Analysis

  • max time kernel
    143s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    11-06-2024 12:17

General

  • Target

    421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe

  • Size

    225.0MB

  • MD5

    d54254438c5c1d2c3cf234e583ed6c97

  • SHA1

    becbb2ef95317e5f8ae5782538364aa58b9cb980

  • SHA256

    317debaf5cd447549e448e6b929b3e2ea5ae54864b35dbb18833e7a87e6a1636

  • SHA512

    6087b1ea0e3ce1f0daeca7c42e28dfc88db80a9aad48bb7f94e736be309bd78074d4ab06ec057fc88a198f8998cc51fc08174e925ca44c54cf7b2fffeccd8da8

  • SSDEEP

    6291456:qo5Y69DnhF6Rn0lo108kbmXMdyDq/1pA0F0QkDTqaHXXbV/T:qo5Y69DnkndYJ7S0GQkZ3LV/T

Malware Config

Signatures

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 1 IoCs
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 64 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Registers COM server for autorun 1 TTPs 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
    "C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Drops file in Program Files directory
    • Loads dropped DLL
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
      "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService
      2⤵
      • Checks whether UAC is enabled
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4120
    • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -installregister sharedMemory_message_E59F8DD
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3312
    • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -sendinstalldyn 5
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2724
  • C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe
    "C:\Users\Admin\AppData\Local\Temp\421b689fe070ef0f9ee9e71d4e809161-14_setup_XA_mui_Free.exe.600.1006.exe" -downpower -msgwndname=wpssetup_message_E581F5A -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~e581cca\
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3744
    • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:5084
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kwpsmenushellext64.dll"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3304
      • C:\Windows\system32\regsvr32.exe
        /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kwpsmenushellext64.dll"
        3⤵
        • Modifies system executable filetype association
        • Registers COM server for autorun
        PID:756
  • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\ksomisc.exe" -installregister sharedMemory_message_E599522 -forceperusermode
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Checks computer location settings
    • Executes dropped EXE
    • Loads dropped DLL
    • Registers COM server for autorun
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins.dll"
      2⤵
      • Loads dropped DLL
      PID:2344
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins64.dll"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1896
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\kmso2pdfplugins64.dll"
        3⤵
        • Loads dropped DLL
        • Registers COM server for autorun
        PID:4044
    • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3732
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe" CheckService
        3⤵
        • Executes dropped EXE
        PID:1704
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.16731\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.16731/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=3732 /prv
        3⤵
        • Executes dropped EXE
        PID:956
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe"
      2⤵
        PID:4800

    Network

    MITRE ATT&CK Enterprise v15


    Downloads
