50a0e8a5715aae63bcb3826943d098fa4452bbbb5c25ec1c89e80197c0c1444a

Analysis

max time kernel
96s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wps_lid.lid-s8Ck0sxDWC9r.exe
Size

5.5MB
MD5

5a04ccc69dcb6542a6205cb8b0f2637c
SHA1

a23f6b826b876884625a668611e1c9f817f26f46
SHA256

50a0e8a5715aae63bcb3826943d098fa4452bbbb5c25ec1c89e80197c0c1444a
SHA512

8f6685102bf72678b1d1caae479d92db329cbfce2149f76bbbe1b4dbbda57cec6aa526ec5a88b787161a0bb707f3526f576a146cc0b13799513fb9c1bea0ee58
SSDEEP

98304:P3stJARnrlGCG8z1Anqn4UHw//4ENvIPpHdVorLu4TK/O4FsO:kjQnRT1MEzH4vItor64SD

Score

8^/10

bootkit discovery evasion persistence trojan

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
69	864	cmd.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wpscloudsvr.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	wps_lid.lid-s8Ck0sxDWC9r.exe
File opened for modification	\??\PhysicalDrive0	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
File opened for modification	\??\PhysicalDrive0	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
File opened for modification	\??\PhysicalDrive0	ksomisc.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wpsupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wps_lid.lid-s8Ck0sxDWC9r.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wpsupdate.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe

Executes dropped EXE 17 IoCs

pid	Process
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
4268	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
4500	ksomisc.exe
3580	wpscloudsvr.exe
4488	ksomisc.exe
4588	ksomisc.exe
1260	ksomisc.exe
8	wps.exe
3876	wps.exe
1884	wps.exe
3356	wpsupdate.exe
4588	wpscloudsvr.exe
4356	wpsupdate.exe
1260	wpscloudsvr.exe
5096	ksomisc.exe
3608	wps.exe
1544	wpscloudsvr.exe

Loads dropped DLL 64 IoCs

pid	Process
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
5100	regsvr32.exe
2588	regsvr32.exe
8	regsvr32.exe
4488	ksomisc.exe
4488	ksomisc.exe
4488	ksomisc.exe
4488	ksomisc.exe
4488	ksomisc.exe
4488	ksomisc.exe
4488	ksomisc.exe
4488	ksomisc.exe
4488	ksomisc.exe
4488	ksomisc.exe
4488	ksomisc.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ kwpsshellext\ = "{28A80003-18FD-411D-B0A3-3C81F618E22B}"	regsvr32.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{000209F0-0000-4b30-A977-D214852036FF}\InprocServer32\Class	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{00020900-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{91493441-5A91-11CF-8700-00AA0060263B}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{00020821-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /prometheus /et"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32\.ksobak	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{91493441-5A91-11CF-8700-00AA0060263B}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wpp.exe /Automation"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{91493443-94BF-4940-926D-4F38FECF2A48}\InprocServer32\Class	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32\	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /prometheus /wps"	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f006500740000000000	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\LocalServer32\.ksobak	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{00020812-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\et.exe /Automation"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}\LocalServer32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{0002CE21-0000-0000-C000-000000000046}\LocalServer32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{00020906-0000-4b30-A977-D214852036FF}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\wps.exe\" /prometheus /et /Automation"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{3C18EAE4-BC25-4134-B7DF-1ECA1337DDDC}\LocalServer32\.ksobak	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32\.ksobak	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{00024500-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\et.exe /Automation"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{000209FF-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /Automation"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{45540001-5750-5300-4B49-4E47534F4655}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /prometheus /wps"	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /prometheus /wps"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{E260F96C-8EF4-4C24-A2B9-455F1D116531}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\wps.exe\" /prometheus /et /Preview"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{A1BBCFD9-B54C-443D-BC56-0BC3840120DB}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\wps.exe\" /prometheus /wpp /Preview"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{44720444-94BF-4940-926D-4F38FECF2A48}\LocalServer32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{048EB43E-2059-422F-95E0-557DA96038AF}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\LocalServer32\.ksobak	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\LocalServer32\.ksobak	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\LocalServer32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{00020900-0000-0000-C000-000000000046}\LocalServer32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{00020832-0000-0000-C000-000000000046}\LocalServer32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{000209FE-0000-0000-C000-000000000046}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{3C18EAE4-BC25-4134-B7DF-1ECA1337DDDC}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /prometheus /wpp"	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{91493441-5A91-11CF-8700-00AA0060263B}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700070002e0065007800650020002f004100750074006f006d006100740069006f006e0000000000	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{E260F96C-8EF4-4C24-A2B9-455F1D116531}\LocalServer32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\refedit.dll"	ksomisc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C360CF9-D475-44FC-8163-AD6C95CF5F5D}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\kmso2pdfplugins64.dll"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{00020900-0000-0000-C000-000000000046}\LocalServer32\.ksobak	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{00020820-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f006500740000000000	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{00020812-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c00650074002e0065007800650020002f004100750074006f006d006100740069006f006e0000000000	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{00024500-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c00650074002e0065007800650020002f004100750074006f006d006100740069006f006e0000000000	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{000209FF-0000-0000-C000-000000000046}\LocalServer32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32	ksomisc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360039005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /prometheus /wpp"	ksomisc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C360CF9-D475-44FC-8163-AD6C95CF5F5D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{0C7FEF07-DCD9-4120-9647-D1CE32F289CD}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\wps.exe\" /prometheus /wps /Preview"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32\Class\ = "WPS.Office.Interop.Et.GlobalClass"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\refedit.dll"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /prometheus /et"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /prometheus /wpp"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\LocalServer32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{00020812-0000-0000-C000-000000000046}\LocalServer32\.ksobak	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.169\\office6\\wps.exe /prometheus /wpp"	ksomisc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}	ksomisc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024"	ksomisc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{E436987E-F427-4AD7-8738-6D0895A3E93F}"	ksomisc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}	ksomisc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024"	ksomisc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{AB5357A7-3179-47F9-A705-966B8B936D5E}"	ksomisc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{000209EF-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{000208B9-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{00020980-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{D36C1F42-7044-4B9E-9CA3-85919454DB04}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{00020921-0000-0000-C000-000000000046}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{00024405-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WPP.POT.6\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\wpsofficeicon.dll,30"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{000C1711-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{F08B45F1-8F23-4156-9D63-1820C0ED229A}\TypeLib\Version = "3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{914934E8-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{00024420-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{000244D9-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{00024456-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{55F88892-7708-11D1-ACEB-006008961DA5}\ = "ICommandBarsEvents"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\TypeLib\{00020905-0000-4B30-A977-D214852036FF}\3.0\FLAGS	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{000C0357-0000-0000-C000-000000000046}\ = "HTMLProjectItems"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{79635BF1-BD1D-4B3F-A520-C1106F1AAAD8}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{9149349A-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{44720440-94BF-4940-926D-4F38FECF2A48}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{914934EA-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{9149345B-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{000C0370-0000-0000-C000-000000000046}\TypeLib\Version = "63.1"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{000C0333-0000-0000-C000-000000000046}\ = "PropertyTest"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{92D41A56-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{0002088B-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{00020900-0000-0000-C000-000000000046}\DefaultIcon\.ksobak	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{000209FE-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{000209A6-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\KWPS.Template.9\shell\open\command	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{AED7E08C-14F0-4F33-921D-4C5353137BF6}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{0002091B-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\KWPP.Presentation\CLSID	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{92D41A6D-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "LeaderLines"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{0002E131-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{000C1724-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{000C03C9-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WPS.PIC.bmp\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16909\\office6\\addons\\photo\\photo.dll,1"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{50209974-BA32-4A03-8FA6-BAC56CC056FD}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{67A7EEC5-285D-4024-B071-BD6B33B88547}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{00020960-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{000209DF-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{91493473-5A91-11CF-8700-00AA0060263B}\ = "SoundFormat"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{0002443A-0000-0000-C000-000000000046}\ = "Shapes"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{000C0369-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{000209CC-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{000208D4-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{3C18EAE4-BC25-4134-B7DF-1ECA1337DDDC}\LocalServer32\.ksobak	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WPS.PIC.ico\shell	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{91493485-5A91-11CF-8700-00AA0060263B}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{0002446B-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{000244D7-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{000C0913-0000-0000-C000-000000000046}\ = "WebPageFont"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{7CCE8E1F-0043-4118-81EC-66DED46FE832}\ = "_WpsApplicationEx"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{91493461-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{00024429-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{0002E116-0000-0000-C000-000000000046}\TypeLib\Version = "5.3"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{000CDB0E-0000-0000-C000-000000000046}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{0D951ADF-10A6-4C9B-BCD9-0FB8CBAD9A87}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{000C037C-0000-0000-C000-000000000046}\TypeLib\Version = "63.1"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{0002098E-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{45540003-5750-5300-4B49-4E47534F4654}\DefaultExtension\ = ".et, WPS Spreadsheets Workbook (.et)"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{0002085C-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{00020897-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{000C0317-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{000CD6A1-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe

Modifies system certificate store 2 TTPs 64 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\SystemCertificates\FlightRoot	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CRLs	wps_lid.lid-s8Ck0sxDWC9r.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CTLs	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CRLs	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates	wpscloudsvr.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\Certificates	wps_lid.lid-s8Ck0sxDWC9r.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CRLs	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\SystemCertificates\FlightRoot	wps_lid.lid-s8Ck0sxDWC9r.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer	wps_lid.lid-s8Ck0sxDWC9r.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CRLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CRLs	wps_lid.lid-s8Ck0sxDWC9r.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CTLs	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CTLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CTLs	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates	wpscloudsvr.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates	wpscloudsvr.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\Certificates	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates	wps_lid.lid-s8Ck0sxDWC9r.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CTLs	wps_lid.lid-s8Ck0sxDWC9r.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CTLs	wps_lid.lid-s8Ck0sxDWC9r.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates	wps_lid.lid-s8Ck0sxDWC9r.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CRLs	wps_lid.lid-s8Ck0sxDWC9r.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates	wps_lid.lid-s8Ck0sxDWC9r.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CTLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CTLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\SystemCertificates\TestSignRoot	wpscloudsvr.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CRLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CRLs	wpscloudsvr.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\SystemCertificates\TrustedAppRoot	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CRLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CRLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\SystemCertificates\TestSignRoot	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CTLs	wps_lid.lid-s8Ck0sxDWC9r.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CRLs	wpscloudsvr.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\SystemCertificates\TrustedAppRoot	wps_lid.lid-s8Ck0sxDWC9r.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\SystemCertificates\eSIM Certification Authorities	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CTLs	wpscloudsvr.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CTLs	wpscloudsvr.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CRLs	wps_lid.lid-s8Ck0sxDWC9r.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CTLs	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CRLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates	wps_lid.lid-s8Ck0sxDWC9r.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\SystemCertificates\WindowsServerUpdateServices	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CRLs	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CRLs	wps_lid.lid-s8Ck0sxDWC9r.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CRLs	wpscloudsvr.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CTLs	wpscloudsvr.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CRLs	wps_lid.lid-s8Ck0sxDWC9r.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CRLs	wps.exe

Suspicious behavior: AddClipboardFormatListener 10 IoCs

pid	Process
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
4500	ksomisc.exe
4488	ksomisc.exe
4588	ksomisc.exe
1260	ksomisc.exe
3356	wpsupdate.exe
4356	wpsupdate.exe
5096	ksomisc.exe
3608	wps.exe
1544	wpscloudsvr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
228	wps_lid.lid-s8Ck0sxDWC9r.exe
228	wps_lid.lid-s8Ck0sxDWC9r.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
4268	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
4268	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
4268	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
4268	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
4268	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
4268	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
3580	wpscloudsvr.exe
3580	wpscloudsvr.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
3608	wps.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
Token: SeRestorePrivilege	1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
Token: SeRestorePrivilege	1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
Token: SeRestorePrivilege	1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
Token: SeRestorePrivilege	1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
Token: SeDebugPrivilege	4500	ksomisc.exe
Token: SeLockMemoryPrivilege	4500	ksomisc.exe
Token: SeDebugPrivilege	4488	ksomisc.exe
Token: SeLockMemoryPrivilege	4488	ksomisc.exe
Token: SeDebugPrivilege	4588	ksomisc.exe
Token: SeDebugPrivilege	1260	ksomisc.exe
Token: SeLockMemoryPrivilege	4588	ksomisc.exe
Token: SeLockMemoryPrivilege	1260	ksomisc.exe
Token: SeLockMemoryPrivilege	3356	wpsupdate.exe
Token: SeLockMemoryPrivilege	4356	wpsupdate.exe
Token: SeDebugPrivilege	5096	ksomisc.exe
Token: SeLockMemoryPrivilege	3608	wps.exe
Token: SeLockMemoryPrivilege	5096	ksomisc.exe
Token: SeLockMemoryPrivilege	1544	wpscloudsvr.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
1260	ksomisc.exe
228	wps_lid.lid-s8Ck0sxDWC9r.exe
228	wps_lid.lid-s8Ck0sxDWC9r.exe
228	wps_lid.lid-s8Ck0sxDWC9r.exe
228	wps_lid.lid-s8Ck0sxDWC9r.exe
228	wps_lid.lid-s8Ck0sxDWC9r.exe
228	wps_lid.lid-s8Ck0sxDWC9r.exe
228	wps_lid.lid-s8Ck0sxDWC9r.exe
228	wps_lid.lid-s8Ck0sxDWC9r.exe
228	wps_lid.lid-s8Ck0sxDWC9r.exe
228	wps_lid.lid-s8Ck0sxDWC9r.exe
228	wps_lid.lid-s8Ck0sxDWC9r.exe
228	wps_lid.lid-s8Ck0sxDWC9r.exe
228	wps_lid.lid-s8Ck0sxDWC9r.exe

Suspicious use of SetWindowsHookEx 37 IoCs

pid	Process
1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4488	ksomisc.exe
4488	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4500	ksomisc.exe
4588	ksomisc.exe
4588	ksomisc.exe
1260	ksomisc.exe
1260	ksomisc.exe
3356	wpsupdate.exe
3356	wpsupdate.exe
4356	wpsupdate.exe
4356	wpsupdate.exe
4488	ksomisc.exe
4488	ksomisc.exe
4488	ksomisc.exe
3608	wps.exe
5096	ksomisc.exe
3608	wps.exe
5096	ksomisc.exe
3608	wps.exe
3608	wps.exe
3608	wps.exe
3608	wps.exe
3608	wps.exe
1544	wpscloudsvr.exe
1544	wpscloudsvr.exe
3608	wps.exe
3608	wps.exe
1544	wpscloudsvr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 1256	228	wps_lid.lid-s8Ck0sxDWC9r.exe	86
PID 228 wrote to memory of 1256	228	wps_lid.lid-s8Ck0sxDWC9r.exe	86
PID 228 wrote to memory of 1256	228	wps_lid.lid-s8Ck0sxDWC9r.exe	86
PID 1256 wrote to memory of 3580	1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe	93
PID 1256 wrote to memory of 3580	1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe	93
PID 1256 wrote to memory of 3580	1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe	93
PID 4500 wrote to memory of 5100	4500	ksomisc.exe	94
PID 4500 wrote to memory of 5100	4500	ksomisc.exe	94
PID 4500 wrote to memory of 5100	4500	ksomisc.exe	94
PID 4500 wrote to memory of 2588	4500	ksomisc.exe	95
PID 4500 wrote to memory of 2588	4500	ksomisc.exe	95
PID 4500 wrote to memory of 2588	4500	ksomisc.exe	95
PID 2588 wrote to memory of 8	2588	regsvr32.exe	101
PID 2588 wrote to memory of 8	2588	regsvr32.exe	101
PID 1256 wrote to memory of 4488	1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe	97
PID 1256 wrote to memory of 4488	1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe	97
PID 1256 wrote to memory of 4488	1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe	97
PID 1256 wrote to memory of 4588	1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe	110
PID 1256 wrote to memory of 4588	1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe	110
PID 1256 wrote to memory of 4588	1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe	110
PID 4268 wrote to memory of 1260	4268	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe	112
PID 4268 wrote to memory of 1260	4268	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe	112
PID 4268 wrote to memory of 1260	4268	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe	112
PID 4500 wrote to memory of 8	4500	ksomisc.exe	101
PID 4500 wrote to memory of 8	4500	ksomisc.exe	101
PID 4500 wrote to memory of 8	4500	ksomisc.exe	101
PID 8 wrote to memory of 3876	8	wps.exe	102
PID 8 wrote to memory of 3876	8	wps.exe	102
PID 8 wrote to memory of 3876	8	wps.exe	102
PID 8 wrote to memory of 1884	8	wps.exe	103
PID 8 wrote to memory of 1884	8	wps.exe	103
PID 8 wrote to memory of 1884	8	wps.exe	103
PID 4268 wrote to memory of 2064	4268	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe	105
PID 4268 wrote to memory of 2064	4268	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe	105
PID 4268 wrote to memory of 2064	4268	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe	105
PID 2064 wrote to memory of 2420	2064	regsvr32.exe	106
PID 2064 wrote to memory of 2420	2064	regsvr32.exe	106
PID 4500 wrote to memory of 864	4500	ksomisc.exe	107
PID 4500 wrote to memory of 864	4500	ksomisc.exe	107
PID 4500 wrote to memory of 864	4500	ksomisc.exe	107
PID 4500 wrote to memory of 864	4500	ksomisc.exe	107
PID 4268 wrote to memory of 3356	4268	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe	109
PID 4268 wrote to memory of 3356	4268	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe	109
PID 4268 wrote to memory of 3356	4268	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe	109
PID 3356 wrote to memory of 4588	3356	wpsupdate.exe	110
PID 3356 wrote to memory of 4588	3356	wpsupdate.exe	110
PID 3356 wrote to memory of 4588	3356	wpsupdate.exe	110
PID 4268 wrote to memory of 4356	4268	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe	111
PID 4268 wrote to memory of 4356	4268	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe	111
PID 4268 wrote to memory of 4356	4268	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe	111
PID 4356 wrote to memory of 1260	4356	wpsupdate.exe	112
PID 4356 wrote to memory of 1260	4356	wpsupdate.exe	112
PID 4356 wrote to memory of 1260	4356	wpsupdate.exe	112
PID 1256 wrote to memory of 1904	1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe	113
PID 1256 wrote to memory of 1904	1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe	113
PID 1256 wrote to memory of 1904	1256	ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe	113
PID 4488 wrote to memory of 2976	4488	ksomisc.exe	114
PID 4488 wrote to memory of 2976	4488	ksomisc.exe	114
PID 4488 wrote to memory of 2976	4488	ksomisc.exe	114
PID 4488 wrote to memory of 820	4488	ksomisc.exe	115
PID 4488 wrote to memory of 820	4488	ksomisc.exe	115
PID 4488 wrote to memory of 820	4488	ksomisc.exe	115
PID 820 wrote to memory of 1760	820	regsvr32.exe	116
PID 820 wrote to memory of 1760	820	regsvr32.exe	116

C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-s8Ck0sxDWC9r.exe
"C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-s8Ck0sxDWC9r.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:228
- C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
  C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -curlangofinstalledproduct=en_US -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Checks computer location settings
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
    "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService
    3⤵
    - Checks whether UAC is enabled
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3580
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe" -installregister sharedMemory_message_E584438
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\kmso2pdfplugins.dll"
      4⤵
      PID:2976
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\kmso2pdfplugins64.dll"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:820
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\kmso2pdfplugins64.dll"
        5⤵
        Registers COM server for autorun
        
        PID:1760
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe" -sendinstalldyn 5
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4588
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\addons\html2pdf\html2pdf.dll"
    3⤵
    PID:1904
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\\office6\ksomisc.exe" -defragment
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5096

C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe
"C:\Users\Admin\AppData\Local\Temp\wps_download\ca53b1e390dcdc2ae376a28532674862-14_setup_XA_mui_Free.exe.601.1115.exe" -downpower -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -curlangofinstalledproduct="en_US" -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -msgwndname=wpssetup_message_E57BDB2 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~e57ba95\
1⤵
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1260
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\kwpsmenushellext64.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\system32\regsvr32.exe
    /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\kwpsmenushellext64.dll"
    3⤵
    - Modifies system executable filetype association
    PID:2420
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe" /from:setup
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3356
- - C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
    "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
    3⤵
    - Executes dropped EXE
    PID:4588
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpsupdate.exe" -createtask
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
    "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
    3⤵
    - Executes dropped EXE
    PID:1260
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe" /prometheus /download_lang_on_start /lang=en_US /from=autostart_after_install_onlinesetup
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3608
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe" /qingbangong /start_from=qingipc /qingbangong /start_from=kstartpage silentautologin
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1544
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe" -getabtest -forceperusermode
      4⤵
      PID:5060
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe" -getonlineparam -forceperusermode
      4⤵
      PID:748
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /messagepush /PushType=mipush /From=Qing
      4⤵
      PID:4624
    - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe
        
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe" /messagepush /PushType=mipush /From=Qing
        5⤵
        
        PID:4444
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /krecentfile /init /From=Qing
      4⤵
      PID:1248
    - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe
        
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe" /krecentfile /init /From=Qing
        5⤵
        
        PID:224
  - - C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386\chromehost_1.0.2024.9\chromelauncher.exe
      C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386\chromehost_1.0.2024.9\chromelauncher.exe install
      4⤵
      PID:4048
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe" Run -Entry=EntryPoint C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386/kdocreminder_1.1.2021.136/kdocreminder.dll
      4⤵
      PID:1108
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe" Run /InstanceId=wpsdesktop -Entry=EntryPoint C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386/kwpsbubble_1.0.2024.3/kwpsbubble_xa.dll
      4⤵
      PID:2776
    - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\promecefpluginhost.exe
        
        "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16909/office6\promecefpluginhost.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\debug.log" --mojo-platform-channel-handle=2060 --field-trial-handle=2156,i,8313839590670826705,11054564757873243011,131072 --disable-features=TSFImeSupport /prefetch:2
        5⤵
        
        PID:5812
    - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\promecefpluginhost.exe
        
        "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16909/office6\promecefpluginhost.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\debug.log" --mojo-platform-channel-handle=2640 --field-trial-handle=2156,i,8313839590670826705,11054564757873243011,131072 --disable-features=TSFImeSupport /prefetch:8
        5⤵
        
        PID:5900
    - - C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe
        
        "C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=2776 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16909/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\debug.log" --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=3064 --field-trial-handle=2156,i,8313839590670826705,11054564757873243011,131072 --disable-features=TSFImeSupport /prefetch:1
        5⤵
        
        PID:5976
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe" Run -User=Admin "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe" -regpdfwspv
      4⤵
      PID:5448
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\promecefpluginhost.exe
    "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16909/office6\promecefpluginhost.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\debug.log" --mojo-platform-channel-handle=3304 --field-trial-handle=3448,i,9647205260297547294,809583170043831025,131072 --disable-features=TSFImeSupport /prefetch:2
    3⤵
    PID:4920
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\promecefpluginhost.exe
    "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16909/office6\promecefpluginhost.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\debug.log" --mojo-platform-channel-handle=3836 --field-trial-handle=3448,i,9647205260297547294,809583170043831025,131072 --disable-features=TSFImeSupport /prefetch:8
    3⤵
    PID:1436
- - C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=3608 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16909/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\debug.log" --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=4108 --field-trial-handle=3448,i,9647205260297547294,809583170043831025,131072 --disable-features=TSFImeSupport /prefetch:1
    3⤵
    PID:5096
- - C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=3608 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16909/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\debug.log" --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3840 --field-trial-handle=3448,i,9647205260297547294,809583170043831025,131072 --disable-features=TSFImeSupport /prefetch:1
    3⤵
    PID:612
- - C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.169\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjkwOVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=3608 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16909/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\debug.log" --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=4176 --field-trial-handle=3448,i,9647205260297547294,809583170043831025,131072 --disable-features=TSFImeSupport /prefetch:1
    3⤵
    PID:4480
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscenter.exe" Run -Entry=EntryPoint C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386/kdocreminder_1.1.2021.136/kdocreminder.dll
    3⤵
    PID:5188

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe" -installregister sharedMemory_message_E581C7C -forceperusermode
1⤵
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\kmso2pdfplugins.dll"
  2⤵
  - Loads dropped DLL
  PID:5100
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\kmso2pdfplugins64.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\kmso2pdfplugins64.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    PID:8
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe" CheckService
    3⤵
    - Executes dropped EXE
    PID:3876
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16909/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=8 /prv
    3⤵
    - Executes dropped EXE
    PID:1884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Blocklisted process makes network request
  PID:864

C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" LocalService
1⤵
PID:5480
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe" -regpdfwspv
  2⤵
  PID:612
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386\pdfwspv_1.0.2024.3\pdfwspv.dll"
    3⤵
    PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\Qt5NetworkKso.dll

Filesize
1.1MB

MD5
890a5bf085167cf3aee0f4d57b7e05b6

SHA1
1bbfe7ca2cf0678b433790289cdc7db57d68e36f

SHA256
7d16714b843343e370ec36bda4a058280ba3528636c57a085b168c979f1f48c5

SHA512
e44385e82c2a85a63d3860f590003d9d42d2343a78e9501541208363e3ff9c76f46bc25f36fb7f326b13143fd259dfaac71e49caa7f0edf02c35d1f479627c4f

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\Qt5XmlKso.dll

Filesize
169KB

MD5
2e98c97ebf1a60c666d5052f33df4e35

SHA1
f09d55a5658e5b549378af28d698364663091101

SHA256
56b9e2981c0bdb628bb9b69c2266724695bdfcbbc0903528fbc6e7f415b1cf9b

SHA512
7687f06c3450b45d1c278b1630c00fb3a16f064ee1abc5a4026ccb90e19f2f2a61ec338653ae8b4a5629f2572dbe1c18a612628c71a81875cabe565aae2c3421

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\addons\kwpsaigc\mui\pt_BR\kwpsaigc.qm

Filesize
334B

MD5
2b42be10ddde43a0b6c2e461beae293a

SHA1
53888c4798bc04fdfc5a266587b8dc1c4e0103f3

SHA256
984ebeef80f6f50907afb92e5b5ae72df49fce045552c118a77a8887cc98e19b

SHA512
be3ebd02d37de367200696351fb5f9cd0ec4c206c3a33f281cb8b62386457a30a899322798c63a0d495577393e47258994feb7f8e2445645f552c2b7a2de6778

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\pt_PT\history.js

Filesize
198KB

MD5
b4b4c703bf5c6c0b5e9c57f05012d234

SHA1
929aee49e800e88b4b01f4a449fa86715d882e42

SHA256
910eada285d4900ea8e36faf305f731cfb200b317ea866839f5f4864a9dfc09b

SHA512
2afa881ee2f47e97249904b506cf88d68a34c166d9dc0a603f68369e640336f2c0b424ecb7b23d4631a96e175b965478bfa4ebc0224b0410551e55ac4c8ad0ec

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\cfgs\oem.ini

Filesize
67B

MD5
223673e5e8d77083765b70ddf7a0f7f6

SHA1
3b5c4d6304ed6ada0ec607f44a2aace24ec16126

SHA256
9089b4fee2d7596812c52f11dbc9855ca5b2b1ff0a9dc237fe630722b10ddc82

SHA512
62f5a40fc698de593bf29c3ab4d278d798bdc6e65693ca30f85506c95f408f17a00da048e42a23dd5702fe322066a87374cfeb0942d15f3fc791639aab924f52

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\cfgs\setup.cfg

Filesize
433B

MD5
7d78a2449b45fc839f125b47b637bed0

SHA1
29528d84082fe773bbd0570629437ce66d9125d7

SHA256
45cff35c455d94d3832155bd0f7725d7f2734818e688258f033576d0e54cd5b5

SHA512
06b74bf4c906c029b3005ba600d02bd7815b4b14e4795548a89ead1669cd87a83ad00a4f4adbdb5414f73db1ebd0697b0f91029fb07ed6894e9bcbf833263a03

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\kbase.dll

Filesize
55KB

MD5
313c37e93083938c611b550fd2eb0c84

SHA1
a6fae473ab22d163feadd942f1e91bbb41c7e4f1

SHA256
502e848bed07fb2d9d8588cd0bfd38e349c6043f9bc44d23cf01e566db46066c

SHA512
c5239971b447e2a4fc63c10f542c9927c1a72af2809d48a09ca9dafeb50d9f1a736c208dd187b34b5415640819594f4599b06c5a93f7815ca6e6c2fc668e01ec

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\krpt.dll

Filesize
86KB

MD5
f5f21888065a3972afd5758c74ee54e6

SHA1
e4e96da5b12d2e5576500659e9196439b08f5140

SHA256
2ba88cdca118999fa1f2e119de77d6324b16a0bd22997512d079d400cc6ef84a

SHA512
620120e00807775b1e3169389dd9baf26c48d3646f927594543055bebb00c81b81d4527549351ef7e7cccf8111d350feeeabbfe44ca434dd0ef57a7b2fb861b6

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\krt.dll

Filesize
953KB

MD5
8074812fd986ca2116c219e35f1c62dc

SHA1
e9f72fad47ce94f3306d685a76483b013530916a

SHA256
bd346ef9c4f0118b841e9d7d0eb49749cb81bd2b549365c9be394046d956be71

SHA512
39332fd5084e497cd4998f6e18b3706f324d7b7f16eef7afecee126bdde28edb8d4897ffd204f4e40539001717bea2b08073fa2298dc3ef03f0fba6919cc24e8

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksolite.dll

Filesize
9.3MB

MD5
469c2a814a3bc35c804764de29d30a84

SHA1
743c41835dd57a8ddf31ad0066ee07a541e21c27

SHA256
a04c4ebecf0dfe46bcd113726edb3ccb46575d655318283a88c02f75da6c1c32

SHA512
d08a0c990eb34fc58421e8f48c98d3c9a047814c73e46d71165e8beb5243191d56afa2179fac62da7ffd5555bcc22b447a4f6fb7595c6c66a8f80910b64439c2

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksolog.dll

Filesize
211KB

MD5
0a684b21acb673e7e7e4f62a12698458

SHA1
01d1240b399bf556abf8f8f50f7d94447013d063

SHA256
3bdce9ad8bbf953217a8f5968deb12a056e04f351029d3a6288cf4d31e4c5302

SHA512
d049f53cef514c1ea5513fbd5174a7019d1e9f058ccc9d246ff1d1fd93a2bb577978c38ffa798a0ed3bb395556daf850c7be0784755c0236ddb0d5cc9e1fbc28

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\ksomisc.exe

Filesize
3.0MB

MD5
75742bbf10df9fa3be5b48a5aa0b7a0f

SHA1
431d42986fd9d198c0edd3555991ad8b7be68822

SHA256
de198d6174ec79954964fbc1cf758e4e42f323615492540cce90d1f4432da226

SHA512
e5219a3ca7b4c9eb791128ca905b653cebfad4df751282ca1f0f28b5d026d5b24c420b4ee00c09e53106c6059e20ac9c2581e4997674accd892f5a76d05bc3ac

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\mui\ja_JP\resource\splash\hdpi\2x\ent_background_2019_wpsoffice.png

Filesize
236KB

MD5
c5ad1903526a9ca4c2f55cfea1e22778

SHA1
9c7b9ba9100a919cad272fb85ff95c4cde45de9f

SHA256
5e7ba996d2331f37b9799767c0fa806cab9a39fea434796ab08dcaf39096e334

SHA512
e482142e81fbe71666b40f7a2c53702b4278436a0240e0f56200443cf4235d9942cccc3545cc01486d53a0972be553cbf93442e8b05de7b4fcd1fe8a4ec16bb4

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\qt.conf

Filesize
271B

MD5
351fdc16f8e5ec3105aeb289397a06bc

SHA1
115bcf3e66703597ef4fb42acbdf3be37fff221b

SHA256
b54bcf83fa006bf38dc845507e31dd5ae559ed68d45acc12ae1561142661a7d8

SHA512
4cb802df20b51b5bac7ac78f983c191c9c81541204b7ee30683ff55f65694926d144b8003cc504e9c8f16da92ef5d17d5d904050e7915a6615f7c62abec38cae

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\qt\plugins\platforms\qdirect2d.dll

Filesize
1.4MB

MD5
b120a3c32571f1ea2da38aa7bc3fb65f

SHA1
652d1cc2759e96df7c668b78501a609af5a6a045

SHA256
23168a629ec4bd8ab76ef93d32318d70643b0b7714f5be9534190075232fce49

SHA512
29283cc3be5f7609f921ef721366f55238456c8c0f574af30c65f6fb266ef699e09316aff5ec6d14b31090ad7f0e6d516d18f9a144df8317b0df0d71e81e7dbf

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\office6\wpscloudsvr.exe

Filesize
957KB

MD5
144c48713c3dcf8961602bc008bc0fa3

SHA1
47fe6c8e5d35cda6092d2aa1ca119b3b097858e2

SHA256
9ab28c6f66d8900a2f3b3d78c0f1ea6cc1abd55e86c17422c0632997800ac846

SHA512
0209e683ca66750e9ba44e47da08a67017bf460e669e7d36998e5504ab8114c8004760457a503c447eb890a0e05fc82cc69b713cab4062a815176be3fb3721a8

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\utility\install.ini

Filesize
499B

MD5
183330feb3b9701fec096dcbfd8e67e4

SHA1
2f43379fefa868319a2baae7998cc62dc2fc201d

SHA256
ac4f26a184114522200169c5f57a0af4498a20d19b7ec6def14dd2c6413eb475

SHA512
643cc197456f15da6ddd6eb904f2b25ad4236a24310d575958c0c8e457a33167e748d21184162502a295fa466c031a837511d4d5348fd67499ede1b60065c471

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\utility\install.ini

Filesize
530B

MD5
0be87878bccdc39958a0406f9a33ef7d

SHA1
79cfa6a1f07b531fb7faf1be0352cf96333ac909

SHA256
23a9e27273dd180b16aa64cbc23502885ddbe2c1608509fc28cefdc19e2353b9

SHA512
f48569f8f9163a47473f918b533fdf36347ae0ed751a27025c20eac3cc2bf3be342844ced15774fabddf4232433f9a37c487bbe11bda509c922602a06dac92d8

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16909\utility\install.ini

Filesize
675B

MD5
80874ee5694f7c6b0319cf021cd384ab

SHA1
0121d759b81d39b06ce8f8b0cea8f4377c2b874c

SHA256
3b55564dbd0a88cafd3a201300999d24f955f71dc06471fb6fbf3271de1c3fc7

SHA512
9cbcb728aedf9304176b093d51b66e003904a9449cc87546236248c30424c09343029b33edfb10628fb09f2201793bdacd84774ac0d0f215b39636eb60d602a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kingsoft\WPS Office.lnk

Filesize
2KB

MD5
ba5dfeafa73c5f86e5fa95b2f63a644b

SHA1
bbaf3d432a3ad9c3799402889e6ff492766efc6b

SHA256
d9e7c194b78c2a793e8a6155aec88486a2494e140ac4cc0f10e1828a0389be1b

SHA512
7688d2b6a2f50c1cb88ee8aabc80a213eb2dba12120b54354578b39b6f23cbf919a9962454574955231917e7503bfcf33eadf422fd2222c28103f659845a401a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57ba95\CONTROL\office6\Qt5CoreKso.dll

Filesize
5.0MB

MD5
8104fdcc2caa3b42b140d8498eae6cfe

SHA1
1413352da713c786d1ff9be2eddda36a8245a8e5

SHA256
5a3ea2eee0535589b0de2c1468891c2285570136257261eb50c2744bf5d8fc9e

SHA512
20f83309437afc57bd4ef58d48c54c229482fd10e3b0e7e93bc8ec637dabb6ce7b6ab67942d97a35b0ff7c8694d054fa3f87a0050c04678509be99cddfaaf675

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57ba95\CONTROL\office6\Qt5GuiKso.dll

Filesize
5.3MB

MD5
cd71405fd88a13daeaadc9122878f294

SHA1
2eb6ca95ede0507b7fd0fae164b34cebb61dd639

SHA256
39963edad28df386ae535070b20371a5ba4de445912df1b1cabff915c82364cf

SHA512
d573962fd3f15f6701477b328d3395a5e4c78fd847e5e7123ab7d58d5e3d51d959765f16e6848fd879e0c527ccdb115aa312074905380a3ac4881dbaca316fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57ba95\CONTROL\office6\Qt5SvgKso.dll

Filesize
378KB

MD5
74f1aae0ad9c77088879f0f068603b14

SHA1
4dc66aca99fca616801e7e1e08eb61e87ad65ef0

SHA256
6bf93e0575acec1c1bccf7e4d33a4c9a4f12c51811c41ed695115bcc60081d4f

SHA512
dcabee00b11db242552827663bd8eaba89bb94e4ed2f02793467c21630124074acdd1d55682a56d9b5875b3626ccff99cbab666ebdc8820d1bd4d058ce1ca029

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57ba95\CONTROL\office6\Qt5WidgetsKso.dll

Filesize
4.4MB

MD5
4cf25152e7fdc3863d35ab01ed7e5f95

SHA1
bcf5d327cbd6d6b3903d47c63516d81f56361229

SHA256
c70e1ad07aa161eb6dd42fe5109c910ea358935c653c0082654f6810df844b5f

SHA512
706d2edb3c9f4a32554cf07d5faeaa2b7aa8d22f0f0c0076541efd73e093387dd264026dcbae7b790cafd260257288449048df7b277f8407278bf127da669a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57ba95\CONTROL\office6\Qt5WinExtrasKso.dll

Filesize
445KB

MD5
b3843e058782a993918045cb73d84e25

SHA1
dbbc24f2da2e5b9b94a00aa41c08935be184c12d

SHA256
aa696dc9058ed7987675837be2601edd28306a42153d5112dacc9b156a1fceb1

SHA512
3c237aa06409d774f6bbd3aa1116677a39f5f8f166dfcfa2fecab9d266f5b247bb9d2d623ce780631f857366059ce204912c039c7b5352cd2d5a7cbfb748a10e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57ba95\CONTROL\office6\dbghelp.dll

Filesize
1.2MB

MD5
3579da0e10644a74953f6158456b7793

SHA1
75007a9ac779d65dab95aeb8166b328d7f542af2

SHA256
520279e5806416e7f64809eaf0c6570d04e5c4d2e9ba912b53f7288639a5dc19

SHA512
8f46bf067495ea812ba515b820537dc39878e1486259365a414ed05fb47e28473b13cc2c2a939c772c1ef34f551d9b003445b6bd0210621a8d1dd8aeaa16df80

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57ba95\CONTROL\office6\kpacketui.dll

Filesize
2.9MB

MD5
74db79ac13ed0fff6188bc715c885d1f

SHA1
550dc1e295285ff5b9f0af44bdf7df6504c08de2

SHA256
ea52c2e5a544634cb9c3af20eb4ef25cc6d572d606e88c7427bfbfc7f3706aa2

SHA512
dd7a2d90bfe6103e0aa72eac8e5669fb6a18d0b88fb5da5ec42002ff2f5bdcc7bf733f1d3ed6b64e74f109eeb8463cc6a176cff30520f899729ce0e0bfe9f52b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57ba95\CONTROL\office6\msvcp140.dll

Filesize
439KB

MD5
5fd0772c30a923159055e87395f96d86

SHA1
4a20f687c84eb327e3cb7a4a60fe597666607cf3

SHA256
02c7259456eac8cbadfb460377ba68e98282400c7a4a9d0bf49b3313ef6d554d

SHA512
132a9b969104c0a214bde3f8c6e8f754d116cecdad55224bbea7a40cffd98f4e4de503d83d92cca0aaab9ed51c9efa00ad5caed69a9eda71013598a43b161c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57ba95\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll

Filesize
61KB

MD5
d2a04dc52ea4ffcadb4881c9c120b9b3

SHA1
5ff9b4de60e3868697d81fb910b373c7c0a7c4a5

SHA256
271815def5e81d60dce20a982ad9cec1dc08fb43bf37a29c1266a5a367e5f3fc

SHA512
3ef40bf306275ff0202d24209274f7a00acf268763ff3e7d5abd81c84b2a398701a2b317aa00e67316b74aef734e11edaeb3e08fa2adeada77e6663cf143bf2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57ba95\CONTROL\office6\qt\plugins\imageformats\qsvg.dll

Filesize
41KB

MD5
6dd89155cc60c5daf2bec34971d45f56

SHA1
5c550dcaa072296d7697947e15daa629b78fae6f

SHA256
e32f73979f372cb76088df4ca8ee621ff9f853352d5236ee14854868212b601b

SHA512
9896a47418e15b13902cf5300f9331d818d94708f76949f56c28bbecc241e1c0aa153473bde30aa723381045decd01bc375ccdee9b07e00a31dbafa1f51cc961

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57ba95\CONTROL\office6\qt\plugins\platforms\qwindows.dll

Filesize
1.3MB

MD5
9f471c987bb028f30b5a51ca83fc5586

SHA1
d91252f67c70e1b17138133c0d31463da1184176

SHA256
555c000fdbddab11c017da8055f58169a55f8772dbac78ca8e4572a6553db071

SHA512
cc42fdb7ff0d20f485e9d5bcf7df5bf3b79e626ef44c3cae23e9179cf97b197564cb73fa4f2521495f95a3e337c1f0d533f6d3f2c36900a84dc2f546ef5e9474

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57ba95\CONTROL\office6\qt\plugins\printsupport\windowsprintersupport.dll

Filesize
70KB

MD5
ec662568b9acfc2930375dc40935823c

SHA1
d055469955e8c947cdba8063be36524ef29f78d0

SHA256
4c51ba181dff507f1b495e0a2c8ccad469b5a4eb51523e18ddb3a0b886f2300c

SHA512
ff9898df75781f91a443460161ac591f04e23f566ca85628ea9ce56a2ba15761ef4e6c23e8952371529efb9e96e4ac4aa16733ea710d1cb65fa2f450171f8f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57ba95\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll

Filesize
146KB

MD5
e128074d836e990fa6e8c20c16598f6a

SHA1
16c786082777f3f80a486d2303360e06f63ed599

SHA256
88910fcdc54e2a80a7ec124920cf0af8ee1221480c2ebfd181555ec6e6a9088d

SHA512
82e95748595102467b0248a7981137e269b8c6123f5383eef40017a0fe41141d59156a6b48bf6d574ed60d8d7929a9a9f34ccb8e07e5089af4ca100a9b765526

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57ba95\CONTROL\office6\ucrtbase.dll

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57ba95\CONTROL\office6\vcruntime140.dll

Filesize
81KB

MD5
e51018e4985943c51ff91471f8906504

SHA1
5899aaccdb692dbdffdaa35436c47d17c130cfd0

SHA256
ff9c1123cff493a8f5eacb91115611b6c1c808b30c82af9b6f388c0ef1f6b46d

SHA512
2fe5ddad2100aeaea35398384a440ba0be169ef429f7e0b69687bc0f8865df41bc93fc80d3a8f0ddd9df54fc2f2d76b1056a1d1962d37432704c818128ffbd74

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57ba95\CONTROL\pl_PL\style.xml

Filesize
3KB

MD5
034f37e6536c1430d55f64168b7e9f05

SHA1
dd08c0ef0d086dfbe59797990a74dab14fc850e2

SHA256
183a140011774d955e9de189e7a1d53cb4128d6abed61c7bfd5994268ee5f384

SHA512
0e1911c882152a4e1059a3ce1880d7fb2aed1e1e36cbd37055de2e2a1333acb2a0233ba2a4d969ccebbef1e77809aa5e78807aa9239545beae8c548c0f8f35c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57ba95\CONTROL\product.dat

Filesize
112KB

MD5
e568b6577db690b099db51338853f0be

SHA1
2d24319c334b6319bb19c580f537e6339de48bc5

SHA256
257f1947e656eced86713f72deea7261afe30bb07e9c4f109ea29a6c2df63f16

SHA512
16cf5f031bd8a3e1998b350913d7963140c95ef75e8cac2a5f878a9d3c80691fae24463ad9af64a426fe97dc78a0f51edf75b4a92429191c0809bfcd0f0aefac

Download Submit
C:\Users\Admin\AppData\Local\tempinstall.ini

Filesize
387B

MD5
c38481658f9149eba0b9b8fcbcb16708

SHA1
f16a40af74c0a04a331f7833251e3958d033d4da

SHA256
d0d73f49bc21b62fe05c47024d69406a3227da0f6b4ffe237726e6a031f188d2

SHA512
8f98d62f88442b8ef94aa10074e35aa8d9494f3c76ce8b143ca0bf7fa0d917f3175212fbcd6e7b0597fd0ec0e1b2827f157135512fb01c88218d36e2f7dd73ce

Download Submit
C:\Users\Admin\AppData\Local\tempinstall.ini

Filesize
433B

MD5
a9519168ca6299588edf9bd39c10828a

SHA1
9f0635e39d50d15af39f5e2c52ad240a428b5636

SHA256
9e87b2ff306efedf7bf1074749b4602c332bc825aed80721eba19d5f544d2ec3

SHA512
0607eb1f5598320961fbd8ef75beeb1b6dc1af3cae7eeb5ba352f3e2a2edb25e1d9e68fb46c24e4299957352c0c906314c889c2d1092437eccc1d1a0485f3557

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FT7RD35GOIEYL4WQFWS9.temp

Filesize
8KB

MD5
f6111907b4e0a9a36fc75bb185b19149

SHA1
3ab098c8d90607b51d5d537e4951c2ca284115db

SHA256
142aa564550981af0ad890297ec11f67dce9af23e52139793cc274966bccfd02

SHA512
a36d6e8a9cc2adf6b61122181a13a264cee866222c2137ea3abe78d1b84c7e84335fdb09e777411d30f4a45e95fe2b3376dffc9610addc9bf3fc7ed5f338f810

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\cfg\onlineconfig.data

Filesize
905KB

MD5
9f4dae600a77ececf478e3996d57d4a3

SHA1
2d8818209e3ebb444e4c5c5d7cbc1e1b8aae0f1d

SHA256
2d4e609a48344b7d0359c884eb529b3c9989e8de2b6619dd78a19689541f4c58

SHA512
998485d86aa53330722dd85e64d062dee6cedf3d75dd9c0545b2d96b41472968972f2c3f5a796578cd285e4212ea6ee4ee39d4af7ea390c22dbef63e8ef77b77

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\ksomisc\ksomisc_2024_06_03.log

Filesize
4KB

MD5
72e9ca4d8bb8ef77f23020ae0b21a3e1

SHA1
442b6d52b415bed3660f06ee7eb3c237005a2292

SHA256
735a577b611d75a37002641374f4df5df4ff535024cb3d9aaff8929c155050f5

SHA512
9307528e7cda17d43641dbff9d0df54a654d3ef3bf8cc9d9147c47521463967bbccefbc6879ea27b05762dbd45fff15b5852a433e8915819b6db58267c396b87

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
11KB

MD5
37e94080a8c0c96c00dfe2404484c549

SHA1
de0e075bf49b86711173a6c851d2e13b741a85fa

SHA256
53c09d6c51f2e43e618bca883a5f400364f7b03cad5c83f1faf2415c080141a9

SHA512
c1031b14bee89f0b04b38c90e7e4f1fd20a8e2bef059d035e25a44e77919676124bfdbca3d5c24a9e9ae2611fe3f4744a95185f1c3cf4efbdd09b71844173f33

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
12KB

MD5
6f008f27c9820a19de6449ccb4ba1746

SHA1
62642b4de506cbb66ccee06ffa2fcb86cb47dd75

SHA256
e023d4a228d517a28f5150affbf0951bae89dce56452a55d9cef14a5af7dcaef

SHA512
f2b2206cccdb9ec0b9987dafb8031b4b6a9c718c4dc6d8e032504f9833ba074292d048d46753e2f78111bd6cb9c86939d60752ff1d76db3956caa41a64461916

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
29KB

MD5
d8d9d0a1401e1ad73c7f8c2d6590f145

SHA1
84332d2c884bd59fa0bb34516fc80eca741fce87

SHA256
5737a104a406f12ed91925bb392dae8554ab79baab46b6596f3fe3072a88b5b5

SHA512
6d9d2f2ed3f8fb83f011c2fa8ee1a0d4e453a6072040961cc8c764f7cff1643137e4a25b6ffb06d0f63f21d118b02c01bf437dcded53cd15131232f818b8fb56

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
48KB

MD5
e84788a868dd9c29ec98d559dd33eb14

SHA1
b62f149e26fff2fa349bc14f220cc79fd6e92808

SHA256
49741ce248a06e55a2ce18eda61b9a9f861182ad84452d965c540faefda450da

SHA512
fa8fbf8e252a83910cd56ea39bd8fca84cb5f6061c82a60dfdbe11d0081d10a16a36edb4f84430d86cbecd75addbe132b55c2e4a3d62a57187399765eed9f2df

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\LocalPrefs.json

Filesize
484B

MD5
4b763ed8fe57ed08e0e7c7e5e8b43650

SHA1
af73a98e3b6388a6e5abc46e759223943712d219

SHA256
3f57986b9f830cd87a402d89fc04ae9d327d4c61c0342f3afc9e86f63de60f28

SHA512
729f9e21085446669b96d5a48bdd0955c441505c2208130f9a8cae1c034e665a54f6a824a798447e18149c93dd88323bdb6c76e4362a8f599eac2c9effc07175

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\LocalPrefs.json~RFe5901fa.TMP

Filesize
389B

MD5
91f3f715f072fee6712d6f07c785ccb1

SHA1
7910f63ce66fc524673e15f1f7704b1ae8ab05b1

SHA256
80e68d2b45f7d8faa407b5e8afa639a34d96fb86f6a747d51d26c2b78b65614e

SHA512
9b235b83f70fa4b282ea2b9b9a7d03c354d5934478cd87d4a7fc363f689e2972a3955466dcb8e0783c40c3a2cc1e6cead6f22e8aaeea9bfd95feb4320215f45e

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\KWPSBubble\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
359c7d59b39cfc3eb7e34214f7e0200c

SHA1
a2861f75880e9aad2e2afb0317b34f91dff3f16b

SHA256
51745cf9a23af15d8741baa530fa779443a5294f160ea5fc57c06bee9583c21e

SHA512
b8f4dbc18683c229d9f33c3989fcabbc083d2eba80eb15f8793a8b34d276a3eff00343d5c1cf6983d7c4c8a6869203c02e6b0ab218569cabd2fc17292b8c43ee

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\KWPSBubble\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
da2179d48d9a8346190a738f1fc3adca

SHA1
a3d277ccf4066491565a4e8e5dc7dbe093c2cb9c

SHA256
0712fe687c47c8021e0bfd101881d96677ce5abc5e55b7a9985750d581481546

SHA512
1157192ca04625a1bb523e488adae1b5a1479cb939e3d2c722a87d46e58dc97f14a4d1ccb5e8028863da407405244c7cb997c2170e63c822839528a2c435fda3

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\KWPSBubble\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\KWPSBubble\Network\TransportSecurity

Filesize
370B

MD5
074d383bcac12df50cfe51a51d638406

SHA1
56350df4b288bfc1b37a8e0772430041bd0bb3ab

SHA256
d35114ff3a187f48a8d990db343349a2e81c8c7dc5820108043f7bc9615c7973

SHA512
e16058b21b791a8628b668cafe755957dea1254dd3f64eb2c56721188217b519b932cd5f40257b26d2a11a89253df9a6b90fc129b454feffa6d99e7b39d8a0b6

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\KWPSBubble\Network\TransportSecurity~RFe594ee1.TMP

Filesize
370B

MD5
4e4d6ebcc68ceb701c47d79e8ccd3ca3

SHA1
92ba652fca2895a05c48512c15da1ec433f8aaa4

SHA256
53494b5624e94da3b3cf97a400bb91ea0ea261694bcb0b6da08ce72b15c5764f

SHA512
604b587fc4a6e47abe9d1559acec95ba5a85a8ed1dbba020d3f6dc32767840ccd87dc35e4c82dd3d49dd3be1308e26c89c43dd975e05987e879a8442cb5b3a84

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\KWPSBubble\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\chromeguide\plugin.plg

Filesize
720B

MD5
f842d0f8584ca4060a1e1920fabb8103

SHA1
08c7f19262778159b8123986db51d62063cf5fb9

SHA256
9014a957614a32f0077ed1f4c00dde933d1b223266c2f2483d20ced3abb00c4a

SHA512
fcb25fdfa9b90a6c6c02b4298a837b41d9b6349c0c925fa5caaf6144bc01d41c6b2fb5bb7b1bc1ec05a342121195211c04b222b939591e76ba5417bdf3646d56

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\et\plugin.plg

Filesize
14KB

MD5
912bd549e77ce8d039a1ee12dfa1e49c

SHA1
4d9c76a340927cf9509dc15e80bd695f149ece6d

SHA256
811d91ac374da9ec4b22d54300e295a578b3bdff9edde82cfa352460ee509a07

SHA512
845c623800af9f75000224f82029547382d8ce4498791e1bfc4adbb33d5532e5e4d96c51c8c3def805bd0292df835e9a54e1d83e25bff6281d6cff8e2fbe8990

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\kappframework\plugin.plg

Filesize
1KB

MD5
175a31278bfb2e84b7fd5600557e69e5

SHA1
4b45cadb62682b2f32bbf94e6feaa2985d745968

SHA256
ca1954c9ad7a296ab23833246d227c7d679d9c6ae2180e6c7c1706f1744b1021

SHA512
cb7557db27e85f35fcc13d85910fe63e0b1ffa12749c0d67e252f11abb6d8f5f8ebaf2dc238c96d394ecc2e90cbe8609579edfd45158845988578d277b4a0120

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\pdf2word\plugin.plg

Filesize
744B

MD5
b922ece44bf814738889e703847e9187

SHA1
1fa3ba7a83415f8a2fdfe3474d19fc163053bd0f

SHA256
e3777065014354e07e330fa814fd4aafd0b793585392fcf8688397d63beb5c49

SHA512
e8d4bf8e372a98e88ffaef50cccbbc5f0af6a761fbcd49005466fd196cc4ac68b824f7b1f376ef03fd552612850eb82e149aba605f2b14fcca033161a3046be2

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\pdf\plugin.plg

Filesize
8KB

MD5
f4581e386804a17a10a762a93c0a2af1

SHA1
aeb5bc1a7c2624b8737825ab454feb56874e1a6e

SHA256
bcb1acbd4b6881611ca22b5ef491a12b5d489dd63273089060e2f3133654c130

SHA512
7700c324fdbf55a6b29b9ccb91de672779219207badbb8f49e74ca53237e4d6ca152bfdede703938f961b8d8be02d68744a2f1a5503bc1f630bc01b3d601f7e6

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\photo\plugin.plg

Filesize
2KB

MD5
19b3ffc379128a453276cb065cc617b7

SHA1
1b475e142874a61a0ee560e4df6d68d08a653a14

SHA256
38c7764fb4e8a4c16f6d7793ca42f41e83b8cf55c601644d44d87e8c3dafaec1

SHA512
620d7195dc642df4f4bc0228f139543d276290475ef5f0fbb5dbb3ceda1aac858418e72fb112f19558c40826f1f045dae4baadf6dc906975135b19ee340fc482

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\plgpack.plgx

Filesize
5KB

MD5
d01b7fb842ade68ccd1870689c159fdd

SHA1
1ded1be20f08fcc2e8a7be6ec35f82cba14eb2c0

SHA256
e39d1c695759cc3c508531df5634a0733c1201337f7f4af0c36a16c7c66ef0c3

SHA512
39b883019e13dd7b6da1ae862ca6e72ab9552a19dfef2687bf2da000147af47ec9a3375645b5849cb7470e0c08cdfa630221f387fe9015280583823fc692ac77

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\qing\plugin.plg

Filesize
8KB

MD5
18ec94f2998a9442095da23eb0659e7c

SHA1
67275c42a5e4af46f4f8907e094c0cc5662469dc

SHA256
c75c55c5b3376752a500ee1939b852c97756b57be9957b7af28af5caf95d21d6

SHA512
bad4a7dcb57bdffacb4b17e34b6114b01e7064f3eec528e1316375211dd0c54443b3f597c90b8118ce9d5879f439394d23aa50760ec20f9af63f560474d79bbb

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\wpp\plugin.plg

Filesize
14KB

MD5
7d9fae7a11a1c1f63bc6e828fa86992d

SHA1
ac65f3c61dd133b97da4d87c369b5be61fd6bafe

SHA256
94d12f61f30ac32bbddf35325e1bb6a56f109f88fa4a89dc9f92a04344cb18b5

SHA512
bc39b32bdc09c1d95eed18fee97302ebac01fc517113101eec09493993663228900332a71e1a55c5fc1f04fc8d044b021a63549a2099bbeeb4e41e1abfc9716e

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\wps\plugin.plg

Filesize
14KB

MD5
c9529db7db458e24062eec5cca5039a8

SHA1
643081ca6e83b6114d50e87299d8b82983398bba

SHA256
1d0db055ca3d4ecf3542fe19186ce160ddf0a1833062c6b7181faa451aa19978

SHA512
96c1c0141ff54f9939eb7807fc7517e167633b2aec03bfff913c73773dc292fb9bd970e398a76630dd6ff12f36b766e4aff7d65a26de9950c48805025dd0a052

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\wpsbox\plugin.plg

Filesize
776B

MD5
bbc906939d1085b5dbc7c2698fddbe78

SHA1
50528aa05cf6e44dac0e2cb56a368e22f5c69029

SHA256
a75d99d3a5cf2af1c8700227a90abc629dda63bcd295e3b14517d8a1d321b13f

SHA512
1662d60813f85393164239ad081878f855ac05ecf5d38dd13fd9cd35f5a00ca3a5012dbc8f163706db628f778eba7f0068f9d9d1f406077fdcce239e64339fc1

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16909\wpsoffice\plugin.plg

Filesize
7KB

MD5
a01b7a60f42389a99d5c599a9e03e222

SHA1
37daca23b11cce152fbac9cd22e0caca79584a2c

SHA256
1bd40a6bf6f5685d68153399e512f9a7115b549ba051ecb53953674d018f724a

SHA512
604bdb306a78ac82aa40631253ba9b6fc42e7a108770d572bbf4254239f826f1e4e24cffc4389c78790028bf1b3f6b6c34330e7735b0f5571b3203e32e94e994

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\chromehost_1.0.2024.9\chromelauncher.exe

Filesize
110KB

MD5
171b5f7b065e6fbbcc5913112701d902

SHA1
0d7e11dd212cdc8e1864bab08450f0ec14941bdc

SHA256
8bb50578ce904020146d7f0bda4a56c1f50fb428c8ca611f5647383507806d65

SHA512
675529df23235581ab2bd789ba0bff1863a96480c47b46ba44115a7e8675fd54fd2de3e52251c94560716841282d75d9b0345f98693783a8b027c4dca7fc8240

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\chromehost_1.0.2024.9\download.7z

Filesize
2.2MB

MD5
23dfb30abc2b062edc251b1235804a41

SHA1
402ef99a0a3c68af625c28970756fbd039e72ea6

SHA256
49ace3f33d1d70b683bcc954af12578565f869cc6af421fb8e9e7e8b7ab1a0b5

SHA512
37160c2277794c2c383c9cf0a7273b6f74e9b2c84a98e3cbae90ff74abe273508ea1f97763836a0f7eb6b96febe183bb1c992c8b9abdb9a735dfa9e5d84caf54

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\chromehost_1.0.2024.9\run.ini

Filesize
443B

MD5
4e1aecfb8f941521e3a16cbbcf1e3418

SHA1
d61831a61049424ce80f5076e91be965d764e32e

SHA256
bbc30b97c2d501333061f4f77439a2da8e8454b8cf5602467af260c9bebb6b18

SHA512
ee74b3eba02b80ca9032d1c1afc5b436031e57ac4a7a52924185b2c8eabae81f3309a089fb9f23864b43363d9d3587a7338da2c4e1c33991d5648ec361c9a9ef

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdiagnostictool_1.1.2022.118\download.7z

Filesize
275KB

MD5
422a47b49c81c94a1f10078e376096da

SHA1
b2454a1d09f83138c903d9502c32124d6360904d

SHA256
9b9eb4c2cec67ed2aa307ed978701ddc86f0b63ab63fdf9b3430a91237a5f59c

SHA512
2803ae66ca2a6b2e4a4881a1266c02048d8d4a86a9ffcd01696b4463d3a18846261877933fa4cff503ca984d59976effde7de0db830b96fa4267c4d41ebcfdab

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdiagnostictool_1.1.2022.118\mui\es_MX\kdiagnostictool.qm

Filesize
3KB

MD5
5afc7d8ba894df59c2b3f44726cfc2db

SHA1
a21a7a8fd943455fa47cc5d950603bf1bc5a145a

SHA256
4824e414e29358d0011ad1195059bda195a90cedfbd4c0f07f8cdeb0e84dc2be

SHA512
a9a040e0f3555f61094b42202581a262d29377d414dc6a87596a2bbe4daea8fa3bf2eb10ac52fa6d94a522d54f404e247ee7b272cb41acda898ed6734c8ed639

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdiagnostictool_1.1.2022.118\mui\fr_FR\kdiagnostictool.qm

Filesize
3KB

MD5
62f3720e184f094c874fe0eab7f0f598

SHA1
cdd858a80bbd1268e7c5278ebe19c35659871d2b

SHA256
bdf3b27cc070b3cd9deb9a5e2bea450382d6851723c266eb0d5f3db4798f5a14

SHA512
14f532053b0272fe0c614de9b56bfd9ac85aee11e878e099531250b00f667d2428789e81b5ded64cbe51dc8e3e8e19d7cea8dc08314b1c0274de15fca17b92b6

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdocreminder_1.1.2021.136\download.7z

Filesize
103KB

MD5
31bdb9137432706b904e8dfcdccde030

SHA1
d26fd902b9bc1048731983854ac605e894075130

SHA256
af28e7d61a9b2467a78098341ca188626a90acfa0df4b8f81587d1c35f89a55a

SHA512
119341029755a087f45a32d3d94dc320fbbc7f599ba9ab20dad4479e1a08d24eb7799cdefcb47051ba835e7fe2c220e4e153a3d660b9a22e2a56cf82910e0280

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdocreminder_1.1.2021.136\run.ini

Filesize
292B

MD5
da4b75c3d70c08be415e7b25abdc11cf

SHA1
c84dfbb528a3c8ce94d068dfc5fbdf7d621d0225

SHA256
e93c62beee030970bf56bf0a3aa372ab0b155c1c3436173617c8c735024e8f36

SHA512
0fa811055deed42a6cbc0f16f93da173718f4169ebf8d4ea125276c6225ba033c7644a68ee010250379b67a057e17e5cba6351deca067850ab318c505f49e491

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kguidestartuppane_xa_1.0.2024.13\download.7z

Filesize
543KB

MD5
fa94183af39197b82a107533bdb0a610

SHA1
0f9544703170d7318bc49a042e2480a476619055

SHA256
193b61e14e9f4cc13ec7262ab2433e009c897af0a64c1a188c21f4bcf3d65b0a

SHA512
c39fc25a3b72ca18b662af5d1d2279a355c13c772bef8b465cbeb2bb80691337feb70a223ca787d393f4844bc2626d3e2ee32262fd51e7706ba41c0a1f06b159

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kguidestartuppane_xa_1.0.2024.13\mui\default\icons_svg.data

Filesize
39KB

MD5
e824781565af44e6bb0f6449e58109d9

SHA1
e7de21c809c17618ca8e8e1330f0ef93b6c94478

SHA256
a387033e51aac2002992fa43626d78f68f68af3193b57d905c7af9cf9c7884f4

SHA512
43de1016628cd7ac15d2be41a986914877e7a987801c6ebf6292e43e9ea23a3a6f4584435f0556085417af18b87cb113fdf8f8cfa3cddd5e1db7163d7183de88

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kheaderupgradenotice_1.1.2024.4\download.7z

Filesize
202KB

MD5
ded028d22792f4a299acbd2d410e5f0d

SHA1
940944738e557237c0099117c635da874cf78263

SHA256
20d84711493557b73f42b31171cc6840a8079248209768ddc75d10da46ab6bc4

SHA512
28ff645f3e78ca9a88cbdaeebb47504178385627d1fbdf68b099901e8db3afc470251413a453c82e7633c232a7c4400789819213fe79e7e3518791775f8d54a9

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kheaderupgradenotice_1.1.2024.4\res\index.html

Filesize
1KB

MD5
66bbeb8733bee0c788685880cc46acc5

SHA1
07d104aa23fd4ad765095ea771667e1440ac6bca

SHA256
faf96f1472b09c6eed78da690151b5b57133733e2f562dc6678602746a79342b

SHA512
2d919a92b2c425d0f08d609fd825de151c5ce54cd31d83405054fa84194c85568ba512af4f1b38136c12152764ae0ae34441f36b4f23ed5ae74438502b0d1558

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kheaderupgradenotice_1.1.2024.4\res\static\js\manifest.js

Filesize
1KB

MD5
af5a4ff62384fe67791d8cde9176ac0d

SHA1
cf5aa9528fe795b75a569352466ad944652185c8

SHA256
5d1122539ce1ae98804e216cbfcada9f2603fe4f86454b2b29e7d7448da97891

SHA512
f78a72b7ba06b257fec3a97bb62d20f7562212e995d62438bfe3d8181fe7f56c3e14194e9203e64b0e259a7cbdd900125f5f185bc8d736c881f8ca0e2920273d

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\knewstylewebwidget_1.0.2024.2\download.7z

Filesize
26KB

MD5
d376efaf6d854b1bee45900c41ddf638

SHA1
e003e35e78e5b47295e0e24b941307557d0138b2

SHA256
8554d69d55cda9d3ce258b51cdbc891090de8d2e74b25790de8e4538bd9c78a3

SHA512
ea297acb09fb0c2b18f08751345087b5a5a301861e162bd25646f551ea5a4c0dcb09e27b33aa7604720eb326e21fe04ea0e047a5dcdbaae41a1c1086ac8ceb4d

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.6\download.7z

Filesize
3.6MB

MD5
c6a9b8f9e67331693443bd63bd059330

SHA1
a26531aff0f18fab760ff70ff575ac9c41416b62

SHA256
db55415a6ed3b4f60a314920bf886a02e06bd04a9818b7f620f85cc71632c127

SHA512
766a4b57cbae850e0ff566c52fe1d9f3a341576b2fd57313fec9f1ea477f67485bd53ea5e6d02f1175b8de953f126bf7bf78683ce5bc109be2b7012072170ef3

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.6\resource\premiumcode\element-icons.ttf

Filesize
54KB

MD5
732389ded34cb9c52dd88271f1345af9

SHA1
8058fc55ef8432832d0b3033680c73702562de0f

SHA256
a30f5b3ba6a48822eae041e0ca5412a289125e4ba661d047dae565ac43b4a6b2

SHA512
e8971ae48f5287d252f5b0a2d0516091bef0d2febf7d01fd7b435e426d106fea251037439ec42c2937e934b66f38e5eb43d00a213cdf334f482f4a06b1817f9c

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.6\resource\premiumcode\element-icons.woff

Filesize
27KB

MD5
535877f50039c0cb49a6196a5b7517cd

SHA1
0000c4e27d38f9f8bbe4e58b5ce2477e589507a7

SHA256
ab40a58972be2ceab32e7e35dab3131b959aae63835d7bda1a79ae51f9a73c17

SHA512
da269b20f13fb5b0bb4628b75ec29e69bb2d36999e94b61a846cb58db679287a13d0aa38cdf64b2893558d183c4cc5df8da770e5a5b2a3288622cd4bd0e1c87b

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.6\resource\vippayment\assist\base64.js

Filesize
6KB

MD5
12477cb6bc99f90086f05e54ea7dcbe8

SHA1
4009eefda873514a6579830888d5f12c50d7b3de

SHA256
6520eca957e8a4d7e68e0dfe17f1cea9d42c6378962f454e7a911ff32e5e6248

SHA512
a7a16f935d71f60bb382622ff781a3cef234865efbaef62ee268163a416bdd9ea285f33c843fb729cf8b8eb6d18a81de5311b01d19b48c998b08d79f29e59d13

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.6\resource\vippayment\main\img\loading.svg

Filesize
1KB

MD5
544223e85768fd134633a1af9d5bf536

SHA1
5536a0023ddbfb2ab67e9ad8ca4d38c60f413b9a

SHA256
a3df9710c7e09fd8cffc14bfe45f5a1576deb1846ced44e5050b34caf5527049

SHA512
a5cacba054d41af8efd607074c02f36ab731b5d6bc9ffd3bd7ce6b09a4af09b31e29359eb965728d2a00849467b1af66e16186a0c07b4415b3b423a5ea4f68ca

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\krpt_1.0.0.107\download.7z

Filesize
703B

MD5
0edafbd62638a75ae8b4debc9fd0b3db

SHA1
814e953384ee2771bfcde0584b0f6f5691217ede

SHA256
3332953a07daf624094590bc8d2bf9d4ff1ec12c53a43a7310efa11c7cfb71e8

SHA512
ab42c6b7922f7137779417bdb5246ff660133f8d566a54fd067ecf787d27ffaee1d65704a4b9574a6fffede9b497b93638f558ff2689d375017d5b074ec88120

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kscreengrabapp_1.0.2020.193\download.7z

Filesize
22KB

MD5
3b91ab7795510566a0cb254022445a1b

SHA1
2894a929aaa08aafc6bc74278a1511cec2204223

SHA256
223f4d92777f385e8ac9f8055ce1362bbbcfa525e36933605481abfdf8f48c79

SHA512
53ac22c66f8883781d2904ddbc40d72fcbe9bfa586b5f4e1c083dc7ea45076ad1d2bfa9de2ce5e04b3c8bc9770f633249103761d7874e56662644d07cd502db2

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kvipupgradepage_xa_1.1.2024.1\download.7z

Filesize
30KB

MD5
d791a4c5021c3934aa216b9bf5b447d0

SHA1
f954fe837a9fda1f8172280beb2fe9b578a71a51

SHA256
1af1948f4c1f6f753b3a920a787552a072d88c060b7fd3a834343f0dc9f2fbfe

SHA512
32b91c12d8922ab3dbb9735770e8533c3de84c9562c3725606d42d50b3acb97891eb65660c7bdd36684c7fabca07e054aa8b4b667b6f701213e33f08a187bdf2

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kwebfissionactivity_1.1.2024.0\download.7z

Filesize
148KB

MD5
cc52c7912e7c1f213f6a2d79ba1760ef

SHA1
c41c1e31bb134869bb89a16e9bb8f67fa42a61d5

SHA256
7cec7edec74ddcf9c233cc440985149545b65597b965704022ff7677d8d15876

SHA512
58efb87a6f2c518d3450426ac1f6cb68f9e4b84ca987b3ea5bb1197f9cf0c17ff3d456cc5cacb2107ad86d63399ae29b67c1096f3b83cc627128cae3ce1fb280

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kwpsbubble_1.0.2024.3\download.7z

Filesize
56KB

MD5
54079bd7a79b895706cb6ad73cc4c627

SHA1
45068e27f84dcd16044f4628a020629d0360d8b7

SHA256
355d005cf859c66b298bf475fd646c67ba5fc952c9f670f1b964714b24f197df

SHA512
94d65c7336e0e8597a83c633dd734157ed17d03f9317b9857141724af6b5948c20f82180b4127dfac6da3dadbb4d8aea7ecf5d23d92e87ed719a480a5b1a6c68

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kwpsbubble_1.0.2024.3\run.ini

Filesize
312B

MD5
ad3a68e7d8c8bf2470282567d8ca7ded

SHA1
addb5ab04165b4743ffb985918c08ba0a76a6eae

SHA256
27e743bc78f9a2862d822fc171789160905ee26545466f93052f8565aebd523f

SHA512
c8e4b63fb79c365cb48a0ee0c4351f6f94da9ba8ce62f0b14d8ed45726ebaa478f581efb37e254e75e1c561f5ffa1d8985e867957c68c04b8eaaa2945e838505

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\pdfwspv_1.0.2024.3\download.7z

Filesize
5.1MB

MD5
3303884fbf771d8e3dd645bbc8bd76cc

SHA1
cef8fe59d3161645cec87eae5d8d426604e4f2a2

SHA256
77756cc9c3fa51ec2bd20a39f9c3ffabfb152ac4dd285bf8befae228971f7cf1

SHA512
053abe0567cf8e99c49b9bf3395dd5e8db1c360dd4805c516c9c97ebe0532b0a9090e6fc2f41fbaa910fae21e594d2850729dd527b72dfbbceb53e479f874b62

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\pdfwspv_1.0.2024.3\pdfwspv.dll

Filesize
165KB

MD5
4c6221b526433ba802635e2fa0d53ff2

SHA1
059bf2b126ee3b901b7a9dee8b53c7e648cc5ebf

SHA256
300994947e4af25ddcea546e285f9d35131e7efa0070d9855d873646d4a73177

SHA512
b1bdfd321ca6b788948383902b9f317bb46a8abfffc4fda29bfd51381f96be9af35274ff7d62c761fb83b09a05e2bb179df6817fc631e67a315787b86f4b31f0

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\pdfwspvreg_1.0.2024.3\download.7z

Filesize
21KB

MD5
87eddda6cfc1c6e1c86e1b3b371f369d

SHA1
7910a432cc964bc1e1be51e0cef2e986cf54eec2

SHA256
4cdfc143513060130052f306c0a7cb93731967dabbbfa22cf892518bfb0a6d5f

SHA512
c7bd1162cd851672e9f5ed21e8fb88d734232360be0433e98a82a9f04a4f35e2f59ced11716244f3f30ca021eebe111ef9b6e7df5eaa1c356ddc75f99445cdc8

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\pdfwspvreg_1.0.2024.3\pdfwspvreg.dll

Filesize
50KB

MD5
ccd17aaa7644b6979f661e7c72fa077d

SHA1
9cfb25754ac4a4ed487ce6c4655ccc78b5aef975

SHA256
b5245881da869ea02155d4052eda1390339c87496da055f85c3985a912e0401e

SHA512
2199d618af0d3fc948f4c39700cc8cefa07ed75db29ec348c71c013678a9ec3befcdcc5c3cb1d804abca5df4c3e6aec10caddb29188f28fc27313d6609dc2a49

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\pdfwspvreg_1.0.2024.3\run.ini

Filesize
253B

MD5
0d914e316c8fc542e5685b1598899979

SHA1
52e575fc0c66b60cd79d29ae4486944cf06995b0

SHA256
484e6146403c96eaeead06a97a8ed86d67334a9185bf009a44f7b1cbe5402e2a

SHA512
77ca461895bc65f31dd8fc5182dbed383804b4d3315e210bf65195776510bf9c09c11d87589796ec1bd272f67762e5ba28be4d64b8a58f2577cb6da79dbd7319

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\photo_1.1.2024.14\download.7z

Filesize
6.8MB

MD5
62fe07e2c5ef404cea0b023c590799be

SHA1
a2668640fc716a4de95286061988a1699c376cae

SHA256
4daee09248f3382f64d1bcefae6743e4ebed813fdfa5c1d43ed1638893809e3b

SHA512
e2a29a1cdd6a6de42bbfa2ea558e1b0c4af9e72666eba8f93e4fab92d41991c9eba4ff192f7ffae4070b3e5be4acbbbc6af077b19ba3e0c92c55df09c948fae8

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\wpsbox_1.1.2020.213\download.7z

Filesize
503KB

MD5
f3ff3c47ae68b0e6234b72d354ac191b

SHA1
26c380b44ad61b258a6de56c75c7f568d8c0f876

SHA256
cbac9ef94e6c6dd11019653c64bec6a3e6970779604555f5f77974258c214333

SHA512
43f892f5172b03e4e7d8f3f3632012ca62a7cb104f26d7d746005abf94472eeff881087c1ca73483f1079f21befe321af7372c6e17b26bd77f8fd9a03935ed95

Download Submit
memory/8-4463-0x000000006EE30000-0x000000006F786000-memory.dmp

Filesize
9.3MB

Download
memory/8-4464-0x000000006B8F0000-0x000000006E918000-memory.dmp

Filesize
48.2MB

Download
memory/8-4205-0x00007FFBE6740000-0x00007FFBE6750000-memory.dmp

Filesize
64KB

Download
memory/8-4206-0x00007FFBE67E0000-0x00007FFBE67F0000-memory.dmp

Filesize
64KB

Download
memory/224-4815-0x000000006B8F0000-0x000000006E918000-memory.dmp

Filesize
48.2MB

Download
memory/224-4810-0x000000006EE30000-0x000000006F786000-memory.dmp

Filesize
9.3MB

Download
memory/224-4808-0x000000006B8F0000-0x000000006E918000-memory.dmp

Filesize
48.2MB

Download
memory/748-4813-0x000000006B8F0000-0x000000006E918000-memory.dmp

Filesize
48.2MB

Download
memory/748-4799-0x000000006EE30000-0x000000006F786000-memory.dmp

Filesize
9.3MB

Download
memory/1108-5117-0x000000006EE30000-0x000000006F786000-memory.dmp

Filesize
9.3MB

Download
memory/1256-4774-0x00000000714F0000-0x0000000071513000-memory.dmp

Filesize
140KB

Download
memory/1256-4773-0x0000000071590000-0x00000000716D9000-memory.dmp

Filesize
1.3MB

Download
memory/1256-4772-0x0000000071700000-0x0000000071B71000-memory.dmp

Filesize
4.4MB

Download
memory/1256-4768-0x00000000720E0000-0x0000000072637000-memory.dmp

Filesize
5.3MB

Download
memory/1256-4776-0x00000000714D0000-0x00000000714DF000-memory.dmp

Filesize
60KB

Download
memory/1256-4767-0x00000000726B0000-0x000000007270E000-memory.dmp

Filesize
376KB

Download
memory/1256-4765-0x00000000727A0000-0x0000000072A8A000-memory.dmp

Filesize
2.9MB

Download
memory/1256-4775-0x00000000714E0000-0x00000000714EA000-memory.dmp

Filesize
40KB

Download
memory/1256-4770-0x00000000720C0000-0x00000000720D4000-memory.dmp

Filesize
80KB

Download
memory/1256-4771-0x0000000071BB0000-0x00000000720B3000-memory.dmp

Filesize
5.0MB

Download
memory/1256-4766-0x0000000072710000-0x0000000072791000-memory.dmp

Filesize
516KB

Download
memory/1256-4769-0x0000000072640000-0x00000000726AF000-memory.dmp

Filesize
444KB

Download
memory/1256-4764-0x0000000072A90000-0x0000000072BAF000-memory.dmp

Filesize
1.1MB

Download
memory/1260-4379-0x000000006B8F0000-0x000000006E918000-memory.dmp

Filesize
48.2MB

Download
memory/1260-4375-0x000000006EE30000-0x000000006F786000-memory.dmp

Filesize
9.3MB

Download
memory/1544-4778-0x000000006B8F0000-0x000000006E918000-memory.dmp

Filesize
48.2MB

Download
memory/1544-4779-0x000000006EE30000-0x000000006F786000-memory.dmp

Filesize
9.3MB

Download
memory/1544-4795-0x0000000061B10000-0x00000000636C5000-memory.dmp

Filesize
27.7MB

Download
memory/1760-4601-0x00007FFBE67E0000-0x00007FFBE67F0000-memory.dmp

Filesize
64KB

Download
memory/1884-4465-0x000000006B8F0000-0x000000006E918000-memory.dmp

Filesize
48.2MB

Download
memory/1884-4466-0x000000006EE30000-0x000000006F786000-memory.dmp

Filesize
9.3MB

Download
memory/2976-4599-0x000000006DA60000-0x000000006DA70000-memory.dmp

Filesize
64KB

Download
memory/3356-4563-0x000000006EE30000-0x000000006F786000-memory.dmp

Filesize
9.3MB

Download
memory/3356-4564-0x000000006B8F0000-0x000000006E918000-memory.dmp

Filesize
48.2MB

Download
memory/3608-4777-0x00000000724F0000-0x000000007309F000-memory.dmp

Filesize
11.7MB

Download
memory/3608-4997-0x000000006B8F0000-0x000000006E918000-memory.dmp

Filesize
48.2MB

Download
memory/3608-4744-0x000000006EE30000-0x000000006F786000-memory.dmp

Filesize
9.3MB

Download
memory/4048-5109-0x000000006EE30000-0x000000006F786000-memory.dmp

Filesize
9.3MB

Download
memory/4356-4581-0x000000006B8F0000-0x000000006E918000-memory.dmp

Filesize
48.2MB

Download
memory/4356-4580-0x000000006EE30000-0x000000006F786000-memory.dmp

Filesize
9.3MB

Download
memory/4444-4803-0x000000006B8F0000-0x000000006E918000-memory.dmp

Filesize
48.2MB

Download
memory/4444-4801-0x000000006B8F0000-0x000000006E918000-memory.dmp

Filesize
48.2MB

Download
memory/4444-4802-0x000000006EE30000-0x000000006F786000-memory.dmp

Filesize
9.3MB

Download
memory/4488-4217-0x000000006B8F0000-0x000000006E918000-memory.dmp

Filesize
48.2MB

Download
memory/4488-4213-0x000000006EE30000-0x000000006F786000-memory.dmp

Filesize
9.3MB

Download
memory/4500-4119-0x000000006B8F0000-0x000000006E918000-memory.dmp

Filesize
48.2MB

Download
memory/4500-4098-0x00000000372A0000-0x00000000372B0000-memory.dmp

Filesize
64KB

Download
memory/4500-4106-0x000000006EE30000-0x000000006F786000-memory.dmp

Filesize
9.3MB

Download
memory/4588-4373-0x000000006B8F0000-0x000000006E918000-memory.dmp

Filesize
48.2MB

Download
memory/4588-4355-0x000000006EE30000-0x000000006F786000-memory.dmp

Filesize
9.3MB

Download
memory/5060-4817-0x000000006B8F0000-0x000000006E918000-memory.dmp

Filesize
48.2MB

Download
memory/5060-4800-0x000000006EE30000-0x000000006F786000-memory.dmp

Filesize
9.3MB

Download
memory/5096-4745-0x000000006EE30000-0x000000006F786000-memory.dmp

Filesize
9.3MB

Download
memory/5096-4752-0x000000006B8F0000-0x000000006E918000-memory.dmp

Filesize
48.2MB

Download
memory/5100-4204-0x000000006DA60000-0x000000006DA70000-memory.dmp

Filesize
64KB

Download
memory/5100-4203-0x000000006D9D0000-0x000000006D9E0000-memory.dmp

Filesize
64KB

Download