c07410c7c7108058993f52d95904ae107860de37c65eec124d08f96ecb68dd6d

Analysis

max time kernel
141s
max time network
152s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
01/07/2023, 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wps_office_inst.exe
Size

5.3MB
MD5

44a568a2dc9f9ac1347e9ac1a0ccae99
SHA1

cd90bd84343455885178d6e0f4de62b72c28bd91
SHA256

c07410c7c7108058993f52d95904ae107860de37c65eec124d08f96ecb68dd6d
SHA512

513e96a767e34a50ba0e1be87e21771c8c1a855666a8a50e1136acf381aebde87711507a3d997c325839218dbee3775e8c5ebff41d9a2af9a62381b8d5f74fc5
SSDEEP

98304:rG68SvphgXraN+zRe1fuiEkdizoG5+x3dA3U/5Cdnx/7G4Dh:rLvphgLzReC18IS3d+g5C1ZV

Score

6^/10

bootkit discovery evasion persistence trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wpscloudsvr.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
File opened for modification	\??\PhysicalDrive0	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
File opened for modification	\??\PhysicalDrive0	ksomisc.exe
File opened for modification	\??\PhysicalDrive0	wps_office_inst.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Control Panel\International\Geo\Nation	wps_office_inst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Control Panel\International\Geo\Nation	ksomisc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe

Executes dropped EXE 6 IoCs

pid	Process
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
2040	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
2004	ksomisc.exe
980	ksomisc.exe
1756	wpscloudsvr.exe
548	ksomisc.exe

Loads dropped DLL 64 IoCs

pid	Process
920	wps_office_inst.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
2040	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe
2004	ksomisc.exe

Registers COM server for autorun 1 TTPs 31 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{00020906-0000-4b30-A977-D214852036FF}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{44720444-94BF-4940-926D-4F38FECF2A48}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\11.2.0.11537\\office6\\wps.exe\" /prometheus /wpp"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32\	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{0002CE21-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\11.2.0.11537\\office6\\mui\\default\\resource\\ksee\\EqnEdit.exe"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{000209FF-0000-4b30-A977-D214852036FF}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{91493443-94BF-4940-926D-4F38FECF2A48}\InprocServer32\	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{000209F0-0000-4b30-A977-D214852036FF}\InprocServer32\	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{000209F0-0000-4b30-A977-D214852036FF}\InprocServer32\Class	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{91493443-94BF-4940-926D-4F38FECF2A48}\InprocServer32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{45540001-5750-5300-4B49-4E47534F4655}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\11.2.0.11537\\office6\\wps.exe\" /prometheus /et /Automation"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{45540003-5750-5300-4B49-4E47534F4655}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\11.2.0.11537\\office6\\wps.exe\" /prometheus /et"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{0002CE21-0000-0000-C000-000000000046}\LocalServer32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{000209F0-0000-4b30-A977-D214852036FF}\InprocServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{000209FF-0000-4b30-A977-D214852036FF}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\11.2.0.11537\\office6\\wps.exe\" /prometheus /wps /Automation"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{91493443-94BF-4940-926D-4F38FECF2A48}\InprocServer32\Class\ = "WPS.Office.Interop.Wpp.GlobalClass"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32\Class\ = "WPS.Office.Interop.Et.GlobalClass"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{45540001-5750-5300-4B49-4E47534F4655}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{000209F0-0000-4b30-A977-D214852036FF}\InprocServer32\Class\ = "WPS.Office.Interop.Wps.GlobalClass.9"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{44720441-94BF-4940-926D-4F38FECF2A48}\LocalServer32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{45540003-5750-5300-4B49-4E47534F4655}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\11.2.0.11537\\office6\\refedit.dll"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\11.2.0.11537\\office6\\refedit.dll"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\11.2.0.11537\\office6\\wps.exe\" /prometheus /et /Automation"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{00020906-0000-4b30-A977-D214852036FF}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\11.2.0.11537\\office6\\wps.exe\" /prometheus /wps"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{91493443-94BF-4940-926D-4F38FECF2A48}\InprocServer32\Class	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{44720441-94BF-4940-926D-4F38FECF2A48}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\11.2.0.11537\\office6\\wps.exe\" /prometheus /wpp /Automation"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{44720444-94BF-4940-926D-4F38FECF2A48}\LocalServer32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32\Class	ksomisc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{E436987E-F427-4AD7-8738-6D0895A3E93F}"	ksomisc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}	ksomisc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024"	ksomisc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{AB5357A7-3179-47F9-A705-966B8B936D5E}"	ksomisc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}	ksomisc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024"	ksomisc.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
Key created	\REGISTRY\USER\S-1-5-20	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{0002093A-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{0002093F-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{000209C9-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{2A852479-3632-4FD3-AF9D-ED2E6D8EC3FD}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{9CCCB867-9440-4240-AC05-2F37C6DBA860}\TypeLib	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{0002E160-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{000C0333-0000-0000-C000-000000000046}\TypeLib\Version = "63.1"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{000C0338-0000-0000-C000-000000000046}\TypeLib\Version = "63.1"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{000C0334-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{DD947D72-F33C-4198-9BDF-F86181D05E41}\ = "Editor"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{C13F9FD9-3617-491D-B0B5-D499CD64AD2D}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{00020881-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{000C03CA-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{000244A5-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{00024406-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{000C03BB-0000-0000-C000-000000000046}\ = "TabStop2"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{914934C7-5A91-11CF-8700-00AA0060263B}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{00020846-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{00024428-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{0002445E-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{000244D9-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{5C04BD93-2F3F-4668-918D-9738EC901039}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{53FACA33-DB22-473F-BB51-96C2C86C9304}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{000209B7-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{914934DE-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{000208D9-0000-0000-C000-000000000046}\ = "_Global"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{F258DE05-C41B-4C33-A778-F0D3F98CEEB3}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{000209BD-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{DF076FDE-8781-4051-A5BC-99F6B7DC04D4}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{A36438B9-CC73-4D92-B7A2-60B9E4F161E9}\ = "IWORDCtrlExtender"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{92D41A61-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{000209A8-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{000C03B9-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{000C0372-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{0002092E-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\KWPP.Presentation\CurVer\ = "KWPP.Presentation.9"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{00024439-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{00024404-0000-0000-C000-000000000046}\ = "HPageBreaks"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{000C0301-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{000CDB06-0000-0000-C000-000000000046}\TypeLib\Version = "63.1"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{00020962-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{00020937-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{000208CD-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\KWPS.Document.9	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{000C0324-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\KET.Workbook.9\CLSID	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{000C03D3-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{00020992-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{000208DA-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{000C0396-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{000209A9-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{914934D6-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{00024466-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{000C03E1-0000-0000-C000-000000000046}\ = "PickerFields"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{0002441C-0000-0000-C000-000000000046}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{0002089B-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{6215E4B1-545A-406E-9824-0A5B5AC8AD21}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{00020915-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{0002097E-0000-0000-C000-000000000046}\ = "AddIn"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{727B38C4-2E61-429C-B535-9C11E24217BA}\TypeLib\Version = "1.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{92D41A51-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "FileConverter"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{000208A6-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{0002098A-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{000C172E-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	wps_office_inst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	wps_office_inst.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
2004	ksomisc.exe
980	ksomisc.exe
548	ksomisc.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
920	wps_office_inst.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
2040	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
2040	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
2040	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
2004	ksomisc.exe
980	ksomisc.exe
1756	wpscloudsvr.exe
548	ksomisc.exe
548	ksomisc.exe
548	ksomisc.exe
548	ksomisc.exe
548	ksomisc.exe
548	ksomisc.exe
548	ksomisc.exe
548	ksomisc.exe
548	ksomisc.exe
548	ksomisc.exe
548	ksomisc.exe
548	ksomisc.exe
548	ksomisc.exe
548	ksomisc.exe
548	ksomisc.exe
548	ksomisc.exe
548	ksomisc.exe
548	ksomisc.exe
548	ksomisc.exe
548	ksomisc.exe
548	ksomisc.exe
548	ksomisc.exe
548	ksomisc.exe
544	regsvr32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
Token: SeRestorePrivilege	1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
Token: SeRestorePrivilege	1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
Token: SeRestorePrivilege	1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
Token: SeRestorePrivilege	1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
Token: SeDebugPrivilege	2004	ksomisc.exe
Token: SeDebugPrivilege	980	ksomisc.exe
Token: SeDebugPrivilege	548	ksomisc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
2004	ksomisc.exe
980	ksomisc.exe
980	ksomisc.exe
980	ksomisc.exe
548	ksomisc.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 1536	920	wps_office_inst.exe	27
PID 920 wrote to memory of 1536	920	wps_office_inst.exe	27
PID 920 wrote to memory of 1536	920	wps_office_inst.exe	27
PID 920 wrote to memory of 1536	920	wps_office_inst.exe	27
PID 920 wrote to memory of 1536	920	wps_office_inst.exe	27
PID 920 wrote to memory of 1536	920	wps_office_inst.exe	27
PID 920 wrote to memory of 1536	920	wps_office_inst.exe	27
PID 2040 wrote to memory of 2004	2040	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe	29
PID 2040 wrote to memory of 2004	2040	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe	29
PID 2040 wrote to memory of 2004	2040	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe	29
PID 2040 wrote to memory of 2004	2040	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe	29
PID 2040 wrote to memory of 980	2040	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe	30
PID 2040 wrote to memory of 980	2040	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe	30
PID 2040 wrote to memory of 980	2040	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe	30
PID 2040 wrote to memory of 980	2040	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe	30
PID 1536 wrote to memory of 1756	1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe	31
PID 1536 wrote to memory of 1756	1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe	31
PID 1536 wrote to memory of 1756	1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe	31
PID 1536 wrote to memory of 1756	1536	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe	31
PID 2040 wrote to memory of 548	2040	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe	32
PID 2040 wrote to memory of 548	2040	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe	32
PID 2040 wrote to memory of 548	2040	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe	32
PID 2040 wrote to memory of 548	2040	d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe	32
PID 548 wrote to memory of 544	548	ksomisc.exe	33
PID 548 wrote to memory of 544	548	ksomisc.exe	33
PID 548 wrote to memory of 544	548	ksomisc.exe	33
PID 548 wrote to memory of 544	548	ksomisc.exe	33
PID 548 wrote to memory of 544	548	ksomisc.exe	33
PID 548 wrote to memory of 544	548	ksomisc.exe	33
PID 548 wrote to memory of 544	548	ksomisc.exe	33

C:\Users\Admin\AppData\Local\Temp\wps_office_inst.exe
"C:\Users\Admin\AppData\Local\Temp\wps_office_inst.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:920
- C:\Users\Admin\AppData\Local\Temp\wps_download\d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
  "C:\Users\Admin\AppData\Local\Temp\wps_download\d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe" -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -createIcons -curlangofinstalledproduct=en_US -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
    "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService
    3⤵
    - Checks whether UAC is enabled
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1756
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe" groupCmd=LXJlZ210Zm9udA==##LXNldGFwcGNhcA==
    3⤵
    PID:2152

C:\Users\Admin\AppData\Local\Temp\wps_download\d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe
"C:\Users\Admin\AppData\Local\Temp\wps_download\d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe" -downpower -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -createIcons -curlangofinstalledproduct="en_US" -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -msgwndname=wpssetup_message_6CF7F6 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\
1⤵
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe" -setlng en_US
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2004
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe" groupCmd=LWdldG9ubGluZXBhcmFtIDAwNjAxLjAwMDAxMDk4IC1mb3JjZXBlcnVzZXJtb2Rl##LWdldGFidGVzdCAtZm9yY2VwZXJ1c2VybW9kZQ==
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:980
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe" groupCmd=LXNldHNlcnZlcnM=##LXJlZ2lzdGVy
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Registers COM server for autorun
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\kmso2pdfplugins.dll"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:544
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\kmso2pdfplugins64.dll"
    3⤵
    PID:1444
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\kmso2pdfplugins64.dll"
      4⤵
      PID:2060
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\addons\html2pdf\html2pdf.dll" /s
    3⤵
    PID:2072
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe" groupCmd=LUFzc293b3Jk##LUFzc29leGNlbA==##LUFzc29wb3dlcnBudA==##LWNvbXBhdGlibGVtc28=##LWNoZWNrY29tcGF0aWJsZW1zbw==##LXNhdmVhc19tc28=##LWRpc3RzcmMgMDA2MDEuMDAwMDEwOTg=
  2⤵
  PID:2280
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe" -sendinstalldyn 5
  2⤵
  PID:2688
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe" groupCmd=LWNyZWF0ZWV4dGVybnN0YXJ0bWVudSAiV1BTIE9mZmljZSI=##LXVwZGF0ZXRhc2tiYXJwaW4gMTA0ODU3NiAtZm9yY2VwZXJ1c2VybW9kZQ==
  2⤵
  PID:2984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe

Filesize
1.0MB

MD5
b62c12e4caf4eafc3e96e4d1f2b30dd6

SHA1
99aa90d49b27e5be7f2bb7103363d863a749beb0

SHA256
7ef0b1748762e32a6d99bd73fc2868d668191034a2e90d929d93fd12bb2f0bc3

SHA512
bea5d1e856cd6c1813c6412b83d087dd4b7ff6b4c58bb1b77aa1146e2f19bdf4c51bcfddc4df1bc044b5784590ca23a38efafad7124b9f85938f422c30dff54b

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\MSVCP140.dll

Filesize
439KB

MD5
5fd0772c30a923159055e87395f96d86

SHA1
4a20f687c84eb327e3cb7a4a60fe597666607cf3

SHA256
02c7259456eac8cbadfb460377ba68e98282400c7a4a9d0bf49b3313ef6d554d

SHA512
132a9b969104c0a214bde3f8c6e8f754d116cecdad55224bbea7a40cffd98f4e4de503d83d92cca0aaab9ed51c9efa00ad5caed69a9eda71013598a43b161c3a

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5CoreKso.dll

Filesize
5.0MB

MD5
d470842373eae4d297e6b2b45c6c35c2

SHA1
c0a360cd83a91b44ce6b43fe1c8f722ab0ee44ae

SHA256
aeb99c5e0cd2f44b536abd516da183f99199d0410f2cc4bab018c08747c5619b

SHA512
1db11b312d65673bf7cabe7d6203019e4e05ae7458b5377bbdad832cd553582464a0273786cedea4af063b8e742a0a577aad297365b1b652b926b5c6ff22ff45

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5GuiKso.dll

Filesize
5.3MB

MD5
267a544673fa4f20e216c1f40480f559

SHA1
bbf8d6eedbf189730fbc1026ab5309e1632adf0e

SHA256
e38432b64ffd423da056818f9937b6b37f75a3239622b8e6c71e47d80350446b

SHA512
96e769ef61c522ef2a21d238eee2aa6d866f85904a0140c62ecdf58620188f2e248c4f821cc3a3b6d4e7a6476e779d80d2bf4f144fc21ca01f8a29022fbdc662

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5SvgKso.dll

Filesize
363KB

MD5
b5766985090bf271cf853dfda5015efe

SHA1
3354c768373c40ff75ac8caa6ae474b21dd4d32f

SHA256
3fcfc50b5c42206442b66cff3f47f9c78627a325edd5a29aa70820f355345537

SHA512
6b279705f779a30db0029f568879b2aeae97c0499753fc57c45d103081f71658ee95b7698a9e0183ce6be1dba1b42adff93a5b57108034e337a9287e3990dce3

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5WinExtrasKso.dll

Filesize
392KB

MD5
b1cfe29f66b39644369276b8014915b3

SHA1
a572ed3b9f7de4a0aeaef0a745fb62f6e2ae9b4e

SHA256
7ed3c859399f4753789f79a2e25b8462268bbd59091a2ac456e36e1e153c214b

SHA512
f151ef444bdc7881c779e6a1c45d91d6ab1e18d8aa3aacf3365ce75dab69ee9a1d88be5ad7f5cdaa28405daf784cf44d35b22b559ba5124baed03ffd64f6d08a

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5XmlKso.dll

Filesize
169KB

MD5
7bb955e6013146cecfe90212d5ae3769

SHA1
d9d7f0afe1c77e30ec9b7d70a8a81d9c201c9f8d

SHA256
17c5ec9b2778f0b4cbaf51c23395f089b6fd8fddddc1e416b047402cc0c1427a

SHA512
dd2f5f1872ef5a3a139524833a1d60f6da47b81762bb6212c44e8b38744805d79e56fac314196cba6ab7e5e898e06a29b51525c05e28898587d77a1cd073f600

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\VCRUNTIME140.dll

Filesize
81KB

MD5
e51018e4985943c51ff91471f8906504

SHA1
5899aaccdb692dbdffdaa35436c47d17c130cfd0

SHA256
ff9c1123cff493a8f5eacb91115611b6c1c808b30c82af9b6f388c0ef1f6b46d

SHA512
2fe5ddad2100aeaea35398384a440ba0be169ef429f7e0b69687bc0f8865df41bc93fc80d3a8f0ddd9df54fc2f2d76b1056a1d1962d37432704c818128ffbd74

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\addons\kclouddocs\mui\pt_PT\errPage.html

Filesize
14KB

MD5
444201bab3936f4a8a35c6045b74bce9

SHA1
51425a847a5c1b9258b3b00393cd5a50bbfaaa79

SHA256
50c9471ef7212ca56e2bc2def085072927c546815159544fa203901007771807

SHA512
1f1c639847f9c22fb59ee85d4db4336640f313c065012268e346daa4b4c7fb0026e87d59b5e38a9c0ad95235b1402f10947804bfd6a38963849abb577184bd29

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\addons\photo\mui\de_DE\kximagemodule.qm

Filesize
23B

MD5
4aef4415f2e976b2cc6f24b877804a57

SHA1
2aa2d42c51f9cf024e3777f0dde4270388fd22ae

SHA256
307cef95dd5b36ff215055d427e1885b7fc3650c9224cf76d63056545996ff60

SHA512
c75f089a95107997b0a786e7c1191e48ec7a69aefff97daf37783791d943c612b7c1b43bcc2cacdfd15e79382e0f314c88817c7dd320f8028af3420452ce3a1c

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\addons\photo\mui\ja_JP\photo.qm

Filesize
16B

MD5
bcebcf42735c6849bdecbb77451021dd

SHA1
4884fd9af6890647b7af1aefa57f38cca49ad899

SHA256
9959b510b15d18937848ad13007e30459d2e993c67e564badbfc18f935695c85

SHA512
f951b511ffb1a6b94b1bcae9df26b41b2ff829560583d7c83e70279d1b5304bde299b3679d863cad6bb79d0beda524fc195b7f054ecf11d2090037526b451b78

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\addons\photo\mui\pt_BR\kximagemodule.qm

Filesize
23B

MD5
237c99069275bf517a1e1015228eed57

SHA1
d645f40ce16f1bc0a8a442c849612a7c0dd79df4

SHA256
7b218a09051d3ca3d82f812ee8db3d2f12f1592095887c2da11a04577caa215c

SHA512
9bb5a3d32921f768059fcaa6e5f80a66c654da383ef19be7683e17a6c4d8342eae5c40e4414e89c5ce3a1026e8de11a7757485845ad91c9dde24a492a6c5c298

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\pt_PT\history.js

Filesize
198KB

MD5
b4b4c703bf5c6c0b5e9c57f05012d234

SHA1
929aee49e800e88b4b01f4a449fa86715d882e42

SHA256
910eada285d4900ea8e36faf305f731cfb200b317ea866839f5f4864a9dfc09b

SHA512
2afa881ee2f47e97249904b506cf88d68a34c166d9dc0a603f68369e640336f2c0b424ecb7b23d4631a96e175b965478bfa4ebc0224b0410551e55ac4c8ad0ec

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
cd3cec3d65ae62fdf044f720245f29c0

SHA1
c4643779a0f0f377323503f2db8d2e4d74c738ca

SHA256
676a6da661e0c02e72bea510f5a48cae71fdc4da0b1b089c24bff87651ec0141

SHA512
aca1029497c5a9d26ee09810639278eb17b8fd11b15c9017c8b578fced29cef56f172750c4cc2b0d1ebf8683d29e15de52a6951fb23d78712e31ddcb41776b0f

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\api-ms-win-core-file-l2-1-0.dll

Filesize
10KB

MD5
b181124928d8eb7b6caa0c2c759155cb

SHA1
1aadbbd43eff2df7bab51c6f3bda2eb2623b281a

SHA256
24ea638dfa9f40e2f395e26e36d308db2ab25ed1baa5c796ac2c560ad4c89d77

SHA512
2a43bf4d50d47924374cde689be24799c4e1c132c0bc981f5109952d3322e91dd5a9352b53bb55ca79a6ea92e2c387e87c064b9d8c8f519b77fff973d752dc8f

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
21519f4d5f1fea53532a0b152910ef8b

SHA1
7833ac2c20263c8be42f67151f9234eb8e4a5515

SHA256
5fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1

SHA512
97211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
b5c8334a10b191031769d5de01df9459

SHA1
83a8fcc777c7e8c42fa4c59ee627baf6cbed1969

SHA256
6c27ac0542281649ec8638602fbc24f246424ba550564fc7b290b683f79e712d

SHA512
59e53c515dfa2cd96182ca6539ed0ea2ebb01f5991beb08166d1fc53576aeaafebbb2c5ee0ccbdab60ae45fc6a048fff0b5e1b8c9c26907791d31fb7e75b1f39

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
86421619dad87870e5f3cc0beb1f7963

SHA1
2f0fe3eb94fa90577846d49c03c4fd08ef9d3fb2

SHA256
64eccd818f6ffc13f57a2ec5ca358b401ffbb1ca13b0c523d479ef5ee9eb44ab

SHA512
dbce9904dd5a403a5a69e528ee1179cc5faab1361715a29b1a0de0cd33ad3ae9c9d5620dafb161fda86cb27909d001be8955940fd051077ffe6f3ff82357ad31

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
4f06da894ea013a5e18b8b84a9836d5a

SHA1
40cf36e07b738aa8bba58bc5587643326ff412a9

SHA256
876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732

SHA512
1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\cfgs\setup.cfg

Filesize
401B

MD5
7f55c6905fe2ba1189435d15a1297e36

SHA1
efbb5d0d6e511180b640a853831e80725a7cc9db

SHA256
6bfc5bf7128729890ce1bb5687bf2236d094bb927ec3accfc64a3265be1c71ba

SHA512
e18b011dcddfd0a45f1a5435cf2d441af21ba26b38cb92292abeaf3447537144c67cea97d52eb0a63f39be7cbc63e1d1a6cd4e3b147e462e06c66d9e894db654

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe

Filesize
2.4MB

MD5
b9d13c9ead5913f8320bdc2f3bb2be07

SHA1
47c1f8fe2d7914a1177b0adc3a2ba6bb6aff21ba

SHA256
eedcc14d9678b7d7d698584e4173aca2055580f2e6dfc51dc8f61f4b91333721

SHA512
d9ef6ab8ae4b2cd5db049d4c7ec0cb01dae7033ca66bdab58705d159d7121e20c08e337a888ec57b638e316976a2ab8489e379d96fe7c2cc27fcf4be436c35fb

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe

Filesize
2.4MB

MD5
b9d13c9ead5913f8320bdc2f3bb2be07

SHA1
47c1f8fe2d7914a1177b0adc3a2ba6bb6aff21ba

SHA256
eedcc14d9678b7d7d698584e4173aca2055580f2e6dfc51dc8f61f4b91333721

SHA512
d9ef6ab8ae4b2cd5db049d4c7ec0cb01dae7033ca66bdab58705d159d7121e20c08e337a888ec57b638e316976a2ab8489e379d96fe7c2cc27fcf4be436c35fb

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\mui\ja_JP\resource\splash\hdpi\ent_background_2019_wpp.png

Filesize
233KB

MD5
d82655ee0d0411233db8691024582cf8

SHA1
266b81f265cf95f590388ba924a4fe385ed5327b

SHA256
c003bcf02a9562d885e3fa7436b29d5cff70949ccdf9058146948734f759980c

SHA512
ee3097cb811ba30e043f3b1ce2b39ceb33a9793e660a02ae5424f02fbbedb74fa367e2a687ac18d3413c0b4aa8230c87ee62ca11c25b04060e9c6c4548da0bc3

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\qt\plugins\platforms\qdirect2d.dll

Filesize
1.3MB

MD5
e21da6a83e5249ec4ca7dba79dc1033e

SHA1
5127dbe2318825d39d310ba5a45d2ddebf374b1e

SHA256
05f63a8106237949792f2ee26ae34f4161222f4bcb05181d74f38d4a9fa0751d

SHA512
e99ae0853b23103f2b312369c1523fbd8a61c10095bc33796319114f14040d8ef02fb37628e0d002b5949c68ccea6734347a6b58a80302c9a4002bfa09efb2af

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ucrtbase.DLL

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\utility\install.ini

Filesize
499B

MD5
183330feb3b9701fec096dcbfd8e67e4

SHA1
2f43379fefa868319a2baae7998cc62dc2fc201d

SHA256
ac4f26a184114522200169c5f57a0af4498a20d19b7ec6def14dd2c6413eb475

SHA512
643cc197456f15da6ddd6eb904f2b25ad4236a24310d575958c0c8e457a33167e748d21184162502a295fa466c031a837511d4d5348fd67499ede1b60065c471

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kingsoft\WPS Office.lnk

Filesize
2KB

MD5
d2ed9b66c7f150369b0d605ba9f5d019

SHA1
7b3d07bf84bee4c8c8273d5390e7cd5621b0f696

SHA256
bab163df6ecb63d01270954d84dd94c653b9c70892047c7dddd56b58a9184d27

SHA512
a1603b514f91b8edfed0b5e2c92d235500889c22238284003c11080b38090ab46dc78764987afb8bf3d1cacd7a76bdc42c0f3889d15e63a2dea9565415249fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\Qt5CoreKso.dll

Filesize
5.0MB

MD5
d470842373eae4d297e6b2b45c6c35c2

SHA1
c0a360cd83a91b44ce6b43fe1c8f722ab0ee44ae

SHA256
aeb99c5e0cd2f44b536abd516da183f99199d0410f2cc4bab018c08747c5619b

SHA512
1db11b312d65673bf7cabe7d6203019e4e05ae7458b5377bbdad832cd553582464a0273786cedea4af063b8e742a0a577aad297365b1b652b926b5c6ff22ff45

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\Qt5WidgetsKso.dll

Filesize
4.4MB

MD5
c10ebd510045643f3ab7f999b9a41e72

SHA1
cd437fdef5cd12a309ff64ac3be0dd7e11e3b776

SHA256
5e40b53733105e98ad2914bfb2f0dda52e3b9b3c87d82bf4ff092f1bed25cd13

SHA512
e20e77f54194de3552ee0327083f411644efdb25fb43e2363dd6edcbb9c39dad5064be6dfffe415689569feb11f2e8585369505582b6dc08480395cf2ec12a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll

Filesize
60KB

MD5
d9a1df4f3880d672eb6ec3cc5fbeccdc

SHA1
2059d967cd8020232d509159c67677875cc96b28

SHA256
d2b170e55d6da0a3e951fee4b0792ca49197d202a8cfd62833e141a07154236a

SHA512
dfa866191da584e2e42cdb74886a4f00e32123f296964fb8700bf708cfafc570fbd43a98817b7314c9a1da62a69dc8c4c3a98b4f4b4e0c153b3c7ea535cd8fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\qt\plugins\imageformats\qsvg.dll

Filesize
40KB

MD5
e9fec46f673c633c616bb69229ffdaf9

SHA1
71f4939b1f10f0b6c2d380d4a3520805357b4795

SHA256
679c2d3a597101c26c15c276c09fda6f960866e161f43c9e03383e1349ae8ab2

SHA512
6a9c74f5713b9be6363edef617db818e76042d31710af0ab6b73b5cc41dbb766520ef763a85acd19886557a52cdb7e9d31b4fb22f0e0af8c3c4a22f9cc978e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\qt\plugins\platforms\qwindows.dll

Filesize
1.3MB

MD5
99fe4c9f4470579dc144d22976da68b1

SHA1
ee23580e22256811fc2e52f877ac9d76556df3da

SHA256
d2373171742130ff41ece33029a6539561f5feca87e6828dd40ec04378e4db5d

SHA512
051614f973440046c61c245dde2fcc8e8bf30d41a6a86ecbf45de7761450b3e2d7caa08c3342ac8aae883fbb2d27661686ea22c38fb137492ce5251eebcb7bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll

Filesize
145KB

MD5
469aaf7b34bf53ada013dcb6343641dc

SHA1
0569064a1d7f18dfc64eb4bc18b466fd73a1e082

SHA256
41d3c0d1d52dce77bd30ad9900b5633c10ff34124e1f13bc26d2ea2e0d5423b3

SHA512
ad125a32defeb680fd8e12237c8a831d648808fa2650fec1d3759b0340ca297cf90582db410f39d6757a2e7a10ce3af4f9247fdddeb82ae6a2b1e54ed6865c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\pl_PL\style.xml

Filesize
3KB

MD5
034f37e6536c1430d55f64168b7e9f05

SHA1
dd08c0ef0d086dfbe59797990a74dab14fc850e2

SHA256
183a140011774d955e9de189e7a1d53cb4128d6abed61c7bfd5994268ee5f384

SHA512
0e1911c882152a4e1059a3ce1880d7fb2aed1e1e36cbd37055de2e2a1333acb2a0233ba2a4d969ccebbef1e77809aa5e78807aa9239545beae8c548c0f8f35c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\product.dat

Filesize
61KB

MD5
5bba5354586689cb44b827bed6b37964

SHA1
77b6e8d6123a3fe4b811931b2f242a85aa04a470

SHA256
18e56f52618b0b616a971f5e0dabbfeb85b33bdb37b2a5662e29c8d2949f344a

SHA512
1e828b213413053631b7eba30469ff35752e6d206a7dad8707ad31916f2559aa9dadc91f14ca92e1d91f866dee92e396c87756366b36e37a861f2fe55640b825

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps_download\d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe

Filesize
214.1MB

MD5
b17cae00909c13dba27a244449524ae0

SHA1
37c6f056e0032bf91317b7060f59a963da09cdae

SHA256
9f7d122ebc144dd69c144660104bcbf613088c22a8f173bf5599e9e548c50b74

SHA512
47965047ad86fa725835f3542d3366a412788a1ce7db2c4113f02e4e19708b99c0d7e7c2c99a8340a13fe2fe8c25221eef3cf0a456d0f78c8d8634e000df5de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps_download\d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe

Filesize
214.1MB

MD5
b17cae00909c13dba27a244449524ae0

SHA1
37c6f056e0032bf91317b7060f59a963da09cdae

SHA256
9f7d122ebc144dd69c144660104bcbf613088c22a8f173bf5599e9e548c50b74

SHA512
47965047ad86fa725835f3542d3366a412788a1ce7db2c4113f02e4e19708b99c0d7e7c2c99a8340a13fe2fe8c25221eef3cf0a456d0f78c8d8634e000df5de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps_download\d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe

Filesize
214.1MB

MD5
b17cae00909c13dba27a244449524ae0

SHA1
37c6f056e0032bf91317b7060f59a963da09cdae

SHA256
9f7d122ebc144dd69c144660104bcbf613088c22a8f173bf5599e9e548c50b74

SHA512
47965047ad86fa725835f3542d3366a412788a1ce7db2c4113f02e4e19708b99c0d7e7c2c99a8340a13fe2fe8c25221eef3cf0a456d0f78c8d8634e000df5de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps_download\d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe

Filesize
214.1MB

MD5
b17cae00909c13dba27a244449524ae0

SHA1
37c6f056e0032bf91317b7060f59a963da09cdae

SHA256
9f7d122ebc144dd69c144660104bcbf613088c22a8f173bf5599e9e548c50b74

SHA512
47965047ad86fa725835f3542d3366a412788a1ce7db2c4113f02e4e19708b99c0d7e7c2c99a8340a13fe2fe8c25221eef3cf0a456d0f78c8d8634e000df5de3

Download Submit
C:\Users\Admin\AppData\Local\tempinstall.ini

Filesize
368B

MD5
d7ef6f360229cf751b1bb9fcb776eb7d

SHA1
5fa106b67d74d783290e37e23d72fe95ef36cb42

SHA256
48228b8bc9cd327e980b4a8a91ec205952442789e5ec9c4b984628a81c1d1962

SHA512
f87d9f91a319630a4fe3f05e91e35beacd209e299a9ef401ff253b0c67c48f12b832583d41011fc3879bb1455aad86448fb5292efe43f639829fe404e9b33768

Download Submit
C:\Users\Admin\AppData\Local\tempinstall.ini

Filesize
414B

MD5
b287d41456dd89914ef14a33cb0fa26e

SHA1
c3954435bdd0f8215a1c931db725c6663190e20a

SHA256
d21e50e16e021ec5b05df4a77bae6a587990b91e0c7acfa0c2c633e3309aef1c

SHA512
80402030afb64a37259a1e15a4da9a4922a7076e76b0fb0d8060e66ff8f0ed163413de6d8628e430b3b80dffb2badd8fcd9bffff192fb289cf9648497a981b26

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\cfg\localconfig.data

Filesize
890KB

MD5
03e2f8d4bba19a6c906b2675f5489f3a

SHA1
114cbaa43e2b1d044235389bc03183957cc189bc

SHA256
a41200398ddda750d1b3cec0e098688de49ae588f2f28526de67836d7ca9ffec

SHA512
2eebce96c539a2c1804bee425bbdaf5c9ffa652d8e36f89bc34d5b6c8fe6d18be29dbb23ac37c851627daf001b38c51d862ddd3f82425404f8b3e506b9574f7f

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\ksomisc\ksomisc_2023_07_01.log

Filesize
4KB

MD5
7ef30c623590b1750cca0877cb149098

SHA1
c9ca4a9932e70825bc22ed65b91060e472964c63

SHA256
b44802fded060509ce6b99909da2f5a49fd7b7652f2afa065d52f2cced2b0d16

SHA512
ac7d19a6b9af707d7c4a75aea72a4497e27d30dcf4a357a1312cbb832c146f0f6309a0f721f81360b5b4db1f1913cd6d1f1ae515b78cf91308d9d8d7e3f227dd

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
33KB

MD5
a79fd85a4cbf909487ab1cb531703db6

SHA1
8dc4f399d3661daec3f0736315f2d5625d0208d1

SHA256
8d427f95852bcf5d5f10187d22b35b44549cf8af97efb23f4f24ff7bd807e9f3

SHA512
023cd2e92b1b45bf2bf6952aeac499bb3b8f57cdedef1799abe821f190aafd9797d440e7d4b591a557578bf2d3fbac7f9aeba0b9bac4ece58e5245c2db36635b

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
33KB

MD5
a79fd85a4cbf909487ab1cb531703db6

SHA1
8dc4f399d3661daec3f0736315f2d5625d0208d1

SHA256
8d427f95852bcf5d5f10187d22b35b44549cf8af97efb23f4f24ff7bd807e9f3

SHA512
023cd2e92b1b45bf2bf6952aeac499bb3b8f57cdedef1799abe821f190aafd9797d440e7d4b591a557578bf2d3fbac7f9aeba0b9bac4ece58e5245c2db36635b

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
50KB

MD5
ee2010418102cc6f26cbb2bd16e164e8

SHA1
d2bcab8ae8d6f54366a93480e3378877cc3f45f2

SHA256
082f618f21e22e9c9552a9d99967eca594f542700b2d0fedba651c1550147fd5

SHA512
98c2ac95e93ab75ca6225ac597c3b4a8adb52955dc171b858075cb866c3d470b744b8b9f193b4e6152beffa1cb4454a216c6c94e5099ceff648ee8083127e7b3

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
69KB

MD5
a7d36aee5c89bb42ce6e19a1cc95283e

SHA1
f8f314cc6e954b0c83f3d1360ba3f6485a10394c

SHA256
cb0c194cc952d49e4443cdd04839296a6d2cda595ea09e31bb79884a4f1d8336

SHA512
ca442850b5f747146f47a2b4345693049ee2a2642f85971af2aea6e969d41a8b1e44991eede7b67242f0b2688ece14809402b7accad1780dc1bd8f8c51cb2863

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
69KB

MD5
a7d36aee5c89bb42ce6e19a1cc95283e

SHA1
f8f314cc6e954b0c83f3d1360ba3f6485a10394c

SHA256
cb0c194cc952d49e4443cdd04839296a6d2cda595ea09e31bb79884a4f1d8336

SHA512
ca442850b5f747146f47a2b4345693049ee2a2642f85971af2aea6e969d41a8b1e44991eede7b67242f0b2688ece14809402b7accad1780dc1bd8f8c51cb2863

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\dcsdk\dcsdk_eventv3.db

Filesize
16KB

MD5
3533d8a1e13ffe8ca6b01c2dfbefb167

SHA1
d32179d743a69cc90393c6457087c62c6e8dbcd1

SHA256
f77cb512848a8c43e524f9940d68a70bf6b189ccec545b2846aa40155d2edcaf

SHA512
8073d3d0a7bc33c2be542d5a9bada39b2757500b2065df06eb18a0f25615cfb69a587f26832c66f8d7f7c41690ab2c5e06aaeff63146a0f4aaab36ddeb779baf

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5CoreKso.dll

Filesize
5.0MB

MD5
d470842373eae4d297e6b2b45c6c35c2

SHA1
c0a360cd83a91b44ce6b43fe1c8f722ab0ee44ae

SHA256
aeb99c5e0cd2f44b536abd516da183f99199d0410f2cc4bab018c08747c5619b

SHA512
1db11b312d65673bf7cabe7d6203019e4e05ae7458b5377bbdad832cd553582464a0273786cedea4af063b8e742a0a577aad297365b1b652b926b5c6ff22ff45

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5XmlKso.dll

Filesize
169KB

MD5
7bb955e6013146cecfe90212d5ae3769

SHA1
d9d7f0afe1c77e30ec9b7d70a8a81d9c201c9f8d

SHA256
17c5ec9b2778f0b4cbaf51c23395f089b6fd8fddddc1e416b047402cc0c1427a

SHA512
dd2f5f1872ef5a3a139524833a1d60f6da47b81762bb6212c44e8b38744805d79e56fac314196cba6ab7e5e898e06a29b51525c05e28898587d77a1cd073f600

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
cd3cec3d65ae62fdf044f720245f29c0

SHA1
c4643779a0f0f377323503f2db8d2e4d74c738ca

SHA256
676a6da661e0c02e72bea510f5a48cae71fdc4da0b1b089c24bff87651ec0141

SHA512
aca1029497c5a9d26ee09810639278eb17b8fd11b15c9017c8b578fced29cef56f172750c4cc2b0d1ebf8683d29e15de52a6951fb23d78712e31ddcb41776b0f

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\api-ms-win-core-file-l2-1-0.dll

Filesize
10KB

MD5
b181124928d8eb7b6caa0c2c759155cb

SHA1
1aadbbd43eff2df7bab51c6f3bda2eb2623b281a

SHA256
24ea638dfa9f40e2f395e26e36d308db2ab25ed1baa5c796ac2c560ad4c89d77

SHA512
2a43bf4d50d47924374cde689be24799c4e1c132c0bc981f5109952d3322e91dd5a9352b53bb55ca79a6ea92e2c387e87c064b9d8c8f519b77fff973d752dc8f

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
21519f4d5f1fea53532a0b152910ef8b

SHA1
7833ac2c20263c8be42f67151f9234eb8e4a5515

SHA256
5fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1

SHA512
97211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
b5c8334a10b191031769d5de01df9459

SHA1
83a8fcc777c7e8c42fa4c59ee627baf6cbed1969

SHA256
6c27ac0542281649ec8638602fbc24f246424ba550564fc7b290b683f79e712d

SHA512
59e53c515dfa2cd96182ca6539ed0ea2ebb01f5991beb08166d1fc53576aeaafebbb2c5ee0ccbdab60ae45fc6a048fff0b5e1b8c9c26907791d31fb7e75b1f39

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
86421619dad87870e5f3cc0beb1f7963

SHA1
2f0fe3eb94fa90577846d49c03c4fd08ef9d3fb2

SHA256
64eccd818f6ffc13f57a2ec5ca358b401ffbb1ca13b0c523d479ef5ee9eb44ab

SHA512
dbce9904dd5a403a5a69e528ee1179cc5faab1361715a29b1a0de0cd33ad3ae9c9d5620dafb161fda86cb27909d001be8955940fd051077ffe6f3ff82357ad31

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
4f06da894ea013a5e18b8b84a9836d5a

SHA1
40cf36e07b738aa8bba58bc5587643326ff412a9

SHA256
876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732

SHA512
1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ksomisc.exe

Filesize
2.4MB

MD5
b9d13c9ead5913f8320bdc2f3bb2be07

SHA1
47c1f8fe2d7914a1177b0adc3a2ba6bb6aff21ba

SHA256
eedcc14d9678b7d7d698584e4173aca2055580f2e6dfc51dc8f61f4b91333721

SHA512
d9ef6ab8ae4b2cd5db049d4c7ec0cb01dae7033ca66bdab58705d159d7121e20c08e337a888ec57b638e316976a2ab8489e379d96fe7c2cc27fcf4be436c35fb

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\msvcp140.dll

Filesize
439KB

MD5
5fd0772c30a923159055e87395f96d86

SHA1
4a20f687c84eb327e3cb7a4a60fe597666607cf3

SHA256
02c7259456eac8cbadfb460377ba68e98282400c7a4a9d0bf49b3313ef6d554d

SHA512
132a9b969104c0a214bde3f8c6e8f754d116cecdad55224bbea7a40cffd98f4e4de503d83d92cca0aaab9ed51c9efa00ad5caed69a9eda71013598a43b161c3a

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ucrtbase.dll

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\vcruntime140.dll

Filesize
81KB

MD5
e51018e4985943c51ff91471f8906504

SHA1
5899aaccdb692dbdffdaa35436c47d17c130cfd0

SHA256
ff9c1123cff493a8f5eacb91115611b6c1c808b30c82af9b6f388c0ef1f6b46d

SHA512
2fe5ddad2100aeaea35398384a440ba0be169ef429f7e0b69687bc0f8865df41bc93fc80d3a8f0ddd9df54fc2f2d76b1056a1d1962d37432704c818128ffbd74

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\Qt5CoreKso.dll

Filesize
5.0MB

MD5
d470842373eae4d297e6b2b45c6c35c2

SHA1
c0a360cd83a91b44ce6b43fe1c8f722ab0ee44ae

SHA256
aeb99c5e0cd2f44b536abd516da183f99199d0410f2cc4bab018c08747c5619b

SHA512
1db11b312d65673bf7cabe7d6203019e4e05ae7458b5377bbdad832cd553582464a0273786cedea4af063b8e742a0a577aad297365b1b652b926b5c6ff22ff45

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\Qt5GuiKso.dll

Filesize
5.3MB

MD5
267a544673fa4f20e216c1f40480f559

SHA1
bbf8d6eedbf189730fbc1026ab5309e1632adf0e

SHA256
e38432b64ffd423da056818f9937b6b37f75a3239622b8e6c71e47d80350446b

SHA512
96e769ef61c522ef2a21d238eee2aa6d866f85904a0140c62ecdf58620188f2e248c4f821cc3a3b6d4e7a6476e779d80d2bf4f144fc21ca01f8a29022fbdc662

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\Qt5SvgKso.dll

Filesize
363KB

MD5
b5766985090bf271cf853dfda5015efe

SHA1
3354c768373c40ff75ac8caa6ae474b21dd4d32f

SHA256
3fcfc50b5c42206442b66cff3f47f9c78627a325edd5a29aa70820f355345537

SHA512
6b279705f779a30db0029f568879b2aeae97c0499753fc57c45d103081f71658ee95b7698a9e0183ce6be1dba1b42adff93a5b57108034e337a9287e3990dce3

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\Qt5WidgetsKso.dll

Filesize
4.4MB

MD5
c10ebd510045643f3ab7f999b9a41e72

SHA1
cd437fdef5cd12a309ff64ac3be0dd7e11e3b776

SHA256
5e40b53733105e98ad2914bfb2f0dda52e3b9b3c87d82bf4ff092f1bed25cd13

SHA512
e20e77f54194de3552ee0327083f411644efdb25fb43e2363dd6edcbb9c39dad5064be6dfffe415689569feb11f2e8585369505582b6dc08480395cf2ec12a17

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\Qt5WinExtrasKso.dll

Filesize
392KB

MD5
b1cfe29f66b39644369276b8014915b3

SHA1
a572ed3b9f7de4a0aeaef0a745fb62f6e2ae9b4e

SHA256
7ed3c859399f4753789f79a2e25b8462268bbd59091a2ac456e36e1e153c214b

SHA512
f151ef444bdc7881c779e6a1c45d91d6ab1e18d8aa3aacf3365ce75dab69ee9a1d88be5ad7f5cdaa28405daf784cf44d35b22b559ba5124baed03ffd64f6d08a

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
cd3cec3d65ae62fdf044f720245f29c0

SHA1
c4643779a0f0f377323503f2db8d2e4d74c738ca

SHA256
676a6da661e0c02e72bea510f5a48cae71fdc4da0b1b089c24bff87651ec0141

SHA512
aca1029497c5a9d26ee09810639278eb17b8fd11b15c9017c8b578fced29cef56f172750c4cc2b0d1ebf8683d29e15de52a6951fb23d78712e31ddcb41776b0f

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\api-ms-win-core-file-l2-1-0.dll

Filesize
10KB

MD5
b181124928d8eb7b6caa0c2c759155cb

SHA1
1aadbbd43eff2df7bab51c6f3bda2eb2623b281a

SHA256
24ea638dfa9f40e2f395e26e36d308db2ab25ed1baa5c796ac2c560ad4c89d77

SHA512
2a43bf4d50d47924374cde689be24799c4e1c132c0bc981f5109952d3322e91dd5a9352b53bb55ca79a6ea92e2c387e87c064b9d8c8f519b77fff973d752dc8f

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
21519f4d5f1fea53532a0b152910ef8b

SHA1
7833ac2c20263c8be42f67151f9234eb8e4a5515

SHA256
5fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1

SHA512
97211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
b5c8334a10b191031769d5de01df9459

SHA1
83a8fcc777c7e8c42fa4c59ee627baf6cbed1969

SHA256
6c27ac0542281649ec8638602fbc24f246424ba550564fc7b290b683f79e712d

SHA512
59e53c515dfa2cd96182ca6539ed0ea2ebb01f5991beb08166d1fc53576aeaafebbb2c5ee0ccbdab60ae45fc6a048fff0b5e1b8c9c26907791d31fb7e75b1f39

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
86421619dad87870e5f3cc0beb1f7963

SHA1
2f0fe3eb94fa90577846d49c03c4fd08ef9d3fb2

SHA256
64eccd818f6ffc13f57a2ec5ca358b401ffbb1ca13b0c523d479ef5ee9eb44ab

SHA512
dbce9904dd5a403a5a69e528ee1179cc5faab1361715a29b1a0de0cd33ad3ae9c9d5620dafb161fda86cb27909d001be8955940fd051077ffe6f3ff82357ad31

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\api-ms-win-crt-convert-l1-1-0.dll

Filesize
14KB

MD5
88f89d0f2bd5748ed1af75889e715e6a

SHA1
8ada489b9ff33530a3fb7161cc07b5b11dfb8909

SHA256
02c78781bf6cc5f22a0ecedc3847bfd20bed4065ac028c386d063dc2318c33cc

SHA512
1f5a00284ca1d6dc6ae2dfce306febfa6d7d71d421583e4ce6890389334c2d98291e98e992b58136f5d1a41590553e3ad42fb362247ae8adf60e33397afbb5df

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
0979785e3ef8137cdd47c797adcb96e3

SHA1
4051c6eb37a4c0dba47b58301e63df76bff347dd

SHA256
d5164aecde4523ffa2dcfd0315b49428ac220013132ad48422a8ea4ca2361257

SHA512
e369bc53babd327f5d1b9833c0b8d6c7e121072ad81d4ba1fb3e2679f161fb6a9fa2fca0df0bac532fd439beb0d754583582d1dbfeccf2d38cc4f3bdca39b52d

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
12KB

MD5
a1b6cebd3d7a8b25b9a9cbc18d03a00c

SHA1
5516de099c49e0e6d1224286c3dc9b4d7985e913

SHA256
162ccf78fa5a4a2ee380f72fbd54d17a73c929a76f6e3659f537fa8f42602362

SHA512
a322fb09e6faaff0daabb4f0284e4e90ccacff27161dbfd77d39a9a93dbf30069b9d86bf15a07fc2006a55af2c35cd8ea544895c93e2e1697c51f2dafad5a9d7

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\api-ms-win-crt-heap-l1-1-0.dll

Filesize
11KB

MD5
a6a9dfb31be2510f6dbfedd476c6d15a

SHA1
cdb6d8bd1fbd1c71d85437cff55ddeb76139dbe7

SHA256
150d32b77b2d7f49c8d4f44b64a90d7a0f9df0874a80fc925daf298b038a8e4c

SHA512
b4f0e8fa148fac8a94e04bf4b44f2a26221d943cc399e7f48745ed46e8b58c52d9126110cdf868ebb723423fb0e304983d24fe6608d3757a43ad741bddb3b7ec

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
50b721a0c945abe3edca6bcee2a70c6c

SHA1
f35b3157818d4a5af3486b5e2e70bb510ac05eff

SHA256
db495c7c4ad2072d09b2d4506b3a50f04487ad8b27d656685ea3fa5d9653a21d

SHA512
ef2f6d28d01a5bad7c494851077d52f22a11514548c287e513f4820c23f90020a0032e2da16cc170ae80897ae45fc82bffc9d18afb2ae1a7b1da6eef56240840

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\api-ms-win-crt-math-l1-1-0.dll

Filesize
21KB

MD5
461d5af3277efb5f000b9df826581b80

SHA1
935b00c88c2065f98746e2b4353d4369216f1812

SHA256
f9ce464b89dd8ea1d5e0b852369fe3a8322b4b9860e5ae401c9a3b797aed17bf

SHA512
229bf31a1de1e84cf238a0dfe0c3a13fee86da94d611fbc8fdb65086dee6a8b1a6ba37c44c5826c3d8cfa120d0fba9e690d31c5b4e73f98c8362b98be1ee9600

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
4f06da894ea013a5e18b8b84a9836d5a

SHA1
40cf36e07b738aa8bba58bc5587643326ff412a9

SHA256
876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732

SHA512
1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
16KB

MD5
5765103e1f5412c43295bd752ccaea03

SHA1
6913bf1624599e55680a0292e22c89cab559db81

SHA256
8f7ace43040fa86e972cc74649d3e643d21e4cad6cb86ba78d4c059ed35d95e4

SHA512
5844ac30bc73b7ffba75016abefb8a339e2f2822fc6e1441f33f70b6eb7114f828167dfc34527b0fb5460768c4de7250c655bc56efd8ba03115cd2dd6f6c91c0

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
f364190706414020c02cf4d531e0229d

SHA1
5899230b0d7ad96121c3be0df99235ddd8a47dc6

SHA256
a797c0d43a52e7c8205397225ac931638d73b567683f38dd803195da9d34eac2

SHA512
a9c8abbd846ab55942f440e905d1f3864b82257b8daa44c784b1997a060de0c0439ecc25a2193032d4d85191535e9253e435deed23bdf3d3cb48c4209005a02e

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
d0b6a2caec62f5477e4e36b991563041

SHA1
8396e1e02dace6ae4dde33b3e432a3581bc38f5d

SHA256
fd44d833ea40d50981b3151535618eb57b5513ed824a9963251d07abff2baedf

SHA512
69bd6df96de99e6ab9c12d8a1024d20a034a7db3e2b62e8be7fdbc838c4e9001d2497b04209e07a5365d00366c794c31ee89b133304e475dde5f92fdb7fcb0bc

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
3dfb82541979a23a9deb5fd4dcfb6b22

SHA1
5da1d02b764917b38fdc34f4b41fb9a599105dd9

SHA256
0cd6d0ff0ff5ecf973f545e98b68ac6038db5494a8990c3b77b8a95b664b6feb

SHA512
f9a20b3d44d39d941fa131c3a1db37614a2f9b2af7260981a0f72c69f82a5326901f70a56b5f7ad65862630fce59b02f650a132ee7ecfe2e4fc80f694483ca82

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\kpacketui.dll

Filesize
2.9MB

MD5
f48c0dc24aa44869350b4e43879dd073

SHA1
4d219d304ca26f8ad5c81ef5f3abb713a6db861b

SHA256
11b3926d25811fe0275254b3de20a0a6819de1f3dabd5c89cbf9661a9fbb88bb

SHA512
8c65b8b1af3320739f465fae2eb4d417f832ed9de7d260a9d13e776ed06570397f34444a6f745b59bae2133dc1f67459c689f02db0791878433643c373d3db80

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\msvcp140.dll

Filesize
439KB

MD5
5fd0772c30a923159055e87395f96d86

SHA1
4a20f687c84eb327e3cb7a4a60fe597666607cf3

SHA256
02c7259456eac8cbadfb460377ba68e98282400c7a4a9d0bf49b3313ef6d554d

SHA512
132a9b969104c0a214bde3f8c6e8f754d116cecdad55224bbea7a40cffd98f4e4de503d83d92cca0aaab9ed51c9efa00ad5caed69a9eda71013598a43b161c3a

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll

Filesize
60KB

MD5
d9a1df4f3880d672eb6ec3cc5fbeccdc

SHA1
2059d967cd8020232d509159c67677875cc96b28

SHA256
d2b170e55d6da0a3e951fee4b0792ca49197d202a8cfd62833e141a07154236a

SHA512
dfa866191da584e2e42cdb74886a4f00e32123f296964fb8700bf708cfafc570fbd43a98817b7314c9a1da62a69dc8c4c3a98b4f4b4e0c153b3c7ea535cd8fd0

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\qt\plugins\imageformats\qsvg.dll

Filesize
40KB

MD5
e9fec46f673c633c616bb69229ffdaf9

SHA1
71f4939b1f10f0b6c2d380d4a3520805357b4795

SHA256
679c2d3a597101c26c15c276c09fda6f960866e161f43c9e03383e1349ae8ab2

SHA512
6a9c74f5713b9be6363edef617db818e76042d31710af0ab6b73b5cc41dbb766520ef763a85acd19886557a52cdb7e9d31b4fb22f0e0af8c3c4a22f9cc978e7a

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\qt\plugins\platforms\qwindows.dll

Filesize
1.3MB

MD5
99fe4c9f4470579dc144d22976da68b1

SHA1
ee23580e22256811fc2e52f877ac9d76556df3da

SHA256
d2373171742130ff41ece33029a6539561f5feca87e6828dd40ec04378e4db5d

SHA512
051614f973440046c61c245dde2fcc8e8bf30d41a6a86ecbf45de7761450b3e2d7caa08c3342ac8aae883fbb2d27661686ea22c38fb137492ce5251eebcb7bbd

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll

Filesize
145KB

MD5
469aaf7b34bf53ada013dcb6343641dc

SHA1
0569064a1d7f18dfc64eb4bc18b466fd73a1e082

SHA256
41d3c0d1d52dce77bd30ad9900b5633c10ff34124e1f13bc26d2ea2e0d5423b3

SHA512
ad125a32defeb680fd8e12237c8a831d648808fa2650fec1d3759b0340ca297cf90582db410f39d6757a2e7a10ce3af4f9247fdddeb82ae6a2b1e54ed6865c78

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\ucrtbase.dll

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~6cc1e9\CONTROL\office6\vcruntime140.dll

Filesize
81KB

MD5
e51018e4985943c51ff91471f8906504

SHA1
5899aaccdb692dbdffdaa35436c47d17c130cfd0

SHA256
ff9c1123cff493a8f5eacb91115611b6c1c808b30c82af9b6f388c0ef1f6b46d

SHA512
2fe5ddad2100aeaea35398384a440ba0be169ef429f7e0b69687bc0f8865df41bc93fc80d3a8f0ddd9df54fc2f2d76b1056a1d1962d37432704c818128ffbd74

Download Submit
\Users\Admin\AppData\Local\Temp\wps_download\d53c34ec4d567b511be68047e6d4de5c-14_setup_XA_mui_Free.exe.601.1098.exe

Filesize
214.1MB

MD5
b17cae00909c13dba27a244449524ae0

SHA1
37c6f056e0032bf91317b7060f59a963da09cdae

SHA256
9f7d122ebc144dd69c144660104bcbf613088c22a8f173bf5599e9e548c50b74

SHA512
47965047ad86fa725835f3542d3366a412788a1ce7db2c4113f02e4e19708b99c0d7e7c2c99a8340a13fe2fe8c25221eef3cf0a456d0f78c8d8634e000df5de3

Download Submit
memory/544-4463-0x000000006DB60000-0x000000006DB70000-memory.dmp

Filesize
64KB

Download
memory/544-4464-0x000000006DB80000-0x000000006DB90000-memory.dmp

Filesize
64KB

Download
memory/980-4434-0x000000006E1B0000-0x000000007115C000-memory.dmp

Filesize
47.7MB

Download
memory/980-4435-0x00000000373F0000-0x0000000037400000-memory.dmp

Filesize
64KB

Download
memory/980-4455-0x00000000007D0000-0x00000000007E0000-memory.dmp

Filesize
64KB

Download
memory/1536-222-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download
memory/2004-4428-0x00000000373F0000-0x0000000037400000-memory.dmp

Filesize
64KB

Download
memory/2004-4427-0x000000006E1D0000-0x000000007117C000-memory.dmp

Filesize
47.7MB

Download
memory/2040-307-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2060-4465-0x00000000370E0000-0x00000000370F0000-memory.dmp

Filesize
64KB

Download
memory/2060-4466-0x0000000037160000-0x0000000037170000-memory.dmp

Filesize
64KB

Download
memory/2280-4506-0x00000000373F0000-0x0000000037400000-memory.dmp

Filesize
64KB

Download
memory/2688-4602-0x00000000373F0000-0x0000000037400000-memory.dmp

Filesize
64KB

Download