7107fa9a86d54afe1411d9f3f3ed69400697709b4b6edcd554282737c3da77c685b12e9559c7f610b1f7a846c2799aa

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\11.2.0.11537\plgpack.plgx
Filesize
5KB

MD5
3916cdd02b5cf49461beb93a394c4693

SHA1
c67f93ba4e6432d3645aa4a83760f03584c6ed93

SHA256
96d0de4406b96afbaa9051ecbf6a5d1d9fab60b3c223f9fcb30091d1f236e0ab

SHA512
3ded5cae48ba8ae1f29d3d0e88ae124d0ce09b9c8d3aa6e7f86f168c26ef93954c11d082567026b4440e8c0b5d375f5dde6fba274fcbe16fd1a719eb8b8cc985

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\11.2.0.11537\wpsoffice\plugin.plg
Filesize
8KB

MD5
0c00706ffbc412532793a28c2f1d86dc

SHA1
5fe0c07516b7b6de384163d656f35aeedb4cb6e5

SHA256
3401edb61cf082de20354219b4324ee6997cd1cd5a404fe54c9b83b9e18f8f36

SHA512
fa1917dc0d2137b6468794b40291fbb0e5dc7de5e8348ab5e13e7277b02a6ebc70f99c9ba4ee11aeacae7622e6313c8a85bf793f8e55872052a72ba5e6230f0b

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\dcsdk\dcsdk_eventv3.db
Filesize
12KB

MD5
40c137c0fc0fbbb9b8172138e7ca22e5

SHA1
8816041aea449e7fc866134e66f7845f6be52fe2

SHA256
965eddd9ab3817e01c43ee9913fef279c0c9dfa1fd6ec896717aaaf170707004

SHA512
eb0fe7e27827ee7c12a090b1a43b64914dc479642a9229737c41ef163eea6f466c330c95bd6cc22c76fccaf89f22da17fde65f8c5725552815a5371d5f5e2d4f

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5CoreKso.dll
Filesize
5.0MB

MD5
d470842373eae4d297e6b2b45c6c35c2

SHA1
c0a360cd83a91b44ce6b43fe1c8f722ab0ee44ae

SHA256
aeb99c5e0cd2f44b536abd516da183f99199d0410f2cc4bab018c08747c5619b

SHA512
1db11b312d65673bf7cabe7d6203019e4e05ae7458b5377bbdad832cd553582464a0273786cedea4af063b8e742a0a577aad297365b1b652b926b5c6ff22ff45

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5GuiKso.dll
Filesize
5.3MB

MD5
267a544673fa4f20e216c1f40480f559

SHA1
bbf8d6eedbf189730fbc1026ab5309e1632adf0e

SHA256
e38432b64ffd423da056818f9937b6b37f75a3239622b8e6c71e47d80350446b

SHA512
96e769ef61c522ef2a21d238eee2aa6d866f85904a0140c62ecdf58620188f2e248c4f821cc3a3b6d4e7a6476e779d80d2bf4f144fc21ca01f8a29022fbdc662

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5NetworkKso.dll
Filesize
1.1MB

MD5
053fd4e50054419244764f69003d6eb4

SHA1
b3faade6961ac4945d4661a375331026d4e895bc

SHA256
25445c156807414d04e5d2ec2bf2c0dfcf7284bd19a52d96dc5869cda16e39f7

SHA512
6cde8af0e0d226ae5d56b64150ceff4a1d648369f8a73dd306f415b1c0e5fa7e4e04ab5b8349cff34a0fbc0952d227e2299c3bd2e4f8cce52672ba2af266d757

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5SvgKso.dll
Filesize
363KB

MD5
b5766985090bf271cf853dfda5015efe

SHA1
3354c768373c40ff75ac8caa6ae474b21dd4d32f

SHA256
3fcfc50b5c42206442b66cff3f47f9c78627a325edd5a29aa70820f355345537

SHA512
6b279705f779a30db0029f568879b2aeae97c0499753fc57c45d103081f71658ee95b7698a9e0183ce6be1dba1b42adff93a5b57108034e337a9287e3990dce3

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5WidgetsKso.dll
Filesize
4.4MB

MD5
c10ebd510045643f3ab7f999b9a41e72

SHA1
cd437fdef5cd12a309ff64ac3be0dd7e11e3b776

SHA256
5e40b53733105e98ad2914bfb2f0dda52e3b9b3c87d82bf4ff092f1bed25cd13

SHA512
e20e77f54194de3552ee0327083f411644efdb25fb43e2363dd6edcbb9c39dad5064be6dfffe415689569feb11f2e8585369505582b6dc08480395cf2ec12a17

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5WinExtrasKso.dll
Filesize
392KB

MD5
b1cfe29f66b39644369276b8014915b3

SHA1
a572ed3b9f7de4a0aeaef0a745fb62f6e2ae9b4e

SHA256
7ed3c859399f4753789f79a2e25b8462268bbd59091a2ac456e36e1e153c214b

SHA512
f151ef444bdc7881c779e6a1c45d91d6ab1e18d8aa3aacf3365ce75dab69ee9a1d88be5ad7f5cdaa28405daf784cf44d35b22b559ba5124baed03ffd64f6d08a

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5XmlKso.dll
Filesize
169KB

MD5
7bb955e6013146cecfe90212d5ae3769

SHA1
d9d7f0afe1c77e30ec9b7d70a8a81d9c201c9f8d

SHA256
17c5ec9b2778f0b4cbaf51c23395f089b6fd8fddddc1e416b047402cc0c1427a

SHA512
dd2f5f1872ef5a3a139524833a1d60f6da47b81762bb6212c44e8b38744805d79e56fac314196cba6ab7e5e898e06a29b51525c05e28898587d77a1cd073f600

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\kdownload.dll
Filesize
311KB

MD5
dcdde7244d1b772e21f6489d37188e6b

SHA1
6cef9cbcca531b2c0c5b6f9a8a270b832795642f

SHA256
f164962f331bae4f4b685d4afe3ad2b008204e1951f7e14c6573855d0ebcc7c9

SHA512
d8dc2feabe2011a0e0eccbb8a6f462266e1f6e47ef1377c184a56542a4e42f15a25227320568f718cad9af30e2dffaf2d470e7551f2c986e91b71ec74e6553ec

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\kprometheus.dll
Filesize
5.6MB

MD5
2fe8bbde8734932f3fde6e783e23359a

SHA1
21ddcf4f44519d7c0043996d7cf5ceafffa920bc

SHA256
cee30f62105e6031aa5cbea020ed121229de92cc1e1669cbcd553f4516984d24

SHA512
d40b9c363db4a7e5921c24a1dfee64bdf25bb52c76772d0bb0b77a2ed440a5f59b06499451819c8196ce89b7878d6d5ac8767672fcff487de467e953e6eafd2a

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\kso.dll
Filesize
47.4MB

MD5
a9c34cad93f6e5515210e8db49a4e3bd

SHA1
c3a38b31bb15da65f985d4c4f4e924a9d3fc5b67

SHA256
67bd3a19a9fb81f1ade05f14ceaafc11b8a48caa0e379c6b75c32cc71952a271

SHA512
db2849787ced44dcc79011853ad3a3defa194c9c26eefed770cb4584a226806421a8a6c14670236b115d007c71e7b62e6f4482b23aa097c28f743ce917f69700

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksolite.dll
Filesize
6.3MB

MD5
80d18e1d21d5ec6fbfcf0dc99bdab283

SHA1
e8bc291190c66627fd2cb816cfb2bbcadb0d8472

SHA256
fa75536a0ec7eda04414ff7b7d396c4fa9fec167d49a9a71d6c12db7148e1ee4

SHA512
198ea8b26b411bf5f09d3d3cf16beeeebf225438e07ae44330e1448695b200cfd2046c9d5797e1eb3d9f35bacec607843401a93235dde6eebf0931636e2bcd67

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksolite.dll
Filesize
6.3MB

MD5
80d18e1d21d5ec6fbfcf0dc99bdab283

SHA1
e8bc291190c66627fd2cb816cfb2bbcadb0d8472

SHA256
fa75536a0ec7eda04414ff7b7d396c4fa9fec167d49a9a71d6c12db7148e1ee4

SHA512
198ea8b26b411bf5f09d3d3cf16beeeebf225438e07ae44330e1448695b200cfd2046c9d5797e1eb3d9f35bacec607843401a93235dde6eebf0931636e2bcd67

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksqlite3.dll
Filesize
93KB

MD5
37e9c45be7dab5edb8a688eeb7226596

SHA1
deb2156782f3779ebe3e46a1553c4c9e59812543

SHA256
c5ddf10af2fa94f82ce17ed4233e6471b8822cd07ec8da4485262dd6e6ff2e58

SHA512
6315b1c9ba1cdf2d053d63818b98e9169ce5610dbf4949ef8a7f2dbbe6b4999f1cd87ac4f29c4b80949054b95c443ef18405b9fee3d233fe7bac9dd302609667

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\libcrypto-1_1.dll
Filesize
2.6MB

MD5
bc15924af953c636da638628e2f3a9fc

SHA1
f6e74e30ac71da1ab060d2932f8a6ed1193117c1

SHA256
4c37434b5bca66fa15611033e6f9c3b7cae709effeba4f67c97b3fc419f81ca7

SHA512
ac8283ff1676cf1d2c1bb2a914952ea8e7a6e9f9baabf25523160d5e0830ae2526fe5902dc71c8d2f6e6a07c5bed201372317b002fdbd9af77718931ea93f7b2

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\libcurl.dll
Filesize
441KB

MD5
1297a89f05998ce8434f7f6ecee52ba4

SHA1
3bfdc4e792227d9488c2b14811df8e90c9e7f412

SHA256
dc21fe3457e66571d22da1683ac8ed36a78ae22e1f6d856b789e89e9fe5746f2

SHA512
11221217ef0b9dbb8dc05eec340f28d95404e6bf3e75a864ef0683df1668231d2480e6cd96196fa96935477b82b3f83d9022cf27fc9a7b927537581f6664337f

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\msvcp140.dll
Filesize
439KB

MD5
5fd0772c30a923159055e87395f96d86

SHA1
4a20f687c84eb327e3cb7a4a60fe597666607cf3

SHA256
02c7259456eac8cbadfb460377ba68e98282400c7a4a9d0bf49b3313ef6d554d

SHA512
132a9b969104c0a214bde3f8c6e8f754d116cecdad55224bbea7a40cffd98f4e4de503d83d92cca0aaab9ed51c9efa00ad5caed69a9eda71013598a43b161c3a

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\msvcp140_codecvt_ids.dll
Filesize
25KB

MD5
932652ebb62a944bcfb1322aa5719279

SHA1
af78fc029a9f5b945fe4d297de05e92dbc001f1c

SHA256
eff976b258d01ccc8ceb029ff19b90796294382ddb91dc582405245925721585

SHA512
e575a69189c1ad905fe05204ac08920b52b3787c4a48ee1b918b2c7c0fc01ee7a5ab768a10c664c0fdefabea34b18534c66df172ba5ccbd018a6b205c8469fa6

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\vcruntime140.dll
Filesize
81KB

MD5
e51018e4985943c51ff91471f8906504

SHA1
5899aaccdb692dbdffdaa35436c47d17c130cfd0

SHA256
ff9c1123cff493a8f5eacb91115611b6c1c808b30c82af9b6f388c0ef1f6b46d

SHA512
2fe5ddad2100aeaea35398384a440ba0be169ef429f7e0b69687bc0f8865df41bc93fc80d3a8f0ddd9df54fc2f2d76b1056a1d1962d37432704c818128ffbd74

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\vcruntime140.dll
Filesize
81KB

MD5
e51018e4985943c51ff91471f8906504

SHA1
5899aaccdb692dbdffdaa35436c47d17c130cfd0

SHA256
ff9c1123cff493a8f5eacb91115611b6c1c808b30c82af9b6f388c0ef1f6b46d

SHA512
2fe5ddad2100aeaea35398384a440ba0be169ef429f7e0b69687bc0f8865df41bc93fc80d3a8f0ddd9df54fc2f2d76b1056a1d1962d37432704c818128ffbd74

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~e575e3d\CONTROL\office6\Qt5CoreKso.dll
Filesize
5.0MB

MD5
d470842373eae4d297e6b2b45c6c35c2

SHA1
c0a360cd83a91b44ce6b43fe1c8f722ab0ee44ae

SHA256
aeb99c5e0cd2f44b536abd516da183f99199d0410f2cc4bab018c08747c5619b

SHA512
1db11b312d65673bf7cabe7d6203019e4e05ae7458b5377bbdad832cd553582464a0273786cedea4af063b8e742a0a577aad297365b1b652b926b5c6ff22ff45

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~e575e3d\CONTROL\office6\Qt5CoreKso.dll
Filesize
5.0MB

MD5
d470842373eae4d297e6b2b45c6c35c2

SHA1
c0a360cd83a91b44ce6b43fe1c8f722ab0ee44ae

SHA256
aeb99c5e0cd2f44b536abd516da183f99199d0410f2cc4bab018c08747c5619b

SHA512
1db11b312d65673bf7cabe7d6203019e4e05ae7458b5377bbdad832cd553582464a0273786cedea4af063b8e742a0a577aad297365b1b652b926b5c6ff22ff45

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~e575e3d\CONTROL\office6\Qt5GuiKso.dll
Filesize
5.3MB

MD5
267a544673fa4f20e216c1f40480f559

SHA1
bbf8d6eedbf189730fbc1026ab5309e1632adf0e

SHA256
e38432b64ffd423da056818f9937b6b37f75a3239622b8e6c71e47d80350446b

SHA512
96e769ef61c522ef2a21d238eee2aa6d866f85904a0140c62ecdf58620188f2e248c4f821cc3a3b6d4e7a6476e779d80d2bf4f144fc21ca01f8a29022fbdc662

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~e575e3d\CONTROL\office6\Qt5SvgKso.dll
Filesize
363KB

MD5
b5766985090bf271cf853dfda5015efe

SHA1
3354c768373c40ff75ac8caa6ae474b21dd4d32f

SHA256
3fcfc50b5c42206442b66cff3f47f9c78627a325edd5a29aa70820f355345537

SHA512
6b279705f779a30db0029f568879b2aeae97c0499753fc57c45d103081f71658ee95b7698a9e0183ce6be1dba1b42adff93a5b57108034e337a9287e3990dce3

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~e575e3d\CONTROL\office6\Qt5WidgetsKso.dll
Filesize
4.4MB

MD5
c10ebd510045643f3ab7f999b9a41e72

SHA1
cd437fdef5cd12a309ff64ac3be0dd7e11e3b776

SHA256
5e40b53733105e98ad2914bfb2f0dda52e3b9b3c87d82bf4ff092f1bed25cd13

SHA512
e20e77f54194de3552ee0327083f411644efdb25fb43e2363dd6edcbb9c39dad5064be6dfffe415689569feb11f2e8585369505582b6dc08480395cf2ec12a17

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~e575e3d\CONTROL\office6\Qt5WinExtrasKso.dll
Filesize
392KB

MD5
b1cfe29f66b39644369276b8014915b3

SHA1
a572ed3b9f7de4a0aeaef0a745fb62f6e2ae9b4e

SHA256
7ed3c859399f4753789f79a2e25b8462268bbd59091a2ac456e36e1e153c214b

SHA512
f151ef444bdc7881c779e6a1c45d91d6ab1e18d8aa3aacf3365ce75dab69ee9a1d88be5ad7f5cdaa28405daf784cf44d35b22b559ba5124baed03ffd64f6d08a

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~e575e3d\CONTROL\office6\kpacketui.dll
Filesize
2.9MB

MD5
f48c0dc24aa44869350b4e43879dd073

SHA1
4d219d304ca26f8ad5c81ef5f3abb713a6db861b

SHA256
11b3926d25811fe0275254b3de20a0a6819de1f3dabd5c89cbf9661a9fbb88bb

SHA512
8c65b8b1af3320739f465fae2eb4d417f832ed9de7d260a9d13e776ed06570397f34444a6f745b59bae2133dc1f67459c689f02db0791878433643c373d3db80

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~e575e3d\CONTROL\office6\msvcp140.dll
Filesize
439KB

MD5
5fd0772c30a923159055e87395f96d86

SHA1
4a20f687c84eb327e3cb7a4a60fe597666607cf3

SHA256
02c7259456eac8cbadfb460377ba68e98282400c7a4a9d0bf49b3313ef6d554d

SHA512
132a9b969104c0a214bde3f8c6e8f754d116cecdad55224bbea7a40cffd98f4e4de503d83d92cca0aaab9ed51c9efa00ad5caed69a9eda71013598a43b161c3a

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~e575e3d\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll
Filesize
60KB

MD5
d9a1df4f3880d672eb6ec3cc5fbeccdc

SHA1
2059d967cd8020232d509159c67677875cc96b28

SHA256
d2b170e55d6da0a3e951fee4b0792ca49197d202a8cfd62833e141a07154236a

SHA512
dfa866191da584e2e42cdb74886a4f00e32123f296964fb8700bf708cfafc570fbd43a98817b7314c9a1da62a69dc8c4c3a98b4f4b4e0c153b3c7ea535cd8fd0

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~e575e3d\CONTROL\office6\qt\plugins\imageformats\qsvg.dll
Filesize
40KB

MD5
e9fec46f673c633c616bb69229ffdaf9

SHA1
71f4939b1f10f0b6c2d380d4a3520805357b4795

SHA256
679c2d3a597101c26c15c276c09fda6f960866e161f43c9e03383e1349ae8ab2

SHA512
6a9c74f5713b9be6363edef617db818e76042d31710af0ab6b73b5cc41dbb766520ef763a85acd19886557a52cdb7e9d31b4fb22f0e0af8c3c4a22f9cc978e7a

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~e575e3d\CONTROL\office6\qt\plugins\platforms\qwindows.dll
Filesize
1.3MB

MD5
99fe4c9f4470579dc144d22976da68b1

SHA1
ee23580e22256811fc2e52f877ac9d76556df3da

SHA256
d2373171742130ff41ece33029a6539561f5feca87e6828dd40ec04378e4db5d

SHA512
051614f973440046c61c245dde2fcc8e8bf30d41a6a86ecbf45de7761450b3e2d7caa08c3342ac8aae883fbb2d27661686ea22c38fb137492ce5251eebcb7bbd

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~e575e3d\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll
Filesize
145KB

MD5
469aaf7b34bf53ada013dcb6343641dc

SHA1
0569064a1d7f18dfc64eb4bc18b466fd73a1e082

SHA256
41d3c0d1d52dce77bd30ad9900b5633c10ff34124e1f13bc26d2ea2e0d5423b3

SHA512
ad125a32defeb680fd8e12237c8a831d648808fa2650fec1d3759b0340ca297cf90582db410f39d6757a2e7a10ce3af4f9247fdddeb82ae6a2b1e54ed6865c78

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~e575e3d\CONTROL\office6\ucrtbase.dll
Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~e575e3d\CONTROL\office6\vcruntime140.dll
Filesize
81KB

MD5
e51018e4985943c51ff91471f8906504

SHA1
5899aaccdb692dbdffdaa35436c47d17c130cfd0

SHA256
ff9c1123cff493a8f5eacb91115611b6c1c808b30c82af9b6f388c0ef1f6b46d

SHA512
2fe5ddad2100aeaea35398384a440ba0be169ef429f7e0b69687bc0f8865df41bc93fc80d3a8f0ddd9df54fc2f2d76b1056a1d1962d37432704c818128ffbd74

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~e575e3d\CONTROL\office6\vcruntime140.dll
Filesize
81KB

MD5
e51018e4985943c51ff91471f8906504

SHA1
5899aaccdb692dbdffdaa35436c47d17c130cfd0

SHA256
ff9c1123cff493a8f5eacb91115611b6c1c808b30c82af9b6f388c0ef1f6b46d

SHA512
2fe5ddad2100aeaea35398384a440ba0be169ef429f7e0b69687bc0f8865df41bc93fc80d3a8f0ddd9df54fc2f2d76b1056a1d1962d37432704c818128ffbd74

Download Submit
memory/212-5109-0x000000006E5E0000-0x000000006E5F0000-memory.dmp

Filesize
64KB

Download
memory/436-5055-0x000000006C590000-0x000000006F53C000-memory.dmp

Filesize
47.7MB

Download
memory/516-4572-0x00000000041A0000-0x00000000041B0000-memory.dmp

Filesize
64KB

Download
memory/516-4569-0x000000006C420000-0x000000006F3CC000-memory.dmp

Filesize
47.7MB

Download
memory/788-5011-0x000000006BEE0000-0x000000006EE8C000-memory.dmp

Filesize
47.7MB

Download
memory/828-5067-0x000000006C590000-0x000000006F53C000-memory.dmp

Filesize
47.7MB

Download
memory/992-5125-0x000000006BEE0000-0x000000006EE8C000-memory.dmp

Filesize
47.7MB

Download
memory/1756-5170-0x000000006BEE0000-0x000000006EE8C000-memory.dmp

Filesize
47.7MB

Download
memory/2064-4633-0x000000006C120000-0x000000006F0CC000-memory.dmp

Filesize
47.7MB

Download
memory/2088-5105-0x000000006BEE0000-0x000000006EE8C000-memory.dmp

Filesize
47.7MB

Download
memory/2160-4994-0x000000006C420000-0x000000006F3CC000-memory.dmp

Filesize
47.7MB

Download
memory/2316-4606-0x000000006C420000-0x000000006F3CC000-memory.dmp

Filesize
47.7MB

Download
memory/2440-4653-0x000000006C420000-0x000000006F3CC000-memory.dmp

Filesize
47.7MB

Download
memory/2496-5038-0x000000006BEE0000-0x000000006EE8C000-memory.dmp

Filesize
47.7MB

Download
memory/2716-4935-0x000000006C420000-0x000000006F3CC000-memory.dmp

Filesize
47.7MB

Download
memory/3080-4904-0x000000006C420000-0x000000006F3CC000-memory.dmp

Filesize
47.7MB

Download
memory/3476-4909-0x000000006C420000-0x000000006F3CC000-memory.dmp

Filesize
47.7MB

Download
memory/3648-5111-0x00007FF80BB70000-0x00007FF80BB80000-memory.dmp

Filesize
64KB

Download
memory/3672-5098-0x000000006C590000-0x000000006F53C000-memory.dmp

Filesize
47.7MB

Download
memory/4184-5090-0x000000006C590000-0x000000006F53C000-memory.dmp

Filesize
47.7MB

Download
memory/4252-4758-0x000000006C420000-0x000000006F3CC000-memory.dmp

Filesize
47.7MB

Download
memory/4324-5023-0x000000006BEE0000-0x000000006EE8C000-memory.dmp

Filesize
47.7MB

Download
memory/4412-4563-0x0000000037410000-0x0000000037420000-memory.dmp

Filesize
64KB

Download
memory/4412-4562-0x000000006D300000-0x00000000702AC000-memory.dmp

Filesize
47.7MB

Download
memory/4460-4753-0x000000006C420000-0x000000006F3CC000-memory.dmp

Filesize
47.7MB

Download
memory/4472-4625-0x000000006E5E0000-0x000000006E5F0000-memory.dmp

Filesize
64KB

Download
memory/4472-4624-0x000000006E560000-0x000000006E570000-memory.dmp

Filesize
64KB

Download
memory/4476-4626-0x00007FF80BBD0000-0x00007FF80BBE0000-memory.dmp

Filesize
64KB

Download
memory/4476-4627-0x00007FF80BB70000-0x00007FF80BB80000-memory.dmp

Filesize
64KB

Download
memory/4684-4900-0x000000006C420000-0x000000006F3CC000-memory.dmp

Filesize
47.7MB

Download
memory/4720-5119-0x000000006C440000-0x000000006F3EC000-memory.dmp

Filesize
47.7MB

Download
memory/4776-4905-0x000000006C420000-0x000000006F3CC000-memory.dmp

Filesize
47.7MB

Download
memory/4964-4963-0x000000006C420000-0x000000006F3CC000-memory.dmp

Filesize
47.7MB

Download