Analysis

  • max time kernel
    111s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    31/10/2024, 13:48

General

  • Target

    wps_lid.lid-e8BnL2v7Bbrm.exe

  • Size

    5.5MB

  • MD5

    f4adec8ff71b27363ad91be552df4f1e

  • SHA1

    374f3f3c88856eb4965474a48a7ec75f4e8c2de0

  • SHA256

    7be6628a085b244b6478dd8bf1a6074aa83fea23671d70662a50aa8b5292fe56

  • SHA512

    690a9622a5fe3d1f96efefcd753395557b6254a71c7dbce82e447cfe3fbfbc18781cb94477bf75504722ca66b3999c6d5b37c2ecc69be3cdb32760f497ed777e

  • SSDEEP

    98304:hrI1lEAOYB6RJ2dqW8LZJc+ZQSAA4zJOi6f4sdw0dGzB/1X:iXGULEFrcPJzAxf4+FGVF

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Checks computer location settings 2 TTPs 10 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Executes dropped EXE 37 IoCs
  • Loads dropped DLL 64 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 30 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 61 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe
    "C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-e8BnL2v7Bbrm.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
      C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe -installCallByOnlineSetup -asso_pic_setup -createIcons -curlangofinstalledproduct=en_US -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps -enableSetupMuiPkg -appdata="C:\Users\Admin\AppData\Roaming"
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Checks computer location settings
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1880
      • C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
        "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService
        3⤵
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1616
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regmtfont
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3236
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -setappcap
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:5068
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -assoepub -source=1
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:748
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -registerqingshellext 1
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4152
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\html2pdf\html2pdf.dll"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4244
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regmso2pdfplugins
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4468
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4428
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1904
          • C:\Windows\system32\regsvr32.exe
            /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"
            5⤵
              PID:3420
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regPreviewHandler
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:440
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -assopic_setup
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2316
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -defragment
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4316
    • C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe
      "C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.600.1018.exe" -downpower -installCallByOnlineSetup -asso_pic_setup -createIcons -curlangofinstalledproduct="en_US" -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -enableSetupMuiPkg="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -appdata="C:\Users\Admin\AppData\Roaming" -msgwndname=wpssetup_message_E580D59 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\
      1⤵
      • Writes to the Master Boot Record (MBR)
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2428
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setlng en_US
        2⤵
        • Writes to the Master Boot Record (MBR)
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:116
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -getonlineparam 00600.00001018 -forceperusermode
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:752
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -getabtest -forceperusermode
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1240
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setservers
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3256
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -register
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4440
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins.dll"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:876
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2776
          • C:\Windows\system32\regsvr32.exe
            /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"
            4⤵
              PID:3144
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -uncompatiblemso
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1908
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -saveas_mso
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:400
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -distsrc 00600.00001018
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4508
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -sendinstalldyn 5
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies system certificate store
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1956
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          PID:3236
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -externaltask create -forceperusermode
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1564
          • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe
            "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4392
            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe
              "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" CheckService
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3520
            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe
              "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.18607/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=4392 /prv
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:1084
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink startmenu prometheus
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:5016
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink startmenu pdf
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3992
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink desktop pdf
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2468
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink desktop prometheus
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4820
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createCustomDestList
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:876
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kwpsmenushellext64.dll"
          2⤵
          • System Location Discovery: System Language Discovery
          PID:2544
          • C:\Windows\system32\regsvr32.exe
            /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kwpsmenushellext64.dll"
            3⤵
            • Modifies system executable filetype association
            PID:4932
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe" /from:setup
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:5012
          • C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
            "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2776
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe" -createtask
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3764
          • C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
            "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2012
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createexternstartmenu "WPS Office"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:972
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -rebuildicon
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1656
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -reportAssoInfo -forceperusermode
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2980

      Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\Qt5NetworkKso.dll

              Filesize

              1.1MB

              MD5

              f250f6f6db34808e67bc3a603312f93d

              SHA1

              9de21d268b014fd8e042699372c48696b4e824f9

              SHA256

              d81d04cf294985d535a25d8d1797a3f65155b0b3cbc5095922cfe122354066bc

              SHA512

              ae354243032cb28fdbca69fdbffabb677e4a5f96e957b56377a1381605d8de1fccbaa8db183c375932aee9130fe8b0e5de9c581d4cf9cf3aee19b3e1f43d1839

            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\Qt5XmlKso.dll

              Filesize

              170KB

              MD5

              3e08e7ca30a665c5f0f9cf14e269f028

              SHA1

              dcc612f071c7c7349ee0240291ff8bbf4a8a0c46

              SHA256

              b658adc8782c0fb998b0535ba166f9aaa59e3cd193e1cfcce0e9b4c918f20834

              SHA512

              0f6a81e079fbec8a52eabb1c1bd2dafa7d64194008d1c839988e70faef971f8be81bc48c8ea0f79db32a8b1fbce0270992ca3d15df3bea121260c168e41d5ee9

            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kodfconverthelper_xa\mui\pt_BR\kodfconverthelper.qm

              Filesize

              334B

              MD5

              2b42be10ddde43a0b6c2e461beae293a

              SHA1

              53888c4798bc04fdfc5a266587b8dc1c4e0103f3

              SHA256

              984ebeef80f6f50907afb92e5b5ae72df49fce045552c118a77a8887cc98e19b

              SHA512

              be3ebd02d37de367200696351fb5f9cd0ec4c206c3a33f281cb8b62386457a30a899322798c63a0d495577393e47258994feb7f8e2445645f552c2b7a2de6778

            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\pt_PT\history.js

              Filesize

              198KB

              MD5

              b4b4c703bf5c6c0b5e9c57f05012d234

              SHA1

              929aee49e800e88b4b01f4a449fa86715d882e42

              SHA256

              910eada285d4900ea8e36faf305f731cfb200b317ea866839f5f4864a9dfc09b

              SHA512

              2afa881ee2f47e97249904b506cf88d68a34c166d9dc0a603f68369e640336f2c0b424ecb7b23d4631a96e175b965478bfa4ebc0224b0410551e55ac4c8ad0ec

            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\cfgs\setup.cfg

              Filesize

              434B

              MD5

              e6c8b146640faf4ce794d6acef69ae92

              SHA1

              7545235bc328a49b1304b8c6ee5663d43a53cf0f

              SHA256

              cc8027d21cf0750014fdcd5660349999c6a17db4d0449ba81ced2c04269ef6ba

              SHA512

              f13246c250235672fb76f1f41484e81865ede4de8f1a8d8476506b865d5a647a252f9a8fb7bd4c5561710f2f3a98291cbd22aee49c0025c77677774b32068853

            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kbase.dll

              Filesize

              177KB

              MD5

              d84cb177f4720bed63a55f8072e368eb

              SHA1

              82c2caad9184fb2adbfb6a278d082cc1eb7852f8

              SHA256

              9995f580f41f86b12b63d4ab6075568f18de9f2a685fa7368d28d348648f578a

              SHA512

              f385e1182ff0beee3d9051e3cdb4633279cadfd67cfc00ca47a056dc222c9ceeaab34d0b644abcae0b19d4bed81c45cfcd2c81a311b73ef21cd84021602faaf2

            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kdownload.dll

              Filesize

              434KB

              MD5

              abf5ef5de210be0fd2c2a55ee365919b

              SHA1

              6a9104f07a773bed0de1dc3c6774683acc293a87

              SHA256

              064c79fb4d88701c466bb6fd61e1bcfc094b632e641c6e813bf07f699c39f292

              SHA512

              4fa3004296878d0c12203306ab87f7600449bf2326d80bcde041d4b69ffd37d5d97e12214994501f5cb87eeb288d7936004e044c5200c2fc49db855e66448f5a

            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kprometheus.dll

              Filesize

              7.1MB

              MD5

              86110ee28cdb72aed1ec60ade94aeb56

              SHA1

              61457137d8748d477e2e7052c61d8c5b97dd2b70

              SHA256

              9fdf3777efab5262b762097b7178542b506546ad6509006fea8cb90193f09b75

              SHA512

              04700e2e0c6360f3c0ad33ff8e21b9843059d97d7a4ea2c7697fc2baaa613675278308d3687c6b729acffb7d8f7c14e5353f8ec81e7f1fcc5e2f87802b923917

            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\krt.dll

              Filesize

              1.1MB

              MD5

              fd7ef27a8780754d160ee2f70780e62f

              SHA1

              41c463d3a38704a2e3b83d01e73f225f14c1e219

              SHA256

              bafb2c6e3b0dc17f9b487ec50904300e2d0b3db865471f0d9b0e2192ee8bd0cd

              SHA512

              2801e94578571d89f1191eaf4a53324134fff14ffa3835353a184a13eada6467884d7d5e2055628c167b52db3d4dd66b07e90d976607c45acbc916dd67a74851

            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kshell.dll

              Filesize

              23.1MB

              MD5

              8603a85045dee666f1d6005d9a2971e5

              SHA1

              1b4ed0a58d4fd64a6053ad5182bbae332eadde9d

              SHA256

              ca738344b0b9655203e3135c57edd7505d293833def2ca888ac0726993d1d25a

              SHA512

              4d10a004e67b24a6ff5293e582b1870014105b06e0e6bf6b26b90676e9e8007213c409dddb3fa913e214e57429d7a101a20ecdbf957bdd971ede7a90058eb34c

            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kso.dll

              Filesize

              24.7MB

              MD5

              a5ecce5a776b0bae9c2cea3a0e42bf91

              SHA1

              9b0fcacd05b782d2d80dacde5b81c99ad3570935

              SHA256

              1374472aeda7d1fd5cf6f48b1537e8718b7c965e7a57f540b5bce5153717450d

              SHA512

              e5da33f771a063e8b8c30e5df54b2410b045b353c9a781b248346460cf4e9baf977b564d3f4ca4729e9ee67e6322b62ba5f85a9d334be567bfe2a67dd55fc8c2

            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksolite.dll

              Filesize

              9.9MB

              MD5

              9792e7046e96eef015b554282242434a

              SHA1

              87205b343319d7e65a532bc3f696c5719b3d7161

              SHA256

              5e591faf4e4b59126e975472a63452b7c680b7c0cfff3467165140781b3eae39

              SHA512

              18bbb08d0e2fdc2d7c0c79d454cf97c6d1fc74ac31906b4dc46cec497d8a130a48810feb87148e61147c72be6a6c9bff919b8907ffc2cb4db53011f7f4b14d45

            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

              Filesize

              3.1MB


            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksouil.dll

              Filesize

              1.8MB


            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\libcrypto-kso-1_1.dll

              Filesize

              2.6MB


            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\libcurl.dll

              Filesize

              513KB


            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\libssl-kso-1_1.dll

              Filesize

              565KB


            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\mui\ja_JP\resource\splash\hdpi\2x\ent_background_2019_wpsoffice.png

              Filesize

              236KB


            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\qt\plugins\platforms\qdirect2d.dll

              Filesize

              1.4MB


            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpscloudsvr.exe

              Filesize

              904KB


            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\utility\install.ini

              Filesize

              499B


            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\utility\install.ini

              Filesize

              675B


            • C:\Users\Admin\AppData\Local\Temp\Kingsoft\WPS Office.lnk

              Filesize

              2KB


            • C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\Qt5CoreKso.dll

              Filesize

              5.0MB


            • C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\Qt5GuiKso.dll

              Filesize

              5.3MB


            • C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\Qt5SvgKso.dll

              Filesize

              392KB


            • C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\Qt5WidgetsKso.dll

              Filesize

              4.5MB


            • C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\Qt5WinExtrasKso.dll

              Filesize

              217KB


            • C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\dbghelp.dll

              Filesize

              1.2MB


            • C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\kpacketui.dll

              Filesize

              2.9MB


            • C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\msvcp140.dll

              Filesize

              427KB


            • C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll

              Filesize

              61KB


            • C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\qt\plugins\imageformats\qsvg.dll

              Filesize

              41KB


            • C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\qt\plugins\platforms\qwindows.dll

              Filesize

              1.3MB


            • C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\qt\plugins\printsupport\windowsprintersupport.dll

              Filesize

              71KB


            • C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll

              Filesize

              145KB


            • C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\ucrtbase.dll

              Filesize

              1.1MB


            • C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\office6\vcruntime140.dll

              Filesize

              75KB


            • C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\pl_PL\style.xml

              Filesize

              3KB


            • C:\Users\Admin\AppData\Local\Temp\wps\~e580a7b\CONTROL\product.dat

              Filesize

              121KB


            • C:\Users\Admin\AppData\Local\tempinstall.ini

              Filesize

              433B


            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OMPWCK99M99VXFNE9EXF.temp

              Filesize

              8KB


            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\cfg\onlineconfig.data

              Filesize

              99KB


            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\configs\configure2

              Filesize

              208B


            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\ksomisc\ksomisc_2024_10_31.log

              Filesize

              5KB


            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

              Filesize

              12KB


            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

              Filesize

              12KB


            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

              Filesize

              31KB


            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

              Filesize

              50KB


            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

              Filesize

              59KB

