Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    31/10/2024, 14:48

General

  • Target

    2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe

  • Size

    5.5MB

  • MD5

    8827b26b1deb9ef9ede4fd262e8d7739

  • SHA1

    1afa3fb51f00f7912fc2d9b3b1466dbc70087e07

  • SHA256

    36b263ca84d8e15aa27c73f74bb99ffbc06fdefabc467c8a00d4eb195adbd6af

  • SHA512

    21a4305f3dd462831da894f602c0d2fdbd4c1d45f6127009d39e18b5c7f37692592786fdbf467c597ee2ba9ff40db9e122a8f4a6fec4e1c4d673abee2561dc88

  • SSDEEP

    98304:prI1lEAOYB6RJ2dqW8LZJc+ZQSAA4zJOi6f4s9w0dGzB/FK:KXGULEFrcPJzAxf4+FGV4

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Checks computer location settings 2 TTPs 8 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Executes dropped EXE 42 IoCs
  • Loads dropped DLL 64 IoCs
  • Modifies system executable filetype association 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 35 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Checks computer location settings
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1576
    • C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe
      C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -curlangofinstalledproduct=en_US -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps -enableSetupMuiPkg -appdata="C:\Users\Admin\AppData\Roaming"
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Modifies system certificate store
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
        "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService
        3⤵
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2852
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regmtfont
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1392
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -setappcap
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1940
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -assoepub -source=1
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2804
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -registerqingshellext 1
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3052
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\html2pdf\html2pdf.dll"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2540
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regmso2pdfplugins
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:308
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2628
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2356
          • C:\Windows\system32\regsvr32.exe
            /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"
            5⤵
              PID:2172
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regPreviewHandler
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:764
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -assopic_setup
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2800
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -defragment
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          PID:2596
    • C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe
      "C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe" -downpower -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -curlangofinstalledproduct="en_US" -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -enableSetupMuiPkg="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -appdata="C:\Users\Admin\AppData\Roaming" -msgwndname=wpssetup_message_F773A62 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~f7737d2\
      1⤵
      • Writes to the Master Boot Record (MBR)
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setlng en_US
        2⤵
        • Writes to the Master Boot Record (MBR)
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3012
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -getonlineparam 00500.00002079 -forceperusermode
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2388
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -getabtest -forceperusermode
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2796
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setservers
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3004
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -register
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:688
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins.dll"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:404
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1080
          • C:\Windows\system32\regsvr32.exe
            /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"
            4⤵
              PID:996
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -assoword
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2252
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -assoexcel
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2640
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -assopowerpnt
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2844
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -compatiblemso -source=1
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1752
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -checkcompatiblemso
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2660
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -saveas_mso
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1816
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -distsrc 00500.00002079
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3012
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -sendinstalldyn 5
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies system certificate store
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2624
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2852
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -externaltask create -forceperusermode
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2692
          • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe
            "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2768
            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe
              "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" CheckService
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:1668
            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe
              "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.18607/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=2768 /prv
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2540
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink startmenu prometheus
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2480
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink startmenu pdf
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2492
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink desktop pdf
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2308
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink desktop prometheus
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:464
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createCustomDestList
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2104
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kwpsmenushellext64.dll"
          2⤵
          • System Location Discovery: System Language Discovery
          PID:608
          • C:\Windows\system32\regsvr32.exe
            /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kwpsmenushellext64.dll"
            3⤵
            • Modifies system executable filetype association
            PID:2076
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setup_assopdf -source=1
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1700
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe" /from:setup
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies system certificate store
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:268
          • C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
            "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2320
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe" -createtask
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2096
          • C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
            "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:328
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createexternstartmenu "WPS Office"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          PID:2336
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -rebuildicon
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          PID:2892
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -reportAssoInfo -forceperusermode
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          PID:1608

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\Qt5NetworkKso.dll

              Filesize

              1.1MB

              MD5

              f250f6f6db34808e67bc3a603312f93d

              SHA1

              9de21d268b014fd8e042699372c48696b4e824f9

              SHA256

              d81d04cf294985d535a25d8d1797a3f65155b0b3cbc5095922cfe122354066bc

              SHA512

              ae354243032cb28fdbca69fdbffabb677e4a5f96e957b56377a1381605d8de1fccbaa8db183c375932aee9130fe8b0e5de9c581d4cf9cf3aee19b3e1f43d1839

            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kodfconverthelper_xa\mui\pt_BR\kodfconverthelper.qm

              Filesize

              334B

              MD5

              2b42be10ddde43a0b6c2e461beae293a

              SHA1

              53888c4798bc04fdfc5a266587b8dc1c4e0103f3

              SHA256

              984ebeef80f6f50907afb92e5b5ae72df49fce045552c118a77a8887cc98e19b

              SHA512

              be3ebd02d37de367200696351fb5f9cd0ec4c206c3a33f281cb8b62386457a30a899322798c63a0d495577393e47258994feb7f8e2445645f552c2b7a2de6778

            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\pt_PT\history.js

              Filesize

              198KB

              MD5

              b4b4c703bf5c6c0b5e9c57f05012d234

              SHA1

              929aee49e800e88b4b01f4a449fa86715d882e42

              SHA256

              910eada285d4900ea8e36faf305f731cfb200b317ea866839f5f4864a9dfc09b

              SHA512

              2afa881ee2f47e97249904b506cf88d68a34c166d9dc0a603f68369e640336f2c0b424ecb7b23d4631a96e175b965478bfa4ebc0224b0410551e55ac4c8ad0ec

            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\cfgs\setup.cfg

              Filesize

              434B

              MD5

              e6c8b146640faf4ce794d6acef69ae92

              SHA1

              7545235bc328a49b1304b8c6ee5663d43a53cf0f

              SHA256

              cc8027d21cf0750014fdcd5660349999c6a17db4d0449ba81ced2c04269ef6ba

              SHA512

              f13246c250235672fb76f1f41484e81865ede4de8f1a8d8476506b865d5a647a252f9a8fb7bd4c5561710f2f3a98291cbd22aee49c0025c77677774b32068853

            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\mui\ja_JP\resource\splash\hdpi\2x\ent_background_2019_wpsoffice.png

              Filesize

              236KB

              MD5

              c5ad1903526a9ca4c2f55cfea1e22778

              SHA1

              9c7b9ba9100a919cad272fb85ff95c4cde45de9f

              SHA256

              5e7ba996d2331f37b9799767c0fa806cab9a39fea434796ab08dcaf39096e334

              SHA512

              e482142e81fbe71666b40f7a2c53702b4278436a0240e0f56200443cf4235d9942cccc3545cc01486d53a0972be553cbf93442e8b05de7b4fcd1fe8a4ec16bb4

            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\qt\plugins\platforms\qdirect2d.dll

              Filesize

              1.4MB

              MD5

              bd5884a7c9cc473a229b953154a52c52

              SHA1

              28bfe5cc3a0e162a1b3a4bd19896c2ccfe2846da

              SHA256

              d3a8df4594ccdf7d7c27cb06b7a04bc929675cf184193d9ef8a50cddf07978bb

              SHA512

              5c47db9249d6568d37f82410a7009a8a92c2f5b1509d7545b4d3ebb21d9d9718a3eb392c4a1ecbf4a4e0e594e0c593df2ac0589288d846c0a7e485b85902a0df

            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpscenter.exe

              Filesize

              904KB

              MD5

              93319d7add53c7c8c364012d5b61f3c6

              SHA1

              b78f3c6e393b029a1596ad4c9671e2ec9c9a4f39

              SHA256

              9d053f657250bc0705d84644a3d05eb9d008f75a52d360b772140eea5e271c66

              SHA512

              f2b638483bc29c6a766041c434b79a574f34e1ddcd3cc2b5ac6bf4f970a74af919f531fd1868e0ac28dcc1eeb88646f9ee428d6f916a1beacf174e11e08f2361

            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\utility\install.ini

              Filesize

              499B

              MD5

              183330feb3b9701fec096dcbfd8e67e4

              SHA1

              2f43379fefa868319a2baae7998cc62dc2fc201d

              SHA256

              ac4f26a184114522200169c5f57a0af4498a20d19b7ec6def14dd2c6413eb475

              SHA512

              643cc197456f15da6ddd6eb904f2b25ad4236a24310d575958c0c8e457a33167e748d21184162502a295fa466c031a837511d4d5348fd67499ede1b60065c471

            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\utility\install.ini

              Filesize

              675B

              MD5

              7b8a651d886d78faece08f2904580dc1

              SHA1

              b264aa3a1a9ad33ef07e86f42b9b2d15548773fa

              SHA256

              5d04fe10796cbbe7aad864bf970305edf0b9082578322513b815fb667ca9b00d

              SHA512

              ec438b640f528323504dfde42c593e563421772eb06f3e761dd3f1024077a69e7aeac9560680c215ab3d7d6af5b79d8930a8dc6cdfcf404995cebc8560b67fc6

            • C:\Users\Admin\AppData\Local\Temp\CabD339.tmp

              Filesize

              70KB

              MD5

              49aebf8cbd62d92ac215b2923fb1b9f5

              SHA1

              1723be06719828dda65ad804298d0431f6aff976

              SHA256

              b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

              SHA512

              bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

            • C:\Users\Admin\AppData\Local\Temp\Kingsoft\WPS Office.lnk

              Filesize

              2KB

              MD5

              e10b1d3c17333f65ef45b8e19e0117d4

              SHA1

              b5679f85070b9df6be4df7f841579f1eb9c8453e

              SHA256

              f175eb858260f5ecb93a7c2f235f078ceab429ec5069306c842aa1dcf07e56b5

              SHA512

              82c3a3ef029a9193e010ac9ad161c3fdedcfe247bcc0a0f06972137fd2f202bd768c515f667f3d9ea549dd9dc9096e2ea4bef6f608adc7bffccc9b28dc5e5770

            • C:\Users\Admin\AppData\Local\Temp\TarD36B.tmp

              Filesize

              181KB

              MD5

              4ea6026cf93ec6338144661bf1202cd1

              SHA1

              a1dec9044f750ad887935a01430bf49322fbdcb7

              SHA256

              8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

              SHA512

              6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

            • C:\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\dbghelp.dll

              Filesize

              1.2MB

              MD5

              56d017aef6a7c74cd136f2390b8ea6d3

              SHA1

              46cc837c64abe4e757e66a24ece56e3f975e9ef6

              SHA256

              900da3e0ea1b4f94773689b41d3f00b28b0fad0f6390da3aec3a9f84a3f85920

              SHA512

              7b5573461693c6125df7ff9040afb6f4fa818a68add9073071a3317767216dd9a6cf25704f3189f3923ead36751fa830e9899eb79f9b6cad3be405262bf53f49

            • C:\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\kpacketui\mui\en_US\kpacketui.qm

              Filesize

              8KB

              MD5

              1a59aa4f478d8725dcf575f481946c69

              SHA1

              651aa42b7fbb7bcda13a903bfaef7c6b6046a24d

              SHA256

              52a390608b1d0dcfb2931d61a334f103aabdf3ea7651b52c96aca40fd1c1fc0b

              SHA512

              1afeeba858d0a46daa43fc52dcce711d510268f839d91152f8b7aae0c4e69652b8066ffdafde2bd4a430bf75446471bc730ce1e6d42ca04c990091f68dc1ea77

            • C:\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\qt\plugins\printsupport\windowsprintersupport.dll

              Filesize

              71KB

              MD5

              bf10e0c48251234d831ffcd8cca82344

              SHA1

              955d9cfa4e8dccff444a1f1ef505ccd41a75cd22

              SHA256

              1a96c89fd3eb51bfc46d36b3ab4f46f070c30e9aa5f2a16a5d3c2984ea71d617

              SHA512

              15d76a106a1630ac193a9429c7da666bf29816500fab0b029405bf414810d1a3def3f55cb3f09a3aefeeb9be299045958d1c219e4d60eb2b1f3d53911d6464b2

            • C:\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\pl_PL\style.xml

              Filesize

              3KB

              MD5

              034f37e6536c1430d55f64168b7e9f05

              SHA1

              dd08c0ef0d086dfbe59797990a74dab14fc850e2

              SHA256

              183a140011774d955e9de189e7a1d53cb4128d6abed61c7bfd5994268ee5f384

              SHA512

              0e1911c882152a4e1059a3ce1880d7fb2aed1e1e36cbd37055de2e2a1333acb2a0233ba2a4d969ccebbef1e77809aa5e78807aa9239545beae8c548c0f8f35c0

            • C:\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\product.dat

              Filesize

              121KB

              MD5

              2e743f3067fa75ff3bcad5baafafc8ea

              SHA1

              57ab56038ca28fcf2ce3e519a1e8f858c8bcaaff

              SHA256

              3927a21159fcd0049a376d60ed74449f3690d2ff95f432a3ba4b5738a478818f

              SHA512

              39fd24d86055788ad287e0b0a39625e6b10c85619e385cc521a7a6e4cdbe3a09becd19eecf8c491c9eff1fee3b6c70ff21e4a3f8142a01da8d8f7324840948f6

            • C:\Users\Admin\AppData\Local\tempinstall.ini

              Filesize

              387B

              MD5

              c38481658f9149eba0b9b8fcbcb16708

              SHA1

              f16a40af74c0a04a331f7833251e3958d033d4da

              SHA256

              d0d73f49bc21b62fe05c47024d69406a3227da0f6b4ffe237726e6a031f188d2

              SHA512

              8f98d62f88442b8ef94aa10074e35aa8d9494f3c76ce8b143ca0bf7fa0d917f3175212fbcd6e7b0597fd0ec0e1b2827f157135512fb01c88218d36e2f7dd73ce

            • C:\Users\Admin\AppData\Local\tempinstall.ini

              Filesize

              433B

              MD5

              a9519168ca6299588edf9bd39c10828a

              SHA1

              9f0635e39d50d15af39f5e2c52ad240a428b5636

              SHA256

              9e87b2ff306efedf7bf1074749b4602c332bc825aed80721eba19d5f544d2ec3

              SHA512

              0607eb1f5598320961fbd8ef75beeb1b6dc1af3cae7eeb5ba352f3e2a2edb25e1d9e68fb46c24e4299957352c0c906314c889c2d1092437eccc1d1a0485f3557

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3Y2Q0MJ9DL9TVFPKJADR.temp

              Filesize

              8KB

              MD5

              53bc32e255087d6d5252e0800930957a

              SHA1

              aa3958f4791e3fd61a16a77060e8d89e6fdbc90e

              SHA256

              f2c7f92710dc6492c360b48e2dc34dce47daab6992a236855fd9f7d4a01c9006

              SHA512

              477007f558d359d5aefebb80fba968793cf65f8651432802dff022e238fc4221f6a1146c927a7b991a9218967059f08b006599131a3f830195f10c1860a47dbd

            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\cfg\localconfig.data

              Filesize

              98KB

              MD5

              da920134e389419ded63add1e42380b5

              SHA1

              7d7758aa8d58812579abae5a14440213e224b40f

              SHA256

              07eb063ab0b88d2acc639d9af81c5b546f1e274f05828ed34fea7e284fca897d

              SHA512

              c07e8d452a5fc91ccc1164543b532ccd14ded5e61c47e36714d59dd4c9094ec00e5dd38dca70c65cd1e70e514f1779b4d45222f8530629e889cf6e0bca7d0504

            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\configs\configure2

              Filesize

              208B

              MD5

              616babe83a3c3d1c9aa5f15b788b3856

              SHA1

              d8556c51bf660f98ab4fbd37ad6c7e519ca43099

              SHA256

              8f8ad7559303db41e4a43a918d12164c15a764b74951219c5629e097bf9bca5d

              SHA512

              c661d8e9d881af0febb7b0fa2c791b04778572ee56608f519df6d3bb1b7939e046915eb6207351912230bd20ada8331b571b7a13a9545bb620b5fc58568f5d60

            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\ksomisc\ksomisc_2024_10_31.log

              Filesize

              5KB

              MD5

              b76f26e22c9d76970240520f6958c999

              SHA1

              863f729cd00c96e5cce3c9db7b8558b98ac60269

              SHA256

              30fdb2ca45e2ef3c91a4f3b11be2b18d2c184b264d016f3ab08ac9c869ddf260

              SHA512

              1dd4f9cf0b9814e2cc269f51e7fe2ee5c20e3f4880d16c76e422280c2d1260d8db181740fe78a76a3eee50ecc1050ae681f64e7d17ee702ea25718519ae5da60

            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

              Filesize

              12KB

              MD5

              27a5052026ed4f87cc17d522fea07168

              SHA1

              a34b2dbbc1158c27146c93c647b7e681abc102a4

              SHA256

              fc4b07a7cc30dd966ea18e0253e7aeacc9a466ce6780302d44b9bce00c576eab

              SHA512

              868d98ea3ea0be8cc620e02ba1913534582bd6ce5a11cb12fc5d03e7dda909da9dbb47e4c0ba6a9865539c3663c2611cea668bb2a76d195a66e5fc1cd68c05af

            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

              Filesize

              13KB

              MD5

              195f6882904dbcc63f8318f1c9f56b35

              SHA1

              302564040bde06aaeb48593677c6e35e33c902d3

              SHA256

              728e8db48feed4d9b5b913a9494f009820b5a6ed514844f8318f49bb4c980da2

              SHA512

              b8719b1dc85ef948f1ffbafb5db6f7b3128e1416a5390cae049e87c8c3a0d30f09bd21c224697a21f529a79460d0494bb3eb03dcad6d297baa3e7f0f9bf8b2ff

            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

              Filesize

              31KB

              MD5

              7a096cd99096baaf15106cca4a14352f

              SHA1

              fea7d6139b699e1228f9e8fe5f902fe72d037532

              SHA256

              ed98d7cc944766b7c1a08df2e07708cddb916c6ce1cb2b22a41ca53204143030

              SHA512

              e1bd016ec35e77c206b53cd87cc2198f512ed7376982d36e3daac01314a0e4cc6f8d50a9e6ccf2c139b7bb676e694ca9579065598152a3898fa9a32f62c0a1b1

            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

              Filesize

              59KB

              MD5

              dd14b82ad87c6793abf3876df5814eb5

              SHA1

              9cbc5b7f414e1699572f764330c3b7b2deb6d6b0

              SHA256

              98f61d7d87384dca2b92cc5972d2431c8a075f49594ff4eff580490b6ba043b4

              SHA512

              39e606dc1bbc669295b081fdbe634e3794a68951fa359e505d11ff0e53ee212bf9bf57182ea73fe78ba5cca413b4a1ce80abd3052ffb650a17fdd827425452e5

            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

              Filesize

              50KB

              MD5

              bde7f5d36e93c70d7be3463701de39e7

              SHA1

              cbaf07b3fb02d2e4334dd146d05c1b05ed8078bc

              SHA256

              b11a28c10011d026c785d400436c1849c97d20466c544d7b375a11edbb01dd31

              SHA512

              214f8b3f2f5a57c506f6f66d546f38df895976b825c19bb1303c4816426a9461d5a84cab299c0f12c6d55146e07e15ca8cfb23d50711c767892404834f737681

            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\update\wpsupdate_2024_10_31.log

              Filesize

              1KB

              MD5

              3bebec1b0c229badd1011498639eb038

              SHA1

              16febd26dff3686589dbf7881d95cd478bbe6c99

              SHA256

              db595c3f90958094a4e0aef9e3c6c48f5af56c8f3db58207c7943b5c59cb8f29

              SHA512

              259e4a869a2802943a4eded86e8d2317f0fc71be4e525eae725050e16fdaa52670a3f086b0ae4a49b6d5fb0918c3e2b64555b170263067fbff3b34f386475672

            • \Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

              Filesize

              3.1MB

              MD5

              7680119f3de2925404ae2615898ac605

              SHA1

              0b3f27db9fda31d2b525df17e139eff72b4a4c33

              SHA256

              fa3220a10fe02de228a7b3ab809a0d6ab80f49d523d4b1d1cd1ac9edd11dc727

              SHA512

              06714dc58b3ad702871a026c1855b93c7c887c31f6794eb579574321a7fc6779265bab37234abe7d1ae9d3b4ad4934915ba4fc091e1af646f5af2542de48b2cc

            • \Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\Qt5CoreKso.dll

              Filesize

              5.0MB

              MD5

              7fc37c5552ada776f404d3679b9b0c4c

              SHA1

              9fba9ce4f16c935c5b8fbef62102cc7693b05f7c

              SHA256

              6f681003b8e6c880891e082ee68ae18e3efa8da2ecf1707145f9ae3e3d4100cf

              SHA512

              d2007abf0cc8c01eda7db4614ea5a05114ebdc39b5afbb0f20c5ab75c1f9a799a52a6e86cf7dc4a5a38132bd88d7692fece16ffcd36a895aa1c81f135fee134e

            • \Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\Qt5GuiKso.dll

              Filesize

              5.3MB

              MD5

              be1f6ac2ccea42961c970aec7c496922

              SHA1

              913e98b3d882bafd5d3ad33f06dccb33297c8668

              SHA256

              30079d48f5baed9d2bf588bc87a114bbb6fb27ea5ef47c2b5f70f06b85eab463

              SHA512

              d650a0f95be6314f2bfecdea66e529bce6ed379ddadff658f57fe650d457f1e3dced583cd5ff4d5e15735b0880200b5f1b50388b709d2019ed139e3c985285d4

            • \Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\Qt5SvgKso.dll

              Filesize

              392KB

              MD5

              70cee47ff4ea3ebf85f954fd9e827592

              SHA1

              4de5401139f3ac3fc6e633a5dc98c3c8ccfc8cc0

              SHA256

              dcce40b45fde63f7333d2bcce1a763f1e482652912e38e18207313d39ea3a422

              SHA512

              7c1bfe80f9ee1959c9f727e7ce0bcf29b0e65f490f7024cdd46f1a10d5d15be70d452857050c18993f881e066c9b34d0b0fda716ee89be0a36ebb98f37c70a5d

            • \Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\Qt5WidgetsKso.dll

              Filesize

              4.5MB

              MD5

              a7d93abf2841afe86a08230fb2fc14db

              SHA1

              5b8874f7922f42dae7a9214370aef691e51d837a

              SHA256

              98fd11afcad50d9ecf17f02b00947c73a88a3a8929c33bc7ee04f5a0da9dba2b

              SHA512

              508c1725a3040353fa910743bb7d7f60b2f89171aa15bd0e0b7929db324a4256e9c7f001ac35d972ec77dcc642da8a36740c1cfbd7e4a4b421e0452024585af9

            • \Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\Qt5WinExtrasKso.dll

              Filesize

              217KB

              MD5

              0e15f2a1c22a7d0147ab6df139797a62

              SHA1

              0f8207e8a1c1ff692a70c1668b2bafd566ba1718

              SHA256

              6740b78526c22f1e8ea26c90d5a93436f8f2081f5f6da1c7f0e877937635977f

              SHA512

              981946ea220caf0c237ad2b751aa0fd11a71cb7e1502dd74a3ffac1a6ae72981d8f8910b182a8cadc7404ccbb223b2c71a9bcdf00c01efe25f7aa8e1361f5d26

            • \Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-core-file-l1-2-0.dll

              Filesize

              11KB

              MD5

              cd3cec3d65ae62fdf044f720245f29c0

              SHA1

              c4643779a0f0f377323503f2db8d2e4d74c738ca

              SHA256

              676a6da661e0c02e72bea510f5a48cae71fdc4da0b1b089c24bff87651ec0141

              SHA512

              aca1029497c5a9d26ee09810639278eb17b8fd11b15c9017c8b578fced29cef56f172750c4cc2b0d1ebf8683d29e15de52a6951fb23d78712e31ddcb41776b0f

            • \Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-core-file-l2-1-0.dll

              Filesize

              10KB

              MD5

              b181124928d8eb7b6caa0c2c759155cb

              SHA1

              1aadbbd43eff2df7bab51c6f3bda2eb2623b281a

              SHA256

              24ea638dfa9f40e2f395e26e36d308db2ab25ed1baa5c796ac2c560ad4c89d77

              SHA512

              2a43bf4d50d47924374cde689be24799c4e1c132c0bc981f5109952d3322e91dd5a9352b53bb55ca79a6ea92e2c387e87c064b9d8c8f519b77fff973d752dc8f

            • \Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-core-localization-l1-2-0.dll

              Filesize

              13KB

              MD5

              21519f4d5f1fea53532a0b152910ef8b

              SHA1

              7833ac2c20263c8be42f67151f9234eb8e4a5515

              SHA256

              5fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1

              SHA512

              97211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417

            • \Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-core-processthreads-l1-1-1.dll

              Filesize

              11KB

              MD5

              b5c8334a10b191031769d5de01df9459

              SHA1

              83a8fcc777c7e8c42fa4c59ee627baf6cbed1969

              SHA256

              6c27ac0542281649ec8638602fbc24f246424ba550564fc7b290b683f79e712d

              SHA512

              59e53c515dfa2cd96182ca6539ed0ea2ebb01f5991beb08166d1fc53576aeaafebbb2c5ee0ccbdab60ae45fc6a048fff0b5e1b8c9c26907791d31fb7e75b1f39

            • \Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-core-timezone-l1-1-0.dll

              Filesize

              11KB

              MD5

              86421619dad87870e5f3cc0beb1f7963

              SHA1

              2f0fe3eb94fa90577846d49c03c4fd08ef9d3fb2

              SHA256

              64eccd818f6ffc13f57a2ec5ca358b401ffbb1ca13b0c523d479ef5ee9eb44ab

              SHA512

              dbce9904dd5a403a5a69e528ee1179cc5faab1361715a29b1a0de0cd33ad3ae9c9d5620dafb161fda86cb27909d001be8955940fd051077ffe6f3ff82357ad31

            • \Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-crt-convert-l1-1-0.dll

              Filesize

              14KB

              MD5

              88f89d0f2bd5748ed1af75889e715e6a

              SHA1

              8ada489b9ff33530a3fb7161cc07b5b11dfb8909

              SHA256

              02c78781bf6cc5f22a0ecedc3847bfd20bed4065ac028c386d063dc2318c33cc

              SHA512

              1f5a00284ca1d6dc6ae2dfce306febfa6d7d71d421583e4ce6890389334c2d98291e98e992b58136f5d1a41590553e3ad42fb362247ae8adf60e33397afbb5df

            • \Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-crt-environment-l1-1-0.dll

              Filesize

              11KB

              MD5

              0979785e3ef8137cdd47c797adcb96e3

              SHA1

              4051c6eb37a4c0dba47b58301e63df76bff347dd

              SHA256

              d5164aecde4523ffa2dcfd0315b49428ac220013132ad48422a8ea4ca2361257

              SHA512

              e369bc53babd327f5d1b9833c0b8d6c7e121072ad81d4ba1fb3e2679f161fb6a9fa2fca0df0bac532fd439beb0d754583582d1dbfeccf2d38cc4f3bdca39b52d

            • \Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-crt-filesystem-l1-1-0.dll

              Filesize

              12KB

              MD5

              a1b6cebd3d7a8b25b9a9cbc18d03a00c

              SHA1

              5516de099c49e0e6d1224286c3dc9b4d7985e913

              SHA256

              162ccf78fa5a4a2ee380f72fbd54d17a73c929a76f6e3659f537fa8f42602362

              SHA512

              a322fb09e6faaff0daabb4f0284e4e90ccacff27161dbfd77d39a9a93dbf30069b9d86bf15a07fc2006a55af2c35cd8ea544895c93e2e1697c51f2dafad5a9d7

            • \Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-crt-heap-l1-1-0.dll

              Filesize

              11KB

              MD5

              a6a9dfb31be2510f6dbfedd476c6d15a

              SHA1

              cdb6d8bd1fbd1c71d85437cff55ddeb76139dbe7

              SHA256

              150d32b77b2d7f49c8d4f44b64a90d7a0f9df0874a80fc925daf298b038a8e4c

              SHA512

              b4f0e8fa148fac8a94e04bf4b44f2a26221d943cc399e7f48745ed46e8b58c52d9126110cdf868ebb723423fb0e304983d24fe6608d3757a43ad741bddb3b7ec

            • \Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-crt-locale-l1-1-0.dll

              Filesize

              11KB

              MD5

              50b721a0c945abe3edca6bcee2a70c6c

              SHA1

              f35b3157818d4a5af3486b5e2e70bb510ac05eff

              SHA256

              db495c7c4ad2072d09b2d4506b3a50f04487ad8b27d656685ea3fa5d9653a21d

              SHA512

              ef2f6d28d01a5bad7c494851077d52f22a11514548c287e513f4820c23f90020a0032e2da16cc170ae80897ae45fc82bffc9d18afb2ae1a7b1da6eef56240840

            • \Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-crt-math-l1-1-0.dll

              Filesize

              21KB

              MD5

              461d5af3277efb5f000b9df826581b80

              SHA1

              935b00c88c2065f98746e2b4353d4369216f1812

              SHA256

              f9ce464b89dd8ea1d5e0b852369fe3a8322b4b9860e5ae401c9a3b797aed17bf

              SHA512

              229bf31a1de1e84cf238a0dfe0c3a13fee86da94d611fbc8fdb65086dee6a8b1a6ba37c44c5826c3d8cfa120d0fba9e690d31c5b4e73f98c8362b98be1ee9600

            • \Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-crt-runtime-l1-1-0.dll

              Filesize

              15KB

              MD5

              4f06da894ea013a5e18b8b84a9836d5a

              SHA1

              40cf36e07b738aa8bba58bc5587643326ff412a9

              SHA256

              876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732

              SHA512

              1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

            • \Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-crt-stdio-l1-1-0.dll

              Filesize

              16KB

              MD5

              5765103e1f5412c43295bd752ccaea03

              SHA1

              6913bf1624599e55680a0292e22c89cab559db81

              SHA256

              8f7ace43040fa86e972cc74649d3e643d21e4cad6cb86ba78d4c059ed35d95e4

              SHA512

              5844ac30bc73b7ffba75016abefb8a339e2f2822fc6e1441f33f70b6eb7114f828167dfc34527b0fb5460768c4de7250c655bc56efd8ba03115cd2dd6f6c91c0

            • \Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-crt-string-l1-1-0.dll

              Filesize

              17KB

              MD5

              f364190706414020c02cf4d531e0229d

              SHA1

              5899230b0d7ad96121c3be0df99235ddd8a47dc6

              SHA256

              a797c0d43a52e7c8205397225ac931638d73b567683f38dd803195da9d34eac2

              SHA512

              a9c8abbd846ab55942f440e905d1f3864b82257b8daa44c784b1997a060de0c0439ecc25a2193032d4d85191535e9253e435deed23bdf3d3cb48c4209005a02e

            • \Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-crt-time-l1-1-0.dll

              Filesize

              13KB

              MD5

              d0b6a2caec62f5477e4e36b991563041

              SHA1

              8396e1e02dace6ae4dde33b3e432a3581bc38f5d

              SHA256

              fd44d833ea40d50981b3151535618eb57b5513ed824a9963251d07abff2baedf

              SHA512

              69bd6df96de99e6ab9c12d8a1024d20a034a7db3e2b62e8be7fdbc838c4e9001d2497b04209e07a5365d00366c794c31ee89b133304e475dde5f92fdb7fcb0bc

            • \Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-crt-utility-l1-1-0.dll

              Filesize

              11KB

              MD5

              3dfb82541979a23a9deb5fd4dcfb6b22

              SHA1

              5da1d02b764917b38fdc34f4b41fb9a599105dd9

              SHA256

              0cd6d0ff0ff5ecf973f545e98b68ac6038db5494a8990c3b77b8a95b664b6feb

              SHA512

              f9a20b3d44d39d941fa131c3a1db37614a2f9b2af7260981a0f72c69f82a5326901f70a56b5f7ad65862630fce59b02f650a132ee7ecfe2e4fc80f694483ca82

            • \Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\kpacketui.dll

              Filesize

              2.9MB

              MD5

              fb20ae8ae8b82e53f8f234c1d0c186b7

              SHA1

              c03b74f6544715b0f25d23ece700eb663b2f86fc

              SHA256

              057dcefa9e5a21402308bf438eb081491699a468326e3c7890ca6c033e510503

              SHA512

              09a519e5be8fc15ce5c31e7341d254cb1164e42851c45a8c5ca17552aa78a242d9c52009e75953762858baa8999e5aeeda3388efbcd4d778bc67e2a268ae1429

            • \Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\msvcp140.dll

              Filesize

              427KB

              MD5

              db1e9807b717b91ac6df6262141bd99f

              SHA1

              f55b0a6b2142c210bbfeebf1bac78134acc383b2

              SHA256

              5a6dfa5e1ffb6c1e7fc76bd121c6c91305e10dd75fc2124f79fee291a9dd9e86

              SHA512

              f0621977d20989d21ae14b66c1a7a6c752bfd6d7ccc2c4c4ec1c70ba6756e642fb7f9b1c6a94afadd0f8a05d3c377792e4aa4c1a771d833c40a6f46b90cbe7c3

            • \Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll

              Filesize

              61KB

              MD5

              9d355f89a89d7837a03716b1d45dc5cc

              SHA1

              6affa5368018a5ad1ab4a68c512ed8db527dd3b4

              SHA256

              167c8e0ac2c160c1eaf140e985efa3a8f809e49049e03ba3b50809d6139ca492

              SHA512

              76009be1aca4aaf21ef0978d4cc3694a9ad50f1d4fabdcfb5313391aae3a5fc4ad4994f58ec77e54a879dd64c773417186f3f038f8cb7905a3607495c067a678

            • \Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\qt\plugins\imageformats\qsvg.dll

              Filesize

              41KB

              MD5

              10adbd3c3de885e0383a97626a71af34

              SHA1

              392329c20383249c3632dba0e42fc017a62bc081

              SHA256

              c95bd95f1505e53eef32cf4581d20bc3c48621b1ccf876ee4bf7297f6581e58a

              SHA512

              e10cca89f19021a7d3b91090d3878b89b550e6587f9c255f67cfe19b171f438a23473cfaf20b4026c060b420fb7d812dcf4783864a124ce55c9b8d9676ad926b

            • \Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\qt\plugins\platforms\qwindows.dll

              Filesize

              1.3MB

              MD5

              bc21f4d77a75822b27c3d1a598e8e29e

              SHA1

              4ca0afce4ee376041058e3791c10c2309ca7eddc

              SHA256

              69af5d323506398ce6b7c1d7a776e7bc19aff52c3745865d4e8041f23deea668

              SHA512

              0de597f55ff5ec22b4783e3d607c4d5b3a9f8cb1ebaa2fbb24da37da31d5d99404e92b34af13487bcf802729960ff3dbbf26e409a2c27b8d31324e43ac51317a

            • \Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll

              Filesize

              145KB

              MD5

              a8492f295b92be062e26542af4d516b7

              SHA1

              2fef9e287ab6eaad60c5711f5e294cf83844399d

              SHA256

              4c50353d5b4595c8702a069e4ffd9325c9c24999e95e4e68f09fe71fff0f6597

              SHA512

              5667d0c94e9725a5254b32fa5235795127e78da6879e24c7024783a84259579213c1d2629230eaf43eda5adeb760982675167218508db24613dbd28776e4bf9a

            • \Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\ucrtbase.dll

              Filesize

              1.1MB

              MD5

              2040cdcd779bbebad36d36035c675d99

              SHA1

              918bc19f55e656f6d6b1e4713604483eb997ea15

              SHA256

              2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

              SHA512

              83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

            • \Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\vcruntime140.dll

              Filesize

              75KB

              MD5

              8fdb26199d64ae926509f5606460f573

              SHA1

              7d7d8849e7c77af3042a6f54bdf2bb303d7cd678

              SHA256

              f1fd5f6ec1cfe0cc3b66b5322ac97568bc63b19c1e415b99aad7c69ddbafa33c

              SHA512

              f56bf11d4259dbf5d4d1f9fc2ad60ff609cddb21278999e9fa55fe5d74552e8a01ddc55cfdc9bf4b09b3e3130a1356142a24a7db8ec5ea19344de617dc9fa99f

            • memory/688-4432-0x000000006C4F0000-0x000000006C500000-memory.dmp

              Filesize

              64KB

            • memory/688-4437-0x000000006C4F0000-0x000000006C500000-memory.dmp

              Filesize

              64KB

            • memory/688-4439-0x000000006C4F0000-0x000000006C500000-memory.dmp

              Filesize

              64KB

            • memory/688-4438-0x000000006C4F0000-0x000000006C500000-memory.dmp

              Filesize

              64KB

            • memory/688-4436-0x000000006C4F0000-0x000000006C500000-memory.dmp

              Filesize

              64KB

            • memory/688-4435-0x000000006C4F0000-0x000000006C500000-memory.dmp

              Filesize

              64KB

            • memory/688-4430-0x000000006C500000-0x000000006C510000-memory.dmp

              Filesize

              64KB

            • memory/688-4431-0x0000000000260000-0x0000000000277000-memory.dmp

              Filesize

              92KB

            • memory/688-4434-0x000000006C4F0000-0x000000006C500000-memory.dmp

              Filesize

              64KB

            • memory/688-4433-0x000000006C4F0000-0x000000006C500000-memory.dmp

              Filesize

              64KB

            • memory/1392-4461-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/1392-4458-0x000000006C4F0000-0x000000006C500000-memory.dmp

              Filesize

              64KB

            • memory/1392-4465-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/1392-4462-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/1392-4464-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/1392-4463-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/1392-4460-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/1392-4459-0x00000000005A0000-0x00000000005B7000-memory.dmp

              Filesize

              92KB

            • memory/2388-4329-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/2388-4319-0x000000006F720000-0x0000000070E4D000-memory.dmp

              Filesize

              23.2MB

            • memory/2388-4322-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/2388-4320-0x000000006C4F0000-0x000000006C500000-memory.dmp

              Filesize

              64KB

            • memory/2388-4323-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/2388-4321-0x00000000004E0000-0x00000000004F7000-memory.dmp

              Filesize

              92KB

            • memory/2388-4328-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/2388-4327-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/2388-4326-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/2388-4325-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/2388-4324-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/2796-4346-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/2796-4349-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/2796-4341-0x0000000000510000-0x0000000000527000-memory.dmp

              Filesize

              92KB

            • memory/2796-4342-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/2796-4343-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/2796-4344-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/2796-4345-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/2796-4348-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/2796-4347-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/2920-205-0x0000000000490000-0x0000000000492000-memory.dmp

              Filesize

              8KB

            • memory/3004-4406-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/3004-4405-0x00000000004F0000-0x0000000000507000-memory.dmp

              Filesize

              92KB

            • memory/3004-4407-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/3004-4408-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/3004-4409-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/3004-4410-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/3004-4411-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/3004-4412-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/3004-4413-0x000000006C4E0000-0x000000006C4F0000-memory.dmp

              Filesize

              64KB

            • memory/3012-4296-0x000000006C4F0000-0x000000006C500000-memory.dmp

              Filesize

              64KB

            • memory/3012-4297-0x000000006C4F0000-0x000000006C500000-memory.dmp

              Filesize

              64KB

            • memory/3012-4298-0x000000006C4F0000-0x000000006C500000-memory.dmp

              Filesize

              64KB

            • memory/3012-4299-0x000000006C4F0000-0x000000006C500000-memory.dmp

              Filesize

              64KB

            • memory/3012-4300-0x000000006C4F0000-0x000000006C500000-memory.dmp

              Filesize

              64KB

            • memory/3012-4301-0x000000006C4F0000-0x000000006C500000-memory.dmp

              Filesize

              64KB

            • memory/3012-4302-0x000000006C4F0000-0x000000006C500000-memory.dmp

              Filesize

              64KB

            • memory/3012-4303-0x000000006C4F0000-0x000000006C500000-memory.dmp

              Filesize

              64KB

            • memory/3012-4293-0x000000006F750000-0x0000000070E7D000-memory.dmp

              Filesize

              23.2MB

            • memory/3012-4294-0x000000006C500000-0x000000006C510000-memory.dmp

              Filesize

              64KB

            • memory/3012-4295-0x0000000000430000-0x0000000000447000-memory.dmp

              Filesize

              92KB