Analysis
max time kernel: 53s
max time network: 59s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11-06-2024 12:17

Static task: static1

Behavioral task: behavioral1
Sample: 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
Resource: win10v2004-20240508-en

General
Target: 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
Size: 225.0MB
MD5: d54254438c5c1d2c3cf234e583ed6c97
SHA1: becbb2ef95317e5f8ae5782538364aa58b9cb980
SHA256: 317debaf5cd447549e448e6b929b3e2ea5ae54864b35dbb18833e7a87e6a1636
SHA512: 6087b1ea0e3ce1f0daeca7c42e28dfc88db80a9aad48bb7f94e736be309bd78074d4ab06ec057fc88a198f8998cc51fc08174e925ca44c54cf7b2fffeccd8da8
SSDEEP: 6291456:qo5Y69DnhF6Rn0lo108kbmXMdyDq/1pA0F0QkDTqaHXXbV/T:qo5Y69DnkndYJ7S0GQkZ3LV/T
Malware Config
Signatures
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Processes: wpscloudsvr.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wpscloudsvr.exe
Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe, ksomisc.exe
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
File opened for modification | \??\PhysicalDrive0 | ksomisc.exe
Checks computer location settings (2 TTPs, 11 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: wps.exe, wpscenter.exe, ksomisc.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation | wps.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation | wps.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation | wps.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation | wpscenter.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation | wps.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation | wps.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation | wps.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation | ksomisc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation | wps.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation | wps.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation | ksomisc.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (1 IoC)
Processes: 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
description | ioc | process
File created | C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe | 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
Executes dropped EXE (45 IoCs)
Processes: ksomisc.exe, wpscloudsvr.exe, wps.exe, wpsupdate.exe, wpscenter.exe, ksolaunch.exe, promecefpluginhost.exe
pid | process
1824 | ksomisc.exe
1796 | wpscloudsvr.exe
2544 | ksomisc.exe
840 | ksomisc.exe
3056 | ksomisc.exe
2520 | wps.exe
764 | wps.exe
2900 | wps.exe
968 | wpsupdate.exe
1864 | wpscloudsvr.exe
1044 | wpscenter.exe
3016 | wpsupdate.exe
2576 | wpscloudsvr.exe
780 | wpscenter.exe
2312 | ksomisc.exe
576 | wps.exe
912 | wpscloudsvr.exe
2212 | ksomisc.exe
2248 | ksomisc.exe
2468 | ksolaunch.exe
2696 | ksolaunch.exe
2452 | wpscloudsvr.exe
2912 | wpscloudsvr.exe
1616 | promecefpluginhost.exe
1484 | promecefpluginhost.exe
824 | wps.exe
1724 | wps.exe
640 | wps.exe
2444 | wps.exe
1000 | promecefpluginhost.exe
1552 | wpscenter.exe
1380 | wpscenter.exe
1112 | wpscenter.exe
1132 | ksomisc.exe
776 | wpscenter.exe
1804 | promecefpluginhost.exe
1296 | promecefpluginhost.exe
1020 | wps.exe
1240 | promecefpluginhost.exe
824 | wps.exe
2204 | wps.exe
2896 | wpsupdate.exe
640 | wpscloudsvr.exe
2228 | wpscloudsvr.exe
916 | wpscenter.exe
Loads dropped DLL (64 IoCs)
Processes: 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe, ksomisc.exe
pid | process
2796 | 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
1824 | ksomisc.exe
(The report lists 64 rows in this table; every row is one of the two pid/process entries above, repeated once per DLL load. The DLL paths themselves are not shown on the page.)
Modifies system executable filetype association (2 TTPs, 4 IoCs)
Processes: regsvr32.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\lnkfile\ShellEx | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers | regsvr32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext\ = "{28A80003-18FD-411D-B0A3-3C81F618E22B}" | regsvr32.exe
Registers COM server for autorun (1 TTP, 64 IoCs)
Processes: ksomisc.exe, regsvr32.exe
description | ioc | process
Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020821-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f006500740000000000 | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32 | ksomisc.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000 | ksomisc.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{91493441-5A91-11CF-8700-00AA0060263B}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700070002e0065007800650020002f004100750074006f006d006100740069006f006e0000000000 | ksomisc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32 | regsvr32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000 | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wps.exe\" /prometheus /et /Automation" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wps" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{44720444-94BF-4940-926D-4F38FECF2A48}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wps.exe\" /prometheus /wpp" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{44720441-94BF-4940-926D-4F38FECF2A48}\LocalServer32 | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\LocalServer32\.ksobak | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32 | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{000209FF-0000-0000-C000-000000000046}\LocalServer32\.ksobak | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{000209FE-0000-0000-C000-000000000046}\LocalServer32 | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{000209FE-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /Automation" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32 | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{000209FF-0000-4b30-A977-D214852036FF}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wps.exe\" /prometheus /wps /Automation" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32\Class\ = "WPS.Office.Interop.Et.GlobalClass" | ksomisc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C360CF9-D475-44FC-8163-AD6C95CF5F5D}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020832-0000-0000-C000-000000000046}\LocalServer32\.ksobak | ksomisc.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00024500-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c00650074002e0065007800650020002f004100750074006f006d006100740069006f006e0000000000 | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wpp" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wpp" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wpp" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{91493443-94BF-4940-926D-4F38FECF2A48}\InprocServer32 | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\LocalServer32\.ksobak | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wps" | ksomisc.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000 | ksomisc.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020820-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f006500740000000000 | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32\.ksobak | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32\ | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32\.ksobak | ksomisc.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000 | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020900-0000-0000-C000-000000000046}\LocalServer32 | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020812-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\et.exe /Automation" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\kwpsmenushellext64.dll" | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{45540003-5750-5300-4B49-4E47534F4655}\LocalServer32 | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wps" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020820-0000-0000-C000-000000000046}\LocalServer32\.ksobak | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\LocalServer32\.ksobak | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32 | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\LocalServer32 | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\LocalServer32\.ksobak | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\LocalServer32\.ksobak | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020812-0000-0000-C000-000000000046}\LocalServer32\.ksobak | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{000209F0-0000-4b30-A977-D214852036FF}\InprocServer32\Class | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32\.ksobak | ksomisc.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000700000000000 | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{91493441-5A91-11CF-8700-00AA0060263B}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wpp.exe /Automation" | ksomisc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\refedit.dll" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wpp" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{048EB43E-2059-422F-95E0-557DA96038AF}\LocalServer32 | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{000209FF-0000-4b30-A977-D214852036FF}\LocalServer32 | ksomisc.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f00700072006f006d0065007400680065007500730020002f0077007000730000000000 | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\LocalServer32\.ksobak | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020821-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /et" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00024500-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\et.exe /Automation" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{00020812-0000-0000-C000-000000000046}\LocalServer32 | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{E260F96C-8EF4-4C24-A2B9-455F1D116531}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wps.exe\" /prometheus /et /Preview" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32\Class | ksomisc.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{000209FE-0000-0000-C000-000000000046}\LocalServer32\LocalServer32 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004b0069006e00670073006f00660074005c005700500053004f00460046007e0031005c0031003200320030007e0031002e003100360037005c006f006600660069006300650036005c007700700073002e0065007800650020002f004100750074006f006d006100740069006f006e0000000000 | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{048EB43E-2059-422F-95E0-557DA96038AF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPSOFF~1\\1220~1.167\\office6\\wps.exe /prometheus /wpp" | ksomisc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Processes: ksomisc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4} | ksomisc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" | ksomisc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{AB5357A7-3179-47F9-A705-966B8B936D5E}" | ksomisc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4} | ksomisc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" | ksomisc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{E436987E-F427-4AD7-8738-6D0895A3E93F}" | ksomisc.exe
Modifies data under HKEY_USERS (2 IoCs)
Processes: 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-19 | 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
Key created | \REGISTRY\USER\S-1-5-20 | 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
Modifies registry class (64 IoCs)
Processes: ksomisc.exe, regsvr32.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{7E64D2BE-2818-48CB-8F8A-CC7B61D9E860} | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{A87E00E9-3AC3-4B53-ABE3-7379653D0E82}\ProxyStubClsid32 | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\WPP.POTM.6\shell\print\ = "&Print" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{F1B14F40-5C32-4C8C-B5B2-DE537BB6B89D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{65E515D5-F50B-4951-8F38-FA6AC8707387}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{799A6814-EA41-11D3-87CC-00105AA31A34}\TypeLib\Version = "3.0" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{914934CA-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{914934DE-5A91-11CF-8700-00AA0060263B} | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{00024499-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.arw\OpenWithProgids\WPS.PIC.arw | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{0002CE21-0000-0000-C000-000000000046}\MiscStatus | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000209A2-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{4DACC469-630B-457E-9C8F-08158D57FC7C}\ = "FullSeriesCollection" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{BA72E551-4FF5-48F4-8215-5505F990966F}\ = "SectionProperties" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{00020990-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{00020875-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{00024423-0000-0000-C000-000000000046} | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.sldm\OpenWithProgids\WPP.SLDM.6 | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000209A7-0000-0000-C000-000000000046}\ = "Zooms" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{3E061A7E-67AD-4EAA-BC1E-55057D5E596F}\ = "OMathMat" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{CDDE3804-2064-11CF-867F-00AA005FF34A}\ = "_dispReferences_Events" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000C03F1-0000-0000-C000-000000000046}\ProxyStubClsid32 | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000C0362-0000-0000-C000-000000000046}\TypeLib | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000C037B-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{00020950-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{914934EC-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{44720440-94BF-4940-926D-4F38FECF2A48}" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{00024470-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{000C172C-0000-0000-C000-000000000046} | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000C037E-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{000244BC-0000-0000-C000-000000000046}\ = "SparkVerticalAxis" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{000C1711-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{FE0971F0-5E60-4985-BCDA-95CB0B8E0308}\ = "XMLSchemaReference" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{00024424-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{0002092C-0000-0000-C000-000000000046}\ProxyStubClsid32 | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\KWPS.SecDocument.9\CLSID\ = "{00020906-0000-4b30-A977-D214852036FF}" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{99755F80-FE96-4F7D-B636-B8E800E54F44} | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{E598E358-2852-42D4-8775-160BD91B7244}\ProxyStubClsid32 | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{92D41A57-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32 | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{00024480-0000-0000-C000-000000000046}\ProxyStubClsid32 | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{000244BF-0000-0000-C000-000000000046}\TypeLib | ksomisc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KMSO2PdfPlugins.Component | regsvr32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000C03C7-0000-0000-C000-000000000046}\TypeLib\Version = "63.1" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ET.SLK\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wpsofficeicon.dll,23" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\SystemFileAssociations\.xlsm\TypeOverlay = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wpsofficeicon.dll,3" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{91493451-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{44720440-94BF-4940-926D-4F38FECF2A48}" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000208D6-0000-0000-C000-000000000046}\TypeLib | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000208C4-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000244E8-0000-0000-C000-000000000046}\ProxyStubClsid32 | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{0002E11A-0000-0000-C000-000000000046}\TypeLib\Version = "5.3" | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{0002094A-0000-0000-C000-000000000046}\ = "Cells" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{0002096F-0000-0000-C000-000000000046} | ksomisc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ET.Addin\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wpsofficeicon.dll,21" | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{2503B6EE-0889-44DF-B920-6D6F9659DEA3} | ksomisc.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{00020999-0000-0000-C000-000000000046} | ksomisc.exe
Set value (str) |
\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{91493475-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{00024423-0000-0000-C000-000000000046}\ = "CustomView" ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\KWPS.Document.9\ = "WPS Writer Document" ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{00024478-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}" ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{00020866-0000-0000-C000-000000000046}\TypeLib ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\WPS.Dotm.6\ = "Microsoft Word 2007 Macro-Enabled Template" ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ET.Xlt.6 ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{000209B0-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" ksomisc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\KWPS.Document.12\shell\edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.16731\\office6\\wps.exe\" /prometheus /wps \"%1\"" ksomisc.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{BF043168-F4DE-4E7C-B206-741A8B3EF71A}\ProxyStubClsid32 ksomisc.exe -
Modifies system certificate store 13 IoCs
Processes:
wpsupdate.exe wps.exe wpscenter.exe
description ioc process
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (blob data omitted) wpsupdate.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 wps.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (blob data omitted) wps.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 wpscenter.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = (blob data omitted) wpscenter.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd wpscenter.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (blob data omitted) wpscenter.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (blob data omitted) wpsupdate.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (blob data omitted) wpsupdate.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (blob data omitted) wpscenter.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = (blob data omitted) wpscenter.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 wpsupdate.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A wpscenter.exe
-
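The entries above are what the sandbox labels "Modifies system certificate store": wpsupdate.exe, wps.exe and wpscenter.exe each created a key under HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates named by a SHA-1 thumbprint and wrote a Blob value beneath it. That hive location is the cache Windows' automatic root update fills when a process first builds a chain to a root that is not yet present on the machine, so any application that opens a TLS connection on a fresh VM produces this signature; the useful questions are which root was cached, whether it belongs to the Microsoft root program, and whether the writing process has any business validating chains. The Blob is a serialized certificate context: a sequence of records, each a DWORD property ID, a DWORD reserved field equal to 1, a DWORD length and the data, ending with property 32 (CERT_CERT_PROP_ID), which holds the DER certificate itself. The following is an added example, not part of this report and not WPS Office code, that decodes the one Blob the report reproduces in full, the value written by wpscenter.exe for 317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6. Property-ID names are taken from wincrypt.h, and the small DER walker assumes a well-formed certificate rather than validating one.

```python
"""Decode an AuthRoot Certificates Blob value and cross-check it against its key name.

Added example, not part of the sandbox report or of WPS Office. BLOB_HEX is the value
the report shows wpscenter.exe writing for 317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6,
split at record boundaries; property-ID names come from wincrypt.h. Stdlib only.
"""
import hashlib
import struct
from typing import Dict, Iterator, List, Tuple

KEY_NAME = "317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6"

NAME_HEX = (  # X.501 Name, used as both issuer and subject (self-signed root)
    "3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b"
    "31173015060355040a130e56616c69436572742c20496e632e"
    "31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f72697479"
    "3121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f"
    "3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d"
)
CERT_DER_HEX = (  # the 747-byte DER certificate carried in property 32
    "308202e730820250020101300d06092a864886f70d0101050500" + NAME_HEX
    + "301e170d3939303632363030313935345a170d3139303632363030313935345a" + NAME_HEX
    + "30819f300d06092a864886f70d010101050003818d0030818902818100"
    "ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c"
    "5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a9"
    "65d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f3"
    "3f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f7"
    "0203010001300d06092a864886f70d010105050003818100"
    "3b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb"
    "18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56"
    "d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1"
    "dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd"
)
BLOB_HEX = (  # records of {DWORD prop_id, DWORD reserved = 1, DWORD length, data}
    "0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a9"  # 15: signature hash
    "53000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c0"
    "3021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c0"  # 83: root program policies
    "0b000000010000002e000000"  # 11: friendly name, UTF-16LE
    "53007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000"
    "090000000100000016000000301406082b0601050507030406082b06010505070301"  # 9: enhanced key usage
    "140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4"  # 20: key identifier
    "1d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6"  # 29: subject name MD5
    "030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca6"  # 3: SHA-1 hash
    "2000000001000000eb020000" + CERT_DER_HEX  # 32: the certificate, 0x2eb = 747 bytes
)
PROP_NAMES = {3: "SHA1_HASH", 9: "ENHKEY_USAGE", 11: "FRIENDLY_NAME", 15: "SIGNATURE_HASH",
              20: "KEY_IDENTIFIER", 29: "SUBJECT_NAME_MD5_HASH", 32: "CERT",
              83: "ROOT_PROGRAM_CERT_POLICIES"}  # wincrypt.h CERT_<name>_PROP_ID


def parse_cert_blob(blob: bytes) -> Dict[int, bytes]:
    """Walk the property records; reject anything that does not fit the layout."""
    props: Dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed record for property {prop_id}")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def der_tlvs(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Minimal DER walk yielding (tag, value) for each TLV at one nesting level."""
    i = 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:                        # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, buf[i:i + length]
        i += length


def name_strings(name: bytes) -> List[str]:
    """Attribute values of an X.501 Name: SET OF SEQUENCE { OID, value }."""
    return [list(der_tlvs(atv))[1][1].decode("latin-1")
            for _, rdn in der_tlvs(name) for _, atv in der_tlvs(rdn)]


def describe_entry(key_name: str, blob_hex: str) -> dict:
    """Summarise one registry entry and test key name == stored SHA-1 == SHA-1(DER)."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    der = props[32]
    (_, cert), = der_tlvs(der)                   # Certificate ::= SEQUENCE { tbs, alg, sig }
    fields = list(der_tlvs(next(der_tlvs(cert))[1]))
    if fields[0][0] == 0xA0:                     # [0] EXPLICIT version, absent in a v1 cert
        fields = fields[1:]
    not_before, not_after = (v.decode("ascii") for _, v in der_tlvs(fields[3][1]))
    computed, stored = hashlib.sha1(der).hexdigest().upper(), props[3].hex().upper()
    return {
        "properties": [PROP_NAMES.get(p, str(p)) for p in props],
        "friendly_name": props[11].decode("utf-16-le").rstrip("\x00"),
        "subject": name_strings(fields[4][1]),
        "not_before": not_before, "not_after": not_after,
        "stored_sha1": stored, "computed_sha1": computed,
        "consistent": computed == stored == key_name.upper(),
    }
```

Run against the Blob above, describe_entry reports the friendly name "Starfield Technologies", a subject of "ValiCert Class 2 Policy Validation Authority", a validity window of 990626001954Z to 190626001954Z (UTCTime, so 1999 to 2019), and a SHA-1 over the DER that equals both the stored property 3 and the key name. That root had expired well before this analysis ran; its presence in AuthRoot reflects a chain the process was asked to validate, not a root the installer chose to trust, which is the distinction to draw before treating this signature as an indicator. A Blob whose computed hash disagrees with its key name, or a root outside the Microsoft root program written by a process that does no TLS, is the case that deserves a closer look.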
Suspicious behavior: AddClipboardFormatListener 21 IoCs
Processes:
pid process
2796 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
1824 ksomisc.exe
2544 ksomisc.exe
840 ksomisc.exe
3056 ksomisc.exe
968 wpsupdate.exe
1044 wpscenter.exe
3016 wpsupdate.exe
2312 ksomisc.exe
576 wps.exe
912 wpscloudsvr.exe
2248 ksomisc.exe
2212 ksomisc.exe
2912 wpscloudsvr.exe
2452 wpscloudsvr.exe
1552 wpscenter.exe
1380 wpscenter.exe
1132 ksomisc.exe
776 wpscenter.exe
2896 wpsupdate.exe
916 wpscenter.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
2796 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
2120 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe (×3)
2796 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe (×11)
1824 ksomisc.exe (×2)
1796 wpscloudsvr.exe
1824 ksomisc.exe (×23)
2544 ksomisc.exe (×10)
1824 ksomisc.exe (×13)
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
pid process
2796 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
576 wps.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 2796 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
Token: SeRestorePrivilege 2796 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe (×4)
Token: SeDebugPrivilege 1824 ksomisc.exe
Token: SeLockMemoryPrivilege 1824 ksomisc.exe
Token: SeDebugPrivilege 2544 ksomisc.exe
Token: SeLockMemoryPrivilege 2544 ksomisc.exe
Token: SeDebugPrivilege 840 ksomisc.exe
Token: SeLockMemoryPrivilege 840 ksomisc.exe
Token: SeDebugPrivilege 3056 ksomisc.exe
Token: SeLockMemoryPrivilege 3056 ksomisc.exe
Token: SeLockMemoryPrivilege 968 wpsupdate.exe
Token: SeLockMemoryPrivilege 3016 wpsupdate.exe
Token: SeLockMemoryPrivilege 1044 wpscenter.exe
Token: SeDebugPrivilege 2312 ksomisc.exe
Token: SeLockMemoryPrivilege 2312 ksomisc.exe
Token: SeLockMemoryPrivilege 576 wps.exe
Token: SeLockMemoryPrivilege 912 wpscloudsvr.exe
Token: SeDebugPrivilege 2248 ksomisc.exe
Token: SeDebugPrivilege 2212 ksomisc.exe
Token: SeLockMemoryPrivilege 2248 ksomisc.exe
Token: SeLockMemoryPrivilege 2212 ksomisc.exe
Token: SeLockMemoryPrivilege 2912 wpscloudsvr.exe
Token: SeLockMemoryPrivilege 2452 wpscloudsvr.exe
Token: SeShutdownPrivilege 576 wps.exe (×2)
Token: SeLockMemoryPrivilege 1552 wpscenter.exe
Token: SeShutdownPrivilege 576 wps.exe (×2)
Token: SeLockMemoryPrivilege 1380 wpscenter.exe
Token: SeShutdownPrivilege 576 wps.exe (×2)
Token: SeDebugPrivilege 1132 ksomisc.exe
Token: SeLockMemoryPrivilege 1132 ksomisc.exe
Token: SeShutdownPrivilege 576 wps.exe (×2)
Token: SeLockMemoryPrivilege 776 wpscenter.exe
Token: SeShutdownPrivilege 576 wps.exe (×2)
Token: SeShutdownPrivilege 776 wpscenter.exe (×2)
Token: SeShutdownPrivilege 576 wps.exe (×2)
Token: SeShutdownPrivilege 776 wpscenter.exe (×2)
Token: SeShutdownPrivilege 576 wps.exe (×2)
Token: SeShutdownPrivilege 776 wpscenter.exe (×2)
Token: SeShutdownPrivilege 576 wps.exe (×2)
Token: SeShutdownPrivilege 776 wpscenter.exe (×2)
Token: SeShutdownPrivilege 576 wps.exe (×2)
Token: SeShutdownPrivilege 776 wpscenter.exe (×2)
Token: SeShutdownPrivilege 576 wps.exe (×2)
Token: SeShutdownPrivilege 776 wpscenter.exe (×2)
Token: SeShutdownPrivilege 576 wps.exe
-
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid process
2796 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
912 wpscloudsvr.exe (×2)
576 wps.exe
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid process
912 wpscloudsvr.exe (×2)
-
Suspicious use of SetWindowsHookEx 64 IoCs
Processes:
pid process
2796 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
1824 ksomisc.exe (×7)
2544 ksomisc.exe (×2)
840 ksomisc.exe (×2)
3056 ksomisc.exe (×2)
968 wpsupdate.exe (×2)
1044 wpscenter.exe
3016 wpsupdate.exe
1044 wpscenter.exe
3016 wpsupdate.exe
2312 ksomisc.exe (×2)
576 wps.exe (×7)
912 wpscloudsvr.exe (×3)
576 wps.exe
2248 ksomisc.exe
2212 ksomisc.exe
912 wpscloudsvr.exe
576 wps.exe
2248 ksomisc.exe
912 wpscloudsvr.exe (×4)
2212 ksomisc.exe
912 wpscloudsvr.exe (×2)
2912 wpscloudsvr.exe
2452 wpscloudsvr.exe (×2)
912 wpscloudsvr.exe (×2)
2912 wpscloudsvr.exe
912 wpscloudsvr.exe (×5)
2912 wpscloudsvr.exe
2452 wpscloudsvr.exe
912 wpscloudsvr.exe (×3)
1552 wpscenter.exe (×2)
1380 wpscenter.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process
PID 2796 wrote to memory of 1796 2796 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe wpscloudsvr.exe (×4)
PID 1824 wrote to memory of 2908 1824 ksomisc.exe regsvr32.exe (×7)
PID 1824 wrote to memory of 2136 1824 ksomisc.exe regsvr32.exe (×7)
PID 2136 wrote to memory of 1672 2136 regsvr32.exe regsvr32.exe (×7)
PID 2796 wrote to memory of 2544 2796 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe ksomisc.exe (×4)
PID 2796 wrote to memory of 840 2796 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe ksomisc.exe (×4)
PID 2120 wrote to memory of 3056 2120 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe ksomisc.exe (×4)
PID 1824 wrote to memory of 2520 1824 ksomisc.exe wps.exe (×4)
PID 2520 wrote to memory of 764 2520 wps.exe wps.exe (×4)
PID 2520 wrote to memory of 2900 2520 wps.exe wps.exe (×4)
PID 2120 wrote to memory of 2284 2120 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe regsvr32.exe (×7)
PID 2284 wrote to memory of 1916 2284 regsvr32.exe regsvr32.exe (×7)
PID 2120 wrote to memory of 968 2120 421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe wpsupdate.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe"C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe"1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService2⤵
- Checks whether UAC is enabled
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1796 -
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -installregister sharedMemory_message_F7696952⤵
- Checks computer location settings
- Executes dropped EXE
- Registers COM server for autorun
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2544 -
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins.dll"3⤵PID:2700
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins64.dll"3⤵PID:2200
-
C:\Windows\system32\regsvr32.exe/s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins64.dll"4⤵PID:2480
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -sendinstalldyn 52⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:840 -
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\html2pdf\html2pdf.dll"2⤵PID:1368
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\\office6\ksomisc.exe" -defragment2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2312
-
C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe"C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe" -downpower -msgwndname=wpssetup_message_F763208 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~f762f79\1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3056 -
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kwpsmenushellext64.dll"2⤵
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\system32\regsvr32.exe/s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kwpsmenushellext64.dll"3⤵
- Modifies system executable filetype association
- Registers COM server for autorun
PID:1916 -
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe" /from:setup2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:968 -
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService3⤵
- Executes dropped EXE
PID:1864 -
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe" Run -Entry=EntryPoint "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\kwpsupdatemindbubble_xa\kwpsupdatemindbubble_xa.dll"3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1044 -
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe" -createtask2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3016 -
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService3⤵
- Executes dropped EXE
PID: 2576
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe [tree depth 3]
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe" Run -Entry=EntryPoint "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\kwpsupdatemindbubble_xa\kwpsupdatemindbubble_xa.dll"
- Executes dropped EXE
PID: 780
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe [tree depth 2]
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe" /prometheus /download_lang_on_start /lang=en_US /from=autostart_after_install
- Checks computer location settings
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID: 576
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe [tree depth 3]
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe" /qingbangong /start_from=qingipc /qingbangong /start_from=kstartpage silentautologin
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID: 912
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe [tree depth 4]
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -getonlineparam -forceperusermode
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2212
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe [tree depth 4]
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -getabtest -forceperusermode
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2248
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe [tree depth 4]
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /messagepush /PushType=mipush /From=Qing
- Executes dropped EXE
PID: 2696
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe [tree depth 5]
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe" /messagepush /PushType=mipush /From=Qing
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2912
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe [tree depth 4]
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /krecentfile /init /From=Qing
- Executes dropped EXE
PID: 2468
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe [tree depth 5]
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscloudsvr.exe" /krecentfile /init /From=Qing
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2452
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe [tree depth 4]
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe" Run -Entry=EntryPoint C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386/kdocreminder_1.1.2021.123/kdocreminder.dll
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 1552
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe [tree depth 4]
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe" Run C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386/photoforceasso_xa_1.0.0.1/photoforceasso_xa.dll -EntryPoint=EntryPoint
- Executes dropped EXE
PID: 1112
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe [tree depth 5]
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -assopic -type=silent .pcx|.tga|.wdp|.wap|.wbm|.wbmp|.pbm|.ppm|.pgm|.ras|.xbm|.xpm|.arw|.cr2|.cr3|.crw|.nef|.orf|.pef|.raf|.dng|.heic|.mrw|.rw2|.x3f|.psd|.psb|.ai|.emf|.ico
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID: 1132
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe [tree depth 4]
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe" Run /InstanceId=wpsdesktop -Entry=EntryPoint C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386/kwpsbubble_1.0.2023.32/kwpsbubble_xa.dll
- Checks computer location settings
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID: 776
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\promecefpluginhost.exe [tree depth 5]
Command line: "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --mojo-platform-channel-handle=1064 --field-trial-handle=1172,i,17807377547951765856,10267334684893265284,131072 --disable-features=TSFImeSupport /prefetch:2
- Executes dropped EXE
PID: 1804
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\promecefpluginhost.exe [tree depth 5]
Command line: "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --mojo-platform-channel-handle=1572 --field-trial-handle=1172,i,17807377547951765856,10267334684893265284,131072 --disable-features=TSFImeSupport /prefetch:8
- Executes dropped EXE
PID: 1296
-
C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe [tree depth 5]
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=776 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --enable-file-verify --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1868 --field-trial-handle=1172,i,17807377547951765856,10267334684893265284,131072 --disable-features=TSFImeSupport /prefetch:1
- Checks computer location settings
- Executes dropped EXE
PID: 1020
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\promecefpluginhost.exe [tree depth 5]
Command line: "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --mojo-platform-channel-handle=1388 --field-trial-handle=1172,i,17807377547951765856,10267334684893265284,131072 --disable-features=TSFImeSupport /prefetch:2
- Executes dropped EXE
PID: 1240
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\promecefpluginhost.exe [tree depth 3]
Command line: "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --mojo-platform-channel-handle=2248 --field-trial-handle=2280,i,733871636147271719,7870283932770415647,131072 --disable-features=TSFImeSupport /prefetch:2
- Executes dropped EXE
PID: 1616
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\promecefpluginhost.exe [tree depth 3]
Command line: "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --mojo-platform-channel-handle=2600 --field-trial-handle=2280,i,733871636147271719,7870283932770415647,131072 --disable-features=TSFImeSupport /prefetch:8
- Executes dropped EXE
PID: 1484
-
C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe [tree depth 3]
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=576 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --enable-file-verify --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2900 --field-trial-handle=2280,i,733871636147271719,7870283932770415647,131072 --disable-features=TSFImeSupport /prefetch:1
- Checks computer location settings
- Executes dropped EXE
PID: 640
-
C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe [tree depth 3]
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=576 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --enable-file-verify --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2932 --field-trial-handle=2280,i,733871636147271719,7870283932770415647,131072 --disable-features=TSFImeSupport /prefetch:1
- Checks computer location settings
- Executes dropped EXE
PID: 824
-
C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe [tree depth 3]
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=576 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --enable-file-verify --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=2280,i,733871636147271719,7870283932770415647,131072 --disable-features=TSFImeSupport /prefetch:1
- Checks computer location settings
- Executes dropped EXE
PID: 2444
-
C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe [tree depth 3]
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=576 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --enable-file-verify --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3020 --field-trial-handle=2280,i,733871636147271719,7870283932770415647,131072 --disable-features=TSFImeSupport /prefetch:1
- Checks computer location settings
- Executes dropped EXE
PID: 1724
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\promecefpluginhost.exe [tree depth 3]
Command line: "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --mojo-platform-channel-handle=2244 --field-trial-handle=2280,i,733871636147271719,7870283932770415647,131072 --disable-features=TSFImeSupport /prefetch:2
- Executes dropped EXE
PID: 1000
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe [tree depth 3]
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe" Run -Entry=EntryPoint C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386/kdocreminder_1.1.2021.123/kdocreminder.dll
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 1380
-
C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe [tree depth 3]
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=576 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --enable-file-verify --js-flags=--expose-gc --disable-gpu-compositing --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3168 --field-trial-handle=2280,i,733871636147271719,7870283932770415647,131072 --disable-features=TSFImeSupport /prefetch:1
- Checks computer location settings
- Executes dropped EXE
PID: 824
-
C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe [tree depth 3]
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.167\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xNjczMVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=576 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --enable-speech-input --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\debug.log" --enable-file-verify --js-flags=--expose-gc --disable-gpu-compositing --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3288 --field-trial-handle=2280,i,733871636147271719,7870283932770415647,131072 --disable-features=TSFImeSupport /prefetch:1
- Checks computer location settings
- Executes dropped EXE
PID: 2204
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe [tree depth 3]
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpsupdate.exe" /from:ksoend /source:ksoend
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID: 2896
-
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe [tree depth 4]
Command line: "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
- Executes dropped EXE
PID: 640
-
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe [tree depth 4]
Command line: "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
- Executes dropped EXE
PID: 2228
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe [tree depth 4]
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wpscenter.exe" Run -Entry=EntryPoint "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\kwpsupdatemindbubble_xa\kwpsupdatemindbubble_xa.dll"
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID: 916
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe [tree depth 1]
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -installregister sharedMemory_message_F76896B -forceperusermode
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1824
-
C:\Windows\SysWOW64\regsvr32.exe [tree depth 2]
Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins.dll"
- Modifies registry class
PID: 2908
-
C:\Windows\SysWOW64\regsvr32.exe [tree depth 2]
Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins64.dll"
- Suspicious use of WriteProcessMemory
PID: 2136
-
C:\Windows\system32\regsvr32.exe [tree depth 3]
Command line: /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins64.dll"
- Registers COM server for autorun
PID: 1672
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe [tree depth 2]
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2520
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe [tree depth 3]
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe" CheckService
- Executes dropped EXE
PID: 764
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe [tree depth 3]
Command line: "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=2520 /prv
- Executes dropped EXE
PID: 2900
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Change Default File Association (1)
- Pre-OS Boot (1): Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Change Default File Association (1)
Downloads
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 fca8df9eb4b97ab02cfd86e21425529d
SHA1 e93d458733d9f1c08674a88ed8090ab3bdfd3765
SHA256 96da214544b9aa30b3550ddd869c54932abc0f8f7c89a3ab8a23d8d3a5c224db
SHA512 156544287b7f02fb7e9082589179b0c8bf86de6fce189c33597e0b503378b272b7be8ebc2a77a71bc62271bd6394285101eb8a52adb60abe318cc372046236cf
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\kwpsaigc\mui\pt_BR\kwpsaigc.qm
Filesize 334B
MD5 2b42be10ddde43a0b6c2e461beae293a
SHA1 53888c4798bc04fdfc5a266587b8dc1c4e0103f3
SHA256 984ebeef80f6f50907afb92e5b5ae72df49fce045552c118a77a8887cc98e19b
SHA512 be3ebd02d37de367200696351fb5f9cd0ec4c206c3a33f281cb8b62386457a30a899322798c63a0d495577393e47258994feb7f8e2445645f552c2b7a2de6778
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\pt_PT\history.js
Filesize 198KB
MD5 b4b4c703bf5c6c0b5e9c57f05012d234
SHA1 929aee49e800e88b4b01f4a449fa86715d882e42
SHA256 910eada285d4900ea8e36faf305f731cfb200b317ea866839f5f4864a9dfc09b
SHA512 2afa881ee2f47e97249904b506cf88d68a34c166d9dc0a603f68369e640336f2c0b424ecb7b23d4631a96e175b965478bfa4ebc0224b0410551e55ac4c8ad0ec
-
Filesize 67B
MD5 223673e5e8d77083765b70ddf7a0f7f6
SHA1 3b5c4d6304ed6ada0ec607f44a2aace24ec16126
SHA256 9089b4fee2d7596812c52f11dbc9855ca5b2b1ff0a9dc237fe630722b10ddc82
SHA512 62f5a40fc698de593bf29c3ab4d278d798bdc6e65693ca30f85506c95f408f17a00da048e42a23dd5702fe322066a87374cfeb0942d15f3fc791639aab924f52
-
Filesize 433B
MD5 1c1eb59705cc6888811f3019aa3be6dc
SHA1 561a22bb405b8e77cfa062dcbb8ce2589b23bd46
SHA256 82602748b45b6a64ac854f1168604051292f8c14838b9dff5a804138f21600dc
SHA512 17ceae557b779ab759e741a5bffbee50d35fbd1ab76bfb36c5c28d4bc33155f9e719a5eabf9593083593fbfa7f3037fd1621553fbf8c5ea391e8c82be118103b
-
Filesize 3.0MB
MD5 20704171f1c20337f7348ae4dab809bf
SHA1 c0a8e284cab4e843bfd9cea49e221efabc971596
SHA256 03d1cf8f9801abf3f1a10ccba0a3b64f38ee209b4ce84c0b8e6bc72c35f61a7e
SHA512 47b791b8e8ca250f041390a72d0d0bdf4ca3115cff579e649eb45181b2d898dc664e7d53273e46230440b3428c613bc30fc7a6818bbd17daa635e2ef5e0e1b0e
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\mui\ja_JP\resource\splash\hdpi\2x\ent_background_2019_wpsoffice.png
Filesize 236KB
MD5 c5ad1903526a9ca4c2f55cfea1e22778
SHA1 9c7b9ba9100a919cad272fb85ff95c4cde45de9f
SHA256 5e7ba996d2331f37b9799767c0fa806cab9a39fea434796ab08dcaf39096e334
SHA512 e482142e81fbe71666b40f7a2c53702b4278436a0240e0f56200443cf4235d9942cccc3545cc01486d53a0972be553cbf93442e8b05de7b4fcd1fe8a4ec16bb4
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\qt\plugins\platforms\qdirect2d.dll
Filesize 1.4MB
MD5 39f7a2e4e5493a25ff8597413372d8d7
SHA1 4dab1118b5b962f1dc89fa29c5f10c8bd7d1fce1
SHA256 6b9428e6c7563b32481cb9bbb15e9126376bd123b213b94b6cdf82409a5b57d8
SHA512 80063b8e9f8e328e8746f6f8b9c73bafb0bfd9c89d0743da186de193c3676d7702fa1ecd82fa547d5628f4e4b96c3869bb7521f25bf2843d260dc0339480147a
-
Filesize 957KB
MD5 2ce8dfb2a53e622411af4f8078d1535f
SHA1 ec2e4fa3911958d1ff23ed65b0b0f97e2aff7225
SHA256 90331a4a32a588f26eb815ee41f3f21d6e8d4c97bb6e33736e536e263f8bd747
SHA512 d6383ec1ae71a9a79f21dcb0a8bf7b75f2ed027cef756fb7cff2be35f02d220c8cdf9008ef7a6f938490490254a6d5b446480cf05a86b8afe5c1fc13c9036882
-
Filesize 499B
MD5 183330feb3b9701fec096dcbfd8e67e4
SHA1 2f43379fefa868319a2baae7998cc62dc2fc201d
SHA256 ac4f26a184114522200169c5f57a0af4498a20d19b7ec6def14dd2c6413eb475
SHA512 643cc197456f15da6ddd6eb904f2b25ad4236a24310d575958c0c8e457a33167e748d21184162502a295fa466c031a837511d4d5348fd67499ede1b60065c471
-
Filesize 662B
MD5 134d92d41c65fcc5562379cc2842f786
SHA1 f628fa2b086ded3d6bef53e107c5ed4433cdc408
SHA256 1c4b37edb30af230503a6632d6e6e23e8ed3cf75fa700d5b0187257a40947dcb
SHA512 a41e90d26e214dc77749791fa76440d05dbcfe153100bd720a9ef06891bf8129d052ca8e2021cb4586c2d06a923fe023f76773b71cacf188df78d6a6ce7942dc
-
Filesize 65KB
MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize 2KB
MD5 d32df04f1fcdc8da53d9fdc14b69973b
SHA1 df451f4c5730f9d2f21ab2618491ba376d96ae67
SHA256 33450b8e8df01d1d106dbb8928d63147a8f72e68fe6f3767511a3c0c51a89dbd
SHA512 d4cf7270b5f6e065fa06b275b3e4c337ac9e39cbd83e7f6e675187600bcfc501da466ac624225cac4b4eb7a1606a372e768a626b0675d2d35e2f518af28527f1
-
Filesize 171KB
MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 3KB
MD5 034f37e6536c1430d55f64168b7e9f05
SHA1 dd08c0ef0d086dfbe59797990a74dab14fc850e2
SHA256 183a140011774d955e9de189e7a1d53cb4128d6abed61c7bfd5994268ee5f384
SHA512 0e1911c882152a4e1059a3ce1880d7fb2aed1e1e36cbd37055de2e2a1333acb2a0233ba2a4d969ccebbef1e77809aa5e78807aa9239545beae8c548c0f8f35c0
-
Filesize 111KB
MD5 275e4919bf12383eeaae2e35f1aedca2
SHA1 d63a89631852f77f4de039ee5ffd8b46b10e044c
SHA256 d8dc6cf4f19c29825a6da3b4ec663e36de45b1cc17b9b410025b10725f170072
SHA512 b0ca06ebef74c65e7ea7b1d0cc4c250f45134e195a822f8614d6ccb397805166b0399f4057d561e39ea996ab94a7dad40ed637766b781baad3db9af9926f6a9e
-
Filesize 382B
MD5 6a5eea749583001de63b993fc66496ba
SHA1 fd41691ec4751e85be89917d46454f8533800b4e
SHA256 bca613688e735ccd1fae7164550bd8ae90862028cd0bf31534c149ea0d7c9f60
SHA512 6a5b9b863bf139c87b5734d6e8310c7231a1015d8eceb15f76ccf7676d36f9107fd5d817a6f04ed47c3ee45be409073c837beee3c079abde5bc38233c98b9712
-
Filesize 428B
MD5 5e1b68b67986b1588301c0135f19fc7c
SHA1 957ea47285f7d903cce7530ee34852435de5b5b4
SHA256 23456d8ce681d1a5a31bf06262e088f4feb8d0e8fdc1d37afa4aa02830ffacdc
SHA512 268ec437c5971552dacca1e9ef6850543614d5a7f05ac34b41bf05f73e97e4c694d59e4f0618a57660ffad4f2faee653b4c0c824f97a6e9fddc48d22c52739af
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KST91PQYBPI7MYTON1P5.temp
Filesize 8KB
MD5 a6cf09d5cabc878da43ec8dabed4554d
SHA1 15d296f66e0a10c05168ab3fc6ca4ed33c28c493
SHA256 e4de3962a4d019bf691fff7cdb4322bb47d430728cc93918ef332cb8afdbe28f
SHA512 8a274c590b471075b055a5b7fb376d560194a083b8fe04f937320169d1c03a689650321512c0296384c7828d3c5708404d393fb6f57d0c1cb80bd39ac861ab02
-
Filesize 903KB
MD5 b719be776167213ac6d5bfafb1cb2612
SHA1 edfe0028b5e1ae4171493b077dc332872d4f83ff
SHA256 e78c7d53f11d2c96244baea939ea77b3761abdbc75912812060ab3e8aa938e44
SHA512 56e2a24da00d5d4df5838e9dffb42a7ccb19ec3a4b2ff74858ccdbd7b3d3444907581b5ea426670a4b85b5a229d84441eb7fec023d2eb7ceb366c2f6b387f7bc
-
Filesize 6KB
MD5 93bdabeac873fb56f049f9659336240f
SHA1 1a55f154a232aad1618c5bfde1a195a91cbde339
SHA256 92102d802bb9b64be87e1ac0b68c1310044cbe62ee2bee7c4241ae5f1fce6ada
SHA512 d26d892edcfb9841942b5fb61699de5b0040b764ed73f5bcccdd53b6514069773b87f0bb2eaf536027fc9d5b55e97b6e014a9e5b5eab9e6470a7c9685a04646c
-
Filesize 11KB
MD5 399d2ed883dd737e480b5c434d2ca1d1
SHA1 a3c7df390ec8ef93a84ced4ba7216735a696be70
SHA256 11b504e8eef38b1ebeb9e626d3bebb8fc5ff53e325685d628941523340b35271
SHA512 574d8a3230821d0852a89832fdfba9d1fc777df40aa10c483a31a8cac2a36cf356ba54fee27e27b097c31c8758b0f32863d8b4f6b0147403d286d0c3f84c119e
-
Filesize 13KB
MD5 ac77f5be67533f8b44d788204583d224
SHA1 9dfb1713d8df8b3f727dc9e8ef5c4be0a491a9b7
SHA256 d58cb20d298399f4772ff4058924beb21775349f8866534b772be2fdde336b00
SHA512 7ad98ce00761cd577379487857b22f897296f337848828a1b77c9812288bfbecf0d5783f17d60ee222e291943902887bce0b8ad604b7a699597b36f88ea5dbbf
-
Filesize 29KB
MD5 e96c7039d75eb9f9eff0555613851daf
SHA1 bdcd9e2eed7de2d7c98bd9a28e3cf00f864a7899
SHA256 c761c92e278e64a044f744bd4f25add4a66fd1bbf0e39c03da22397f4467173c
SHA512 d541d832b65ecf4a63bbd2aff5cb91944241c9637b9f2d2210a5a141a0054536876ccf1a884924e12cec832dd2af7330374cd118157f758274bdac353d8eadd9
-
Filesize 48KB
MD5 0d26445f495aa8fa75cc04e5a33b02fa
SHA1 b80a07cb5f9917f7c58dc234b7600ce601082fa5
SHA256 0a05798b4fab7472645fa34a60cc7410c93e3235417a55fc9275749882e74a16
SHA512 d6d3526b1e3d02d566e445dd4e78717fbf389b694ce4f8ccfc6c87efeee5db4ba34d059e2eb735e5ab78bf65afadb82a60518282f708b575e17f208276dfbdb0
-
Filesize 48KB
MD5 3740e74f736e1312b3d74819cdfac1c1
SHA1 751a4c3473f48216a592f8054500684a89e55828
SHA256 8b91bf4a8a0d040ceee5be9330e98b414c86efa65ecb2c55f433f07f3aedee22
SHA512 7c7f1147a615d3e6b6c2e60a1367b209b56337b597a1f27c4ae8075aadea15b6352db378f10f73dfaa01720edeeaf528509dc6073763072a02db9727caebbe8e
-
Filesize 7KB
MD5 7bc295e55a66413e246a056fcb0e3b4c
SHA1 85a6cab2cf05193f7cdb8bc77f33f435e0473c85
SHA256 cc78b6b5f4e8438e0175e3f5a20279aab3efdd6befd2917e4515a59db7cf3a9b
SHA512 65cb35feb9fbe429a281c1184108d4ad05aefa25252c821d79da7fce4ab803ada964f2055035a69be85aade852432e492eedc5014f2b793937d4ef9d87317899
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\KWPSBubble\Local Storage\leveldb\000002.dbtmp
Filesize 16B
MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\KWPSBubble\Session Storage\MANIFEST-000001
Filesize 41B
MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\wpsoffice\Local Storage\leveldb\CURRENT~RFf76b471.TMP
Filesize 16B
MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\wpsoffice\Network\Network Persistent State
Filesize59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\kwebwhatsnew\wpsoffice\Cache\Cache_Data\data_0
Filesize8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\kwebwhatsnew\wpsoffice\Cache\Cache_Data\data_2
Filesize8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\kwebwhatsnew\wpsoffice\Cache\Cache_Data\data_3
Filesize8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\kwebwhatsnew\wpsoffice\Code Cache\wasm\index
Filesize24B
MD554cb446f628b2ea4a5bce5769910512e
SHA1c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA5128f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0
-
Filesize
21B
MD5508370f78327c666be4501d073812950
SHA1874374d638d491266da8a4b5ef905002c28c2f38
SHA256aec368c859cab36a2ca31d36941af40e15a26a8f85eee679be85f45625e91da1
SHA512c905ad292f7c695c0260f3310e27913c555bf3763e864bc2e1f90829a748c1cf7fcb53aca2314607383cf321782827674d2715b784821334d637b57d5383a084
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\KWPSUpdateMindBubble\plugin.plg
Filesize728B
MD57ac31d26b13c6f217ba8a3b10ef3dd8d
SHA1457193d0fff37ad6c0ae6acbd4cd71acba253fea
SHA2569835b153474bc9aaaafbd3036a03810bbb8f21406ac8aa70e0c0b59484d5e202
SHA512d0892d26e2f18ba2d57c73ebc5de9a749c1bde385993faa6b31e45b565da44ce96f665263d2b4a68d76cda596d4e7a0c0c194535d2d8d37aa7c082394b72a303
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\chromeguide\plugin.plg
Filesize736B
MD585920fc5aae6425b2c5eb46507500e1e
SHA143b85ac7a1e0b4ab83313b5df0997a6595bbbe12
SHA25618f743d7cd9582bb7d37a2e1fef73e6c2192c8c4119feebeed6f9590496590a3
SHA5122c865624618a16c2de85ba93b05a41ca3638fc04b867962ef7b1550f43c6d732dc4b3da84764f9b8584bb5dd645faf286c4e2aacb2e54c9acc22489570deb465
-
Filesize
14KB
MD5b330323d4f3e9c5f65d4090068fad2f2
SHA13cff5b78ea82f6e628809523ab3ef8adb737f097
SHA256a42b0f39532aa7ee9dd68d92a60177bc75e13e44f051b36bc24f0ed4dcc30eb3
SHA512a47f5e0a8ca11d78a7edf8ef7d26e4ec2129c1d055f33a933d99fbf1cb287e06e9aa208e74b5b09ee210332fdaa44df17ea432baa3630af19f9bc16466abff6d
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.16731\kappframework\plugin.plg
Filesize2KB
MD5c480aa9ecbeca164f2c4b65703735f88
SHA1bad457b7be00fe8c88321e6dcc14b4e914164ecc
SHA256407b17b8ebbc8ebf024c4a0c89c7975ee52c02c4fd4be90a07f9129ae7651cf6
SHA512f6f9ad841c5e6541511106ab7c5224b1bc2e4655ab853c7b43af91f6fd8caa009fca424cb65c72210fee3a26f478d89401fb4024a1fd5d27bdc7112106615b69
-
Filesize
744B
MD56a13e38dc5123fd5fe9c4e971e3fe7dc
SHA121ab4a505400a46a11366e27ef7bb538e04c61d2
SHA25620f46b032a3f1e85daf1ad3819fe705fc386e5e975e53627a15f4ca1119a9c76
SHA512ea89b0fa5a23d0f9d070dd5838aaf77bd100b1c9cec3c73e81146297ab5b4fd08ac9d9adc084f8bc1135f65e5d678942cab54a4860e6dc9ae11d3409a33f7ee5
-
Filesize
8KB
MD5368d5dc1b407ffa7eb2d490d048de943
SHA12cb8d6b77fecfd621391f9378e2210f3d60190f0
SHA25616c0708490c449ff61dfa3284313554ce44ef6b96a325f4818bd1e0bcdca04f9
SHA5127bf235117d9b6fd04ef72fb3763bcff44755896785dad7dd432142fb9b5b2a736cfdda20d10c22a1140aeca0392e058ffd666d412e4ad6fc426d7445c8bfc783
-
Filesize
2KB
MD564e11ec8259d13542ff86c5fee3b6ff5
SHA13c3f098e58e83b4ffea387ea030b2862340477fe
SHA256424ab36ab8117d38888f5bbdde9610e5dd29c35022893ed2b85acfd7b080158b
SHA5126677e9e464d6559c65b8377eba5d1570c721193d7bbf681392c5f037e64984cea3d7fdfdff6f215643b34bb4a92771c000e01c1dca704b30fe7ee20177e1325b
-
Filesize
5KB
MD55fc4ddb38cb10ee798c5c8ba890be8bd
SHA1738a8d1f6ec8bc690c387d5991cc8cdc7e7f79a7
SHA256bd077d51c874220b491058034a3ef9ef147a90399d83cde38ee27cbef68bb0f4
SHA51260036016d454732336e7507c5b6101f7b0b474bf80f8f9099ab38bc8bfc3eebea31794f95ec4e91e55d280bf7236577b4ee248c7da6c98a4c2a532a7f98f5270
-
Filesize
7KB
MD55509ef75346a8ba1459a3a699304817f
SHA1377f771755f0be245963cace9ebd4f01f1b60150
SHA256b1b204e307ea2d74b95d5a07c1c3180c8d15892e8438b8538d487ebafeae4be9
SHA51214d064f685323f984641d50dc7eb1ebf82596435c3745051104b61717d897cc3a06e387daa6ea5d3d160a468a750dd08969bdf27f987d73483222b189b8aaf55
-
Filesize
14KB
MD55d0bad20a3e197f645bdc6383d3e1b01
SHA1906d76437fc9b452dafdf868057d42944e4d9a5f
SHA256a3128523eeebb539908d1361fbf7f2a646d3e9c61dd1bd7093a585d5bf197c88
SHA5122002ff6652e9713f8ad5e053b7973dee0f4587c2898590da4c75a030fd2f064078fe34f3fc28908054fd25cd6b786d6cff1ebcc4e57be60ae9901404e6b782b7
-
Filesize
15KB
MD54ea68dd71ec5efec0b9c6631117bcb00
SHA1ff9743032cb0ae2b2ee3d8d93eb035ca6bda3250
SHA2566446d6e1b64fc7fbfd234d53f645cd04fbf662408065745070d97a7f018accdc
SHA51228ed1b6dc1de0fe03839d01c143f344f6c226e766a27f7c4df781a35dd0fd9289c941b1621cca570a0eda1547cf00d111ccdc27e8086950f8e45d78821fba634
-
Filesize
776B
MD54b7fc1e905714c7f4f5aeafd9dbad7d4
SHA1fe47d5355b9c8c41dc4918ed73cb1590418dae8a
SHA256d671281d56b664c5e981a446cc9552eed28fa3031ab3f294415a0bf3808bf7db
SHA512c6d19c02649406d3816caf67344c69f23fd319140e82de4822a377e377cdf1b5b37e261b69e7dd271dd46e4fafe14fef379b02df2369251f5223c7278b77a3f0
-
Filesize
7KB
MD5404286e0cc214be383c8c544b8ca52ad
SHA1a6a4f39540d75d7f135910cd55c39833d4dea20f
SHA256d1d4f345462dc6fc9c8c9c25ddb179f22c6458144564c77b1f86f26f98bcb639
SHA512ff3d3c80b761ef90e215938cdf8f29d9d412766f926cc5104bf67af050ff777ee6ca8ad2ee3c1d65afa03e86ff655f6d0935d59ed565350f99a69392f3a97d71
-
Filesize
174KB
MD5e0fc385e5bc52f99af3f7703dbfe0406
SHA175ab2b73effe5290f0d58504080cccd3185306b5
SHA25664302243aae430bdc73fdb272c2858bf2d59615e3a6fbb787cc61d406693c882
SHA512494d07ba5339df67364f74bb647dd3983ee17cac4971ea60035cd80c6e5f401b929fa6615c465ae74764d6c4d777388ddbfb1dc10cf00749ba7ee695e2b0ca3e
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdiagnostictool_1.1.2022.105\download.7z
Filesize275KB
MD5fd1d8a9edeeb153f9e53d1e2522e3d70
SHA153807b925cfc9ad101005983cbcb98e14163353f
SHA256d8ae5a02687c2936552f691858150bf3286236bf31a6014e6655e576c55c234a
SHA5124e50a7f2b9030e607a3658942de482129a2a4cc8d965d70a46b7fefd7bbe379368846bde4c99e131035069e3f9bb86386a1797214885678354a38d13d599fcd4
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdiagnostictool_1.1.2022.105\mui\es_MX\kdiagnostictool.qm
Filesize3KB
MD55afc7d8ba894df59c2b3f44726cfc2db
SHA1a21a7a8fd943455fa47cc5d950603bf1bc5a145a
SHA2564824e414e29358d0011ad1195059bda195a90cedfbd4c0f07f8cdeb0e84dc2be
SHA512a9a040e0f3555f61094b42202581a262d29377d414dc6a87596a2bbe4daea8fa3bf2eb10ac52fa6d94a522d54f404e247ee7b272cb41acda898ed6734c8ed639
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdiagnostictool_1.1.2022.105\mui\fr_FR\kdiagnostictool.qm
Filesize3KB
MD562f3720e184f094c874fe0eab7f0f598
SHA1cdd858a80bbd1268e7c5278ebe19c35659871d2b
SHA256bdf3b27cc070b3cd9deb9a5e2bea450382d6851723c266eb0d5f3db4798f5a14
SHA51214f532053b0272fe0c614de9b56bfd9ac85aee11e878e099531250b00f667d2428789e81b5ded64cbe51dc8e3e8e19d7cea8dc08314b1c0274de15fca17b92b6
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdocreminder_1.1.2021.123\download.7z
Filesize103KB
MD574432b07c0d487222b7e2cbf41f64cf6
SHA1f8848146f77d934e0fdc5357ae7e250f317477af
SHA2562900cd45164c200a4d9dd39f77bec89926564a87f6228fc3fee1a6058728e3f2
SHA51217cd2d8ff90f3b8dd251099cde43ceb8bb342484295a52d3f587ffad462c4fd9f6418b35452ac7075bf421fce380c75b0aea164319b7bb2db20146c3efa76f72
-
Filesize
292B
MD5da4b75c3d70c08be415e7b25abdc11cf
SHA1c84dfbb528a3c8ce94d068dfc5fbdf7d621d0225
SHA256e93c62beee030970bf56bf0a3aa372ab0b155c1c3436173617c8c735024e8f36
SHA5120fa811055deed42a6cbc0f16f93da173718f4169ebf8d4ea125276c6225ba033c7644a68ee010250379b67a057e17e5cba6351deca067850ab318c505f49e491
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kguidegopremium_xa_1.1.2024.2\download.7z
Filesize520KB
MD569f0121871c4fd001f9bf2c22c8f1852
SHA1b2155944f37f6ee42ae3b693355a9a1f93972009
SHA256f7e8bc519704a27bfdab7da117f85392c41b3300e5349c107b397405ce77f0fc
SHA512e495d74d8c6b4989dd3de5fd3d27e8f3f3af608ccec593b68fcc67f21f7879e211171c91d7e22a0fbfdb5bec80906c4c9ff1f21c8c8a71565ee9f23f521ea788
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kguidestartuppane_xa_1.0.2024.8\download.7z
Filesize410KB
MD51765efbf2935f90b026320f5a33bedd4
SHA1c2acad71c969dd84121d38037a28b24fdb03afb7
SHA256039acdcbf2758949a2ff728cba011ba4310303fa636ae9789b2c193ae7dbb697
SHA5129bc6e294a159a0ed82901d6b1702171d4ffd1c0a344ffdbb7d80d9a7fa111daed886d5e0f459830cb0d8602a4299fec5fbf55fb4655fe32ae9e3331cdee14ad3
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kheaderupgradenotice_1.1.2024.1\download.7z
Filesize445KB
MD5f9ff8d5420b4e94b56438939a0e5dd44
SHA1200ed59ff1a7c7c031f40ca11fddfff1591a2b44
SHA256b693e86dc4cc14fbc3dd769fc6f74d312c05bf927dd1bf5ae338c419f853b853
SHA512dcd3bca7f2a550e13ca43f0f9af59a12b5f7f10c9762802c97c7ef308353ddb23e2b87d42d306f967beb6684f4da727a1b3785466cf2c1ee73dcd4aa8e09f3e9
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kheaderupgradenotice_1.1.2024.1\res\index.html
Filesize1KB
MD566bbeb8733bee0c788685880cc46acc5
SHA107d104aa23fd4ad765095ea771667e1440ac6bca
SHA256faf96f1472b09c6eed78da690151b5b57133733e2f562dc6678602746a79342b
SHA5122d919a92b2c425d0f08d609fd825de151c5ce54cd31d83405054fa84194c85568ba512af4f1b38136c12152764ae0ae34441f36b4f23ed5ae74438502b0d1558
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kheaderupgradenotice_1.1.2024.1\res\static\js\manifest.js
Filesize1KB
MD5af5a4ff62384fe67791d8cde9176ac0d
SHA1cf5aa9528fe795b75a569352466ad944652185c8
SHA2565d1122539ce1ae98804e216cbfcada9f2603fe4f86454b2b29e7d7448da97891
SHA512f78a72b7ba06b257fec3a97bb62d20f7562212e995d62438bfe3d8181fe7f56c3e14194e9203e64b0e259a7cbdd900125f5f185bc8d736c881f8ca0e2920273d
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.0\download.7z
Filesize3.6MB
MD5456952a0266ebde5f96cd1de8e284e9e
SHA1124d715a75496937de3761b548ea944b07ea2653
SHA256c2bf7eb754a1eb45fcbd1a1ff8aa7b022e2eb386ee6531a8729fa0e5b332ab70
SHA5126c04f5fd49d76fc7c86d188a9b664a26ea61f43b39be6d3278c1dd41d3ae58b10240a574aa0a06ec125820df11d71c3107e020ca5017038b4fed31918627f0ea
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.0\resource\premiumcode\element-icons.ttf
Filesize54KB
MD5732389ded34cb9c52dd88271f1345af9
SHA18058fc55ef8432832d0b3033680c73702562de0f
SHA256a30f5b3ba6a48822eae041e0ca5412a289125e4ba661d047dae565ac43b4a6b2
SHA512e8971ae48f5287d252f5b0a2d0516091bef0d2febf7d01fd7b435e426d106fea251037439ec42c2937e934b66f38e5eb43d00a213cdf334f482f4a06b1817f9c
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.0\resource\premiumcode\element-icons.woff
Filesize27KB
MD5535877f50039c0cb49a6196a5b7517cd
SHA10000c4e27d38f9f8bbe4e58b5ce2477e589507a7
SHA256ab40a58972be2ceab32e7e35dab3131b959aae63835d7bda1a79ae51f9a73c17
SHA512da269b20f13fb5b0bb4628b75ec29e69bb2d36999e94b61a846cb58db679287a13d0aa38cdf64b2893558d183c4cc5df8da770e5a5b2a3288622cd4bd0e1c87b
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.0\resource\vippayment\assist\base64.js
Filesize6KB
MD512477cb6bc99f90086f05e54ea7dcbe8
SHA14009eefda873514a6579830888d5f12c50d7b3de
SHA2566520eca957e8a4d7e68e0dfe17f1cea9d42c6378962f454e7a911ff32e5e6248
SHA512a7a16f935d71f60bb382622ff781a3cef234865efbaef62ee268163a416bdd9ea285f33c843fb729cf8b8eb6d18a81de5311b01d19b48c998b08d79f29e59d13
-
Filesize
703B
MD50edafbd62638a75ae8b4debc9fd0b3db
SHA1814e953384ee2771bfcde0584b0f6f5691217ede
SHA2563332953a07daf624094590bc8d2bf9d4ff1ec12c53a43a7310efa11c7cfb71e8
SHA512ab42c6b7922f7137779417bdb5246ff660133f8d566a54fd067ecf787d27ffaee1d65704a4b9574a6fffede9b497b93638f558ff2689d375017d5b074ec88120
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kscreengrabapp_1.0.2020.180\download.7z
Filesize22KB
MD563c4fc2706885905af8ecb9e8d6e7587
SHA1d87bc3aca0ed2f995cbe5420f9d604279c85b4df
SHA25667014918d74295a7eca03d3edd4d7d35c14271bd731ca50744649ff8a91785df
SHA512a114cba2736da1c6da68a246076b0f00c6d2596de2f596a97136054efe811e7445e66c38b4a940fd5aa2b7e23d4c8f708516821c51907c1d75e9612c872f9f78
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kstartpagebanner_1.0.2024.4\download.7z
Filesize173KB
MD57be45b4650a019a60c8eae76b6e1f0b8
SHA1ddb17c729a0b515b7fbf8bfbee887746dcdfbc3b
SHA256988a9b41dba2fe2d576416c2ac9fa8c72ed9a1f541bfec4d126a209274dd812c
SHA5123551447079c21d0934828ebb769d0b4326e5d6c6552885c9824080862d09c48324210b63e25bc1041dddf8ba32528031c97e8d37bc44d78b6bf2fa7183d66905
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kstartpagebanner_1.0.2024.4\res\popupVideo\img\icon-close-hover.svg
Filesize742B
MD52ba5639af3d54e842950dd70111494f8
SHA1f893ff8e9ea8e7df7512ca51640b3535b8d36603
SHA25634bde4a261024c7f1765684836ca58df2928d35069b9e35913a79274b22f60e6
SHA512e026d283adcd1c8f5c7a6d4e68b17754ecce0374e4fc1317ead694a078ec2268d9cdc8924fb8d2b36ce60835399598e508874e552ff74e9fa5d90fa65ddee013
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kstartpagebanner_1.0.2024.4\res\popupVideo\img\icon-close.svg
Filesize787B
MD5638afc2355d020561133690e6ef849bd
SHA11014cd4cc2b7647ef82044dbacaf0d6926aace7b
SHA2563b315efb51c084c848ee511dc462eca1b28a6b1c149aa4befe3b98d26281db4b
SHA512dfd817879a8e772b485d73881114a9e9bcccf29884d0f941bac614667faa4c6c38a971e4d0bb94a7390c6afb069b5bac4a20f67d347f90b5ecbf63a85ffd742b
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kuserinfomenu_1.1.2024.1\download.7z
Filesize203KB
MD5047838d673c348c89a467b4c0fa4cbd0
SHA1d93a46e534422f62fec109c4098902991eb08276
SHA256a5c428cace8a68799441b01ed3ab62e528c0a1b01862c533b2d1770824dd6129
SHA5120e8c010162bd5f204824df5d9c0900199585db5a777915d36ac4fad4871210d798167ea87b2818990807ef0986c940b258643fb6cab260394497135aa402a170
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kuserinfomenu_1.1.2024.1\mui\default\icons_svg.data
Filesize39KB
MD515801a93c46565187d560863a0061791
SHA1515475c176bf8d4ea28721ad8a41a63730f64617
SHA256eb89917938b1c7f84eab66320d4424793a2eca6cce0e30ed994b7c2891bc0d48
SHA512ae5ebbf60fe06f11f0f2afc3e8c6640bf73a444c60bb9181366fe4ed80dc776c50838e6e9c56fd11fd04e166237ce742b4d6e5efcf8646bc50ea2501005c14dd
-
Filesize
56KB
MD56e2fc2eede73e3efa5fff9333ff40c9d
SHA100cc9b3c84780d65e4aa4edbb19303974e9a200d
SHA256845b89c37d4cd41b04623b5e8804d69aef323b18b1d2dcc860777e776c048012
SHA512d5c1e13d93b12ac0eed567dc0063cf83e68b9d3edd03756f0b4380521f9e974a31878c0213e81bfa38510c6016a7b71edc16bbb06bbc5ff89acbba9d8ac1d54e
-
Filesize
312B
MD5ad3a68e7d8c8bf2470282567d8ca7ded
SHA1addb5ab04165b4743ffb985918c08ba0a76a6eae
SHA25627e743bc78f9a2862d822fc171789160905ee26545466f93052f8565aebd523f
SHA512c8e4b63fb79c365cb48a0ee0c4351f6f94da9ba8ce62f0b14d8ed45726ebaa478f581efb37e254e75e1c561f5ffa1d8985e867957c68c04b8eaaa2945e838505
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kwpsinco_xa_ksolite_1.0.2024.3\download.7z
Filesize39KB
MD57b979dd63724d952a1422473776c4757
SHA1c8b2b477d6f52ce01ebf87d1c00cd1886b3577b0
SHA2566b32a77b31621df79ae220ed6bf24558319c438230af2cf21292fdfbcb69f1e2
SHA512345eaa9f8d801670d517de34baf24114807dd5f92189744512561370627fc48468fef0e0b9718ae249715b97a8cd304bc619f97ee35adc3177c363195e6d69bc
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kwpsinco_xa_ksolite_1.0.2024.3\run.ini
Filesize265B
MD5235c61a9b48849f011b96ad861d1606c
SHA15ca11e0f37f20499be6583d85cbbdb91419aaa89
SHA2567b304b743ca6598f385a05c8c39408ae2cd406d2190e49eaf28989059dec4492
SHA512ca75e4170f0c9842cceac6c6f69bae606ef57cb246765272d4da763cbb6d1d37dbff775a45cf592064f004d60eeee507ac04549ba91d2073113c803aa081a7c5
-
Filesize
6.7MB
MD552fa9ee47c6ce4d0daf599d851515659
SHA1f2d5bbbd452e58b999ddc13122dcb740f42c4519
SHA256f80174e11b2ce95c8325bdad9c8d69ada0835d04c6abae0a6a742566af0c5dc3
SHA512f794ead891c33dfbe072f122cb72a3cf968da4f426699937d3890d4997c01bed632b9ad7ca24561a4ed777a011eac9181b71ccaa0a8e5080b561258fa90f8954
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\photoforceasso_xa_1.0.0.1\download.7z
Filesize275KB
MD5890018bbb3ab5d25a6c1737e7f128bab
SHA150f258af178afdc80bfd32b4d5ceea74eb3fb312
SHA2565f2b53d5348ee9d43f2f4eeb15443af7b236f27fd699453685c32fe98ad79e7a
SHA512cecebba4846a8bff6bfee6a0ad89361e3d39f8f2775b68dee22a0a96c1a0ee3792ce0749295a38ae6d004a60dc8a9894b935d520a651fa192a30781c8543556b
-
Filesize
311B
MD582cb83edcdc6d19d3e10dd42ede04a54
SHA13a9dd33485800ad156f7fba8c637ee59e4ba2d4d
SHA256a11a80d525c8dbadbbfa8bdcee6dc6b5d84a947d44cf0ef2ba1ed1c9b51cf392
SHA512eea882b5030d21a6c88d53afcebfc399a4523062b3d6c99aed9f7eafaff1483f0eece912f75fb11c30f48af645bfe157afd33ec8047249d3f79c39dee057d599
-
Filesize
476KB
MD541bee6b98088768aebf4fa633def79fa
SHA1384df283531623cd111f0b524105b85e27903976
SHA256daee2b78f4e2960a35a6e4de3ffa0dca8068725d0f1b18f6d48a5b06c8e71003
SHA5126d0c3cb900b00ccb48546fed9e4f633f05f5c61be55ef3f8fc8d3761acfc3d3d2728ee7fc96e5c68ec4a2ffb2531eafa9b5c48701de7feb9f404d1a6c73dc824
-
Filesize
1.1MB
MD5c2d146a5359002a751ca8ac02a2af3a7
SHA1847b3cb0ba52fe77869800accba3feef4486c2a5
SHA256e0daa77458e3833d7dc90dc571dfe576aa08e0f7f7d9bd2ba35bf01e534d5eae
SHA512de84d24894f829f72562c848c64dc7d43556f4e93706b602ff9f6d891dc8757691e0f742dbbb8125eebd069479f56f0cf7af8c04db286187f87b0eb3caa2603a
-
\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\api-ms-win-core-synch-l1-2-0.dll
Filesize11KB
MD5eb6f7af7eed6aa9ab03495b62fd3563f
SHA15a60eebe67ed90f3171970f8339e1404ca1bb311
SHA256148adef6a34269e403bb509f9d5260abe52f413a6c268e8bd9869841d5f2bd02
SHA512a9961212b40efc12fd1ab3cc6551c97c987e73b6e409c9ab8a5e1b24542f9e5884811f06883bd31d2585219c4f60c30de2d188788513c01b6cbfe22d539d7875
-
Filesize
5.0MB
MD5677bc25f723c163aeb9408490bb6b782
SHA198f6ca86cd39c974083e4db1b0e193260cf46830
SHA25687602cf0eeb30d81ad5b257c83931959e8d841e07ee81cdb093092b267c21abb
SHA512eafacc95444a89448396cb94a52628bb573d562429f4368552d4bafc5323333ddd7473fcf315e012b768fe92ced00ad20c2f5138dbb1eb2f560020d5a1ffe7e3
-
Filesize
5.3MB
MD50849984cff99db55aba5d085efba5d0e
SHA1802cdd8163ba992b206c0331b4fb4644bd7ff562
SHA256e277f4876e73b81abbd09f6f1f5965adf50a458ebd3dcddd98f3f8a145a0f875
SHA512cf6295bed846c41e899446ec8520a6ed1d7ca522b092bf234aa7912b8797a519501c5fb519b6888a65516c5923b74ad6674bd009c7672880fbb27762b1426b50
-
Filesize
378KB
MD5e654635510b1aa9482796b2e543b6f9f
SHA1d3e85dc5709ff4013c9904eec579cc268bcc843b
SHA2568443816d6e933358cdfaa82ac3e75758347d31d02a0ea23c71899c875b2069d9
SHA5123b119df0b7d058f47834259a907ae3e132936d2897dbc178eb425a16948c47c15f5126eff3cc5ef306b2ba967063dcf7e5d0066c9102aeec214b12d692d0be8b
-
Filesize
4.4MB
MD55545333769aa479ed5e4f23f40fccd99
SHA1c216b59399217290e9f579c1521f0b724d24bf0b
SHA256a076e1fea2fa579e647968a25c96c7a472d279883fdf25a0dc6345ed6ee5829a
SHA512e3520b4e544e0b3a3d9d2404d63423968b8c5e3426e88ca71e2d1743520e6ec81464baa2b01fc6199e1004d5496c7d49944d7b4cea84edab384decab3a27202c
-
Filesize
445KB
MD5523c6a8629b886557c7fe84bbc1786a5
SHA10dc9d1fde374d9d5f36f78301d2ceed757ab442e
SHA2561f3f02f173bfdb534b642e54356d4ea5a9f95a50d8cd49f45b5d30dc8e77c854
SHA512bbcd8c1bbd3a02ea3e535ccf27f998a51885d05202331a5387cd76abee16247bc8ed63be08f9fe445ca4622a59e85bb7b20cd9f7b622937a17e93247e8585082
-
Filesize
11KB
MD5cd3cec3d65ae62fdf044f720245f29c0
SHA1c4643779a0f0f377323503f2db8d2e4d74c738ca
SHA256676a6da661e0c02e72bea510f5a48cae71fdc4da0b1b089c24bff87651ec0141
SHA512aca1029497c5a9d26ee09810639278eb17b8fd11b15c9017c8b578fced29cef56f172750c4cc2b0d1ebf8683d29e15de52a6951fb23d78712e31ddcb41776b0f
-
Filesize
10KB
MD5b181124928d8eb7b6caa0c2c759155cb
SHA11aadbbd43eff2df7bab51c6f3bda2eb2623b281a
SHA25624ea638dfa9f40e2f395e26e36d308db2ab25ed1baa5c796ac2c560ad4c89d77
SHA5122a43bf4d50d47924374cde689be24799c4e1c132c0bc981f5109952d3322e91dd5a9352b53bb55ca79a6ea92e2c387e87c064b9d8c8f519b77fff973d752dc8f
-
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-core-localization-l1-2-0.dll
Filesize13KB
MD521519f4d5f1fea53532a0b152910ef8b
SHA17833ac2c20263c8be42f67151f9234eb8e4a5515
SHA2565fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1
SHA51297211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417
-
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\api-ms-win-core-processthreads-l1-1-1.dll
Filesize11KB
MD5b5c8334a10b191031769d5de01df9459
SHA183a8fcc777c7e8c42fa4c59ee627baf6cbed1969
SHA2566c27ac0542281649ec8638602fbc24f246424ba550564fc7b290b683f79e712d
SHA51259e53c515dfa2cd96182ca6539ed0ea2ebb01f5991beb08166d1fc53576aeaafebbb2c5ee0ccbdab60ae45fc6a048fff0b5e1b8c9c26907791d31fb7e75b1f39
-
Filesize
11KB
MD586421619dad87870e5f3cc0beb1f7963
SHA12f0fe3eb94fa90577846d49c03c4fd08ef9d3fb2
SHA25664eccd818f6ffc13f57a2ec5ca358b401ffbb1ca13b0c523d479ef5ee9eb44ab
SHA512dbce9904dd5a403a5a69e528ee1179cc5faab1361715a29b1a0de0cd33ad3ae9c9d5620dafb161fda86cb27909d001be8955940fd051077ffe6f3ff82357ad31
-
Filesize
14KB
MD588f89d0f2bd5748ed1af75889e715e6a
SHA18ada489b9ff33530a3fb7161cc07b5b11dfb8909
SHA25602c78781bf6cc5f22a0ecedc3847bfd20bed4065ac028c386d063dc2318c33cc
SHA5121f5a00284ca1d6dc6ae2dfce306febfa6d7d71d421583e4ce6890389334c2d98291e98e992b58136f5d1a41590553e3ad42fb362247ae8adf60e33397afbb5df
-
Filesize
11KB
MD50979785e3ef8137cdd47c797adcb96e3
SHA14051c6eb37a4c0dba47b58301e63df76bff347dd
SHA256d5164aecde4523ffa2dcfd0315b49428ac220013132ad48422a8ea4ca2361257
SHA512e369bc53babd327f5d1b9833c0b8d6c7e121072ad81d4ba1fb3e2679f161fb6a9fa2fca0df0bac532fd439beb0d754583582d1dbfeccf2d38cc4f3bdca39b52d
-
Filesize
12KB
MD5a1b6cebd3d7a8b25b9a9cbc18d03a00c
SHA15516de099c49e0e6d1224286c3dc9b4d7985e913
SHA256162ccf78fa5a4a2ee380f72fbd54d17a73c929a76f6e3659f537fa8f42602362
SHA512a322fb09e6faaff0daabb4f0284e4e90ccacff27161dbfd77d39a9a93dbf30069b9d86bf15a07fc2006a55af2c35cd8ea544895c93e2e1697c51f2dafad5a9d7
-
Filesize
11KB
MD5a6a9dfb31be2510f6dbfedd476c6d15a
SHA1cdb6d8bd1fbd1c71d85437cff55ddeb76139dbe7
SHA256150d32b77b2d7f49c8d4f44b64a90d7a0f9df0874a80fc925daf298b038a8e4c
SHA512b4f0e8fa148fac8a94e04bf4b44f2a26221d943cc399e7f48745ed46e8b58c52d9126110cdf868ebb723423fb0e304983d24fe6608d3757a43ad741bddb3b7ec
-
Filesize
11KB
MD550b721a0c945abe3edca6bcee2a70c6c
SHA1f35b3157818d4a5af3486b5e2e70bb510ac05eff
SHA256db495c7c4ad2072d09b2d4506b3a50f04487ad8b27d656685ea3fa5d9653a21d
SHA512ef2f6d28d01a5bad7c494851077d52f22a11514548c287e513f4820c23f90020a0032e2da16cc170ae80897ae45fc82bffc9d18afb2ae1a7b1da6eef56240840
-
Filesize
21KB
MD5461d5af3277efb5f000b9df826581b80
SHA1935b00c88c2065f98746e2b4353d4369216f1812
SHA256f9ce464b89dd8ea1d5e0b852369fe3a8322b4b9860e5ae401c9a3b797aed17bf
SHA512229bf31a1de1e84cf238a0dfe0c3a13fee86da94d611fbc8fdb65086dee6a8b1a6ba37c44c5826c3d8cfa120d0fba9e690d31c5b4e73f98c8362b98be1ee9600
-
Filesize
15KB
MD54f06da894ea013a5e18b8b84a9836d5a
SHA140cf36e07b738aa8bba58bc5587643326ff412a9
SHA256876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732
SHA5121d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79
-
Filesize
16KB
MD55765103e1f5412c43295bd752ccaea03
SHA16913bf1624599e55680a0292e22c89cab559db81
SHA2568f7ace43040fa86e972cc74649d3e643d21e4cad6cb86ba78d4c059ed35d95e4
SHA5125844ac30bc73b7ffba75016abefb8a339e2f2822fc6e1441f33f70b6eb7114f828167dfc34527b0fb5460768c4de7250c655bc56efd8ba03115cd2dd6f6c91c0
-
Filesize
17KB
MD5f364190706414020c02cf4d531e0229d
SHA15899230b0d7ad96121c3be0df99235ddd8a47dc6
SHA256a797c0d43a52e7c8205397225ac931638d73b567683f38dd803195da9d34eac2
SHA512a9c8abbd846ab55942f440e905d1f3864b82257b8daa44c784b1997a060de0c0439ecc25a2193032d4d85191535e9253e435deed23bdf3d3cb48c4209005a02e
-
Filesize
13KB
MD5d0b6a2caec62f5477e4e36b991563041
SHA18396e1e02dace6ae4dde33b3e432a3581bc38f5d
SHA256fd44d833ea40d50981b3151535618eb57b5513ed824a9963251d07abff2baedf
SHA51269bd6df96de99e6ab9c12d8a1024d20a034a7db3e2b62e8be7fdbc838c4e9001d2497b04209e07a5365d00366c794c31ee89b133304e475dde5f92fdb7fcb0bc
-
Filesize
11KB
MD53dfb82541979a23a9deb5fd4dcfb6b22
SHA15da1d02b764917b38fdc34f4b41fb9a599105dd9
SHA2560cd6d0ff0ff5ecf973f545e98b68ac6038db5494a8990c3b77b8a95b664b6feb
SHA512f9a20b3d44d39d941fa131c3a1db37614a2f9b2af7260981a0f72c69f82a5326901f70a56b5f7ad65862630fce59b02f650a132ee7ecfe2e4fc80f694483ca82
-
Filesize
2.9MB
MD524c1c69547498300c8a9fef3d49d1f5b
SHA154adfe188efa56fc52438513692c1306f2f23e52
SHA256c548c442d41c9ebd90fd22f4248097c857455f05a51125f00f10ab8a2e058cd8
SHA5127693251d2dcac0efc8156a94957bf4be9492f3e179692fbe82c30d9fcc6e37771b79f569024a21545299cbc2081aefdd544388b42d635d99f0ff7c7fcdab20ab
-
Filesize
439KB
MD55fd0772c30a923159055e87395f96d86
SHA14a20f687c84eb327e3cb7a4a60fe597666607cf3
SHA25602c7259456eac8cbadfb460377ba68e98282400c7a4a9d0bf49b3313ef6d554d
SHA512132a9b969104c0a214bde3f8c6e8f754d116cecdad55224bbea7a40cffd98f4e4de503d83d92cca0aaab9ed51c9efa00ad5caed69a9eda71013598a43b161c3a
-
Filesize
61KB
MD5c86cfa96b6bc8d403cc27fe4bb901394
SHA1c7abcc4df6b149ce9fd04597bab5a2a7d85b53a9
SHA256ebfe0b2f1ec1d2330329f533d27225a7dde70711b718b71638aab753727f4fb1
SHA51219ff68d0e52e856178974e6af89269bbcbd47090caea7964c3c1e8fdba0d340a730b6415aba17c1a66cbf685de8b76a98fd68aaaa78c887e9298c187579e118a
-
Filesize
41KB
MD5daecfd1742dfdb76c6a5663c8b3577c5
SHA14857af5fc2c4b780b325682210873748448d9e76
SHA256550f635c1c6610b07af9177df139b914d1f42299ed8f75f2dc0f9ac3e2a96294
SHA51297848b03260c4306f93339096c4e2d0c5e20715580267c29a1fff16df1056f11662dd2e21bbe85a34d2b07f9806820d1badd043065692699db622e6dfaabd02c
-
Filesize
1.3MB
MD507e26db5ff3902a3f6aa4804d030982d
SHA1dfcd419b7d1f52d55f679316110e77c66bf2d289
SHA2560d55c384a68fd74df4034250ad60e04de00f072221e95d79ed71a0373db224b9
SHA512d9d7576f20664600d44f63db99ef23d7a5d03d85d4e7403d4787ee709d63665e52e35f0e2e8abe4c2a5c4db040bd0de4530ff2d87d3fe9ae2df2abaa433e11a4
-
\Users\Admin\AppData\Local\Temp\wps\~f762f79\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll
Filesize146KB
MD5b6753bec77430c645682c3b705b6cc13
SHA1ac523c5a8ba93cdcccb626b359cbb061d45528ec
SHA256cd950cc5dc9cb3d6634c93c53d044021df14460b7ba25464a2f23389e49ae10f
SHA512f753c6f3945c3b85460486309bf8d63aa8432fc6acd9be5808f1fdb8b79effcc518245054b14ba0acbe3397145facad3a30d576149dffa344a2823d58a2149fc
-
Filesize
1.1MB
MD52040cdcd779bbebad36d36035c675d99
SHA1918bc19f55e656f6d6b1e4713604483eb997ea15
SHA2562ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359
SHA51283dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f
-
Filesize
81KB
MD5e51018e4985943c51ff91471f8906504
SHA15899aaccdb692dbdffdaa35436c47d17c130cfd0
SHA256ff9c1123cff493a8f5eacb91115611b6c1c808b30c82af9b6f388c0ef1f6b46d
SHA5122fe5ddad2100aeaea35398384a440ba0be169ef429f7e0b69687bc0f8865df41bc93fc80d3a8f0ddd9df54fc2f2d76b1056a1d1962d37432704c818128ffbd74