Analysis Overview
SHA256: 36b263ca84d8e15aa27c73f74bb99ffbc06fdefabc467c8a00d4eb195adbd6af
Threat Level: Shows suspicious behavior
The file 2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil was found to be: Shows suspicious behavior.
Malicious Activity Summary
Writes to the Master Boot Record (MBR)
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Drops file in Program Files directory
Modifies system executable filetype association
Checks installed software on the system
Drops file in Windows directory
Loads dropped DLL
Executes dropped EXE
System Location Discovery: System Language Discovery
Checks whether UAC is enabled
Enumerates physical storage devices
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-10-31 14:48
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-10-31 14:48
Reported: 2024-10-31 14:51
Platform: win7-20240903-en
Max time kernel: 118s
Max time network: 120s
Command Line
Signatures
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext\ = "{28A80003-18FD-411D-B0A3-3C81F618E22B}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\lnkfile\ShellEx | C:\Windows\system32\regsvr32.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4} | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{E436987E-F427-4AD7-8738-6D0895A3E93F}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4} | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{AB5357A7-3179-47F9-A705-966B8B936D5E}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19 | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20 | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{7759D313-9C91-46E3-BF38-3B6E68E0B1C9}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\CLSID\{44720444-94BF-4940-926D-4F38FECF2A48}\Verb\ | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{0002445A-0000-0000-C000-000000000046}\ = "AutoRecover" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\SystemFileAssociations\.xls | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{2503B6EE-0889-44DF-B920-6D6F9659DEA3}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{0002097C-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{00020915-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{5E9A888C-E5DC-4DCB-8308-3C91FB61E6F4}\TypeLib | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{00020953-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{00020954-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{E598E358-2852-42D4-8775-160BD91B7244}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{92D41A65-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "3.0" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{0002092D-0000-0000-C000-000000000046}\TypeLib | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{000C0399-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{00024471-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{00024413-0000-0000-C000-000000000046}\ = "AppEvents" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{00024496-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Word.RTF.8\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.2.0.18607\\office6\\wpsofficeicon.dll,11" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{55F88890-7708-11D1-ACEB-006008961DA5}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{914934E8-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{44720440-94BF-4940-926D-4F38FECF2A48}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{00020852-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{0002086D-0000-0000-C000-000000000046}\TypeLib | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{000C0391-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{914934E5-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{92D41A61-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "DataLabel" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{000208BA-0000-0000-C000-000000000046} | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{0002446F-0000-0000-C000-000000000046}\ = "Diagram" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{000C032E-0000-0000-C000-000000000046} | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{000C0332-0000-0000-C000-000000000046}\TypeLib | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{000C03D6-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{B9F1A4E2-0D0A-43B7-8495-139E7ACBD840}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{B65AD801-ABAF-11D0-BB8B-00A0C90F2744}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{000209C5-0000-0000-C000-000000000046}\TypeLib | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{91493498-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "3.0" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{EEE00915-E393-11D1-BB03-00C04FB6C4A6}\TypeLib\Version = "5.3" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{00024491-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{000C0356-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{00020981-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{91493482-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "3.0" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{000244C7-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\TypeLib\{A537E638-AB2A-4308-A502-2EFF280C6E98}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{00020918-0000-0000-C000-000000000046}\TypeLib | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{000244C6-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{00024464-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{0002441D-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{000244DB-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{00020858-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{0002445A-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{92D41A56-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\KET.Template\CurVer\ = "KET.Template.9" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{000244D3-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{000244AB-0000-0000-C000-000000000046} | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{000C0371-0000-0000-C000-000000000046}\TypeLib\Version = "3.0" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{000244E8-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{4265ED97-A922-4CA4-8CD8-99684CCA9CDB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{91493475-5A91-11CF-8700-00AA0060263B}\ = "Shapes" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{91493494-5A91-11CF-8700-00AA0060263B}\TypeLib | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{914934F0-5A91-11CF-8700-00AA0060263B}\ = "FilterEffect" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{000208C3-0000-0000-C000-000000000046}\TypeLib | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\ET.AddInMacroEnabled | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{000C035A-0000-0000-C000-000000000046}\TypeLib | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{F743EDD0-9B97-4B09-89CC-77BE19B51481}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{00020875-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{0002446C-0000-0000-C000-000000000046}\TypeLib\ = "{45541000-5750-5300-4B49-4E47534F4655}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices | C:\Users\Admin\AppData\Local\Temp\2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs | C:\Users\Admin\AppData\Local\Temp\2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs | C:\Users\Admin\AppData\Local\Temp\2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates | C:\Users\Admin\AppData\Local\Temp\2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedDevices | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe"
C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe
C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -curlangofinstalledproduct=en_US -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps -enableSetupMuiPkg -appdata="C:\Users\Admin\AppData\Roaming"
C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe
"C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe" -downpower -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -curlangofinstalledproduct="en_US" -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -enableSetupMuiPkg="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -appdata="C:\Users\Admin\AppData\Roaming" -msgwndname=wpssetup_message_F773A62 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~f7737d2\
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setlng en_US
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -getonlineparam 00500.00002079 -forceperusermode
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -getabtest -forceperusermode
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setservers
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -register
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"
C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regmtfont
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -setappcap
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -assoword
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -assoexcel
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -assopowerpnt
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -compatiblemso -source=1
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -checkcompatiblemso
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -saveas_mso
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -distsrc 00500.00002079
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -sendinstalldyn 5
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -externaltask create -forceperusermode
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" CheckService
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.18607/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=2768 /prv
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink startmenu prometheus
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink startmenu pdf
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink desktop pdf
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink desktop prometheus
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createCustomDestList
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kwpsmenushellext64.dll"
C:\Windows\system32\regsvr32.exe
/s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kwpsmenushellext64.dll"
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setup_assopdf -source=1
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -assoepub -source=1
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -registerqingshellext 1
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe" /from:setup
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe" -createtask
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\html2pdf\html2pdf.dll"
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regmso2pdfplugins
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"
C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regPreviewHandler
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -assopic_setup
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createexternstartmenu "WPS Office"
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -rebuildicon
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -reportAssoInfo -forceperusermode
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -defragment
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| US | 104.16.83.69:443 | wdl1.pcfg.cache.wpscdn.com | tcp |
| US | 104.16.83.69:443 | wdl1.pcfg.cache.wpscdn.com | tcp |
| US | 8.8.8.8:53 | api.wps.com | udp |
| FR | 90.84.175.86:443 | api.wps.com | tcp |
| FR | 90.84.175.86:443 | api.wps.com | tcp |
| FR | 90.84.175.86:443 | api.wps.com | tcp |
| US | 8.8.8.8:53 | params.wps.com | udp |
| FR | 90.84.175.86:443 | params.wps.com | tcp |
| US | 104.16.83.69:443 | wdl1.pcfg.cache.wpscdn.com | tcp |
| FR | 90.84.175.86:443 | params.wps.com | tcp |
| FR | 90.84.175.86:443 | params.wps.com | tcp |
| FR | 90.84.175.86:443 | params.wps.com | tcp |
| FR | 90.84.175.86:443 | params.wps.com | tcp |
| FR | 90.84.175.86:443 | params.wps.com | tcp |
| FR | 90.84.175.86:443 | params.wps.com | tcp |
| FR | 90.84.175.86:443 | params.wps.com | tcp |
| FR | 90.84.175.86:443 | params.wps.com | tcp |
| FR | 90.84.175.86:443 | params.wps.com | tcp |
| FR | 90.84.175.86:443 | params.wps.com | tcp |
| FR | 90.84.175.86:443 | params.wps.com | tcp |
| US | 8.8.8.8:53 | abtest-api.wps.com | udp |
| FR | 90.84.175.86:443 | abtest-api.wps.com | tcp |
| FR | 90.84.175.86:443 | abtest-api.wps.com | tcp |
| US | 8.8.8.8:53 | dyn.kingsoftstore.com | udp |
| US | 54.201.20.89:443 | dyn.kingsoftstore.com | tcp |
| FR | 90.84.175.86:443 | abtest-api.wps.com | tcp |
| FR | 90.84.175.86:443 | abtest-api.wps.com | tcp |
| FR | 90.84.175.86:443 | abtest-api.wps.com | tcp |
| FR | 90.84.175.86:443 | abtest-api.wps.com | tcp |
| FR | 90.84.175.86:443 | abtest-api.wps.com | tcp |
| FR | 90.84.175.86:443 | abtest-api.wps.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.157:80 | crl.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\pl_PL\style.xml
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
memory/2920-205-0x0000000000490000-0x0000000000492000-memory.dmp
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
C:\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\product.dat
C:\Users\Admin\AppData\Local\tempinstall.ini
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
C:\Users\Admin\AppData\Local\tempinstall.ini
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\ucrtbase.dll
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-core-file-l2-1-0.dll
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-core-timezone-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-core-file-l1-2-0.dll
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-core-processthreads-l1-1-1.dll
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-core-localization-l1-2-0.dll
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\kpacketui.dll
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\Qt5WinExtrasKso.dll
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\Qt5GuiKso.dll
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\Qt5CoreKso.dll
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-crt-utility-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-crt-math-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-crt-environment-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\Qt5SvgKso.dll
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-crt-time-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-crt-filesystem-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-crt-locale-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-crt-convert-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-crt-stdio-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-crt-string-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-crt-heap-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\api-ms-win-crt-runtime-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\vcruntime140.dll
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\msvcp140.dll
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\Qt5WidgetsKso.dll
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\qt\plugins\platforms\qwindows.dll
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\qt\plugins\imageformats\qsvg.dll
\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\mui\ja_JP\resource\splash\hdpi\2x\ent_background_2019_wpsoffice.png
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\pt_PT\history.js
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kodfconverthelper_xa\mui\pt_BR\kodfconverthelper.qm
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\qt\plugins\platforms\qdirect2d.dll
\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\cfgs\setup.cfg
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\Qt5NetworkKso.dll
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\utility\install.ini
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpscenter.exe
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\ksomisc\ksomisc_2024_10_31.log
C:\Users\Admin\AppData\Roaming\kingsoft\office6\cfg\localconfig.data
C:\Users\Admin\AppData\Roaming\kingsoft\office6\configs\configure2
C:\Users\Admin\AppData\Local\Temp\Kingsoft\WPS Office.lnk
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3Y2Q0MJ9DL9TVFPKJADR.temp
C:\Users\Admin\AppData\Local\Temp\CabD339.tmp
C:\Users\Admin\AppData\Local\Temp\TarD36B.tmp
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\update\wpsupdate_2024_10_31.log
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\utility\install.ini
C:\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\dbghelp.dll
C:\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\kpacketui\mui\en_US\kpacketui.qm
C:\Users\Admin\AppData\Local\Temp\wps\~f7737d2\CONTROL\office6\qt\plugins\printsupport\windowsprintersupport.dll
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-10-31 14:48 |
| Reported | 2024-10-31 14:51 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 150s |
| Max time network | 154s |
Command Line
Signatures
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ kwpsshellext\ = "{28A80003-18FD-411D-B0A3-3C81F618E22B}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext | C:\Windows\system32\regsvr32.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4} | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{E436987E-F427-4AD7-8738-6D0895A3E93F}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4} | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{AB5357A7-3179-47F9-A705-966B8B936D5E}" | C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe | N/A |
Modifies registry class
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-31_8827b26b1deb9ef9ede4fd262e8d7739_avoslocker_hijackloader_magniber_revil.exe"
C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe
C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -curlangofinstalledproduct=en_US -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps -enableSetupMuiPkg -appdata="C:\Users\Admin\AppData\Roaming"
C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe
"C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2079.exe" -downpower -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -curlangofinstalledproduct="en_US" -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -enableSetupMuiPkg="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -appdata="C:\Users\Admin\AppData\Roaming" -msgwndname=wpssetup_message_E581A2A -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setlng en_US
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -getonlineparam 00500.00002079 -forceperusermode
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -getabtest -forceperusermode
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setservers
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -register
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"
C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regmtfont
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -setappcap
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -assoword
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -assoexcel
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -assopowerpnt
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -compatiblemso -source=1
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -checkcompatiblemso
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -saveas_mso
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -distsrc 00500.00002079
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -sendinstalldyn 5
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -externaltask create -forceperusermode
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" CheckService
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.18607/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=5112 /prv
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink startmenu prometheus
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink startmenu pdf
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink desktop pdf
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink desktop prometheus
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createCustomDestList
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kwpsmenushellext64.dll"
C:\Windows\system32\regsvr32.exe
/s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kwpsmenushellext64.dll"
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setup_assopdf -source=1
C:\Windows\SysWOW64\openwith.exe
"C:\Windows\SysWOW64\openwith.exe"
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -assoepub -source=1
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -registerqingshellext 1
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe" /from:setup
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe" -createtask
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\html2pdf\html2pdf.dll"
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regmso2pdfplugins
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"
C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regPreviewHandler
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -assopic_setup
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createexternstartmenu "WPS Office"
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -rebuildicon
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -reportAssoInfo -forceperusermode
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -defragment
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| US | 8.8.8.8:53 | api.wps.com | udp |
| FR | 90.84.175.86:443 | api.wps.com | tcp |
| US | 104.16.84.69:443 | wdl1.pcfg.cache.wpscdn.com | tcp |
| US | 104.16.84.69:443 | wdl1.pcfg.cache.wpscdn.com | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.175.84.90.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.84.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | params.wps.com | udp |
| FR | 90.84.175.86:443 | params.wps.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 104.16.84.69:443 | wdl1.pcfg.cache.wpscdn.com | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| FR | 90.84.175.86:443 | params.wps.com | tcp |
| US | 8.8.8.8:53 | abtest-api.wps.com | udp |
| FR | 90.84.175.86:443 | abtest-api.wps.com | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | movip.wps.com | udp |
| FR | 90.84.175.86:443 | movip.wps.com | tcp |
| FR | 90.84.175.86:443 | movip.wps.com | tcp |
| FR | 90.84.175.86:443 | movip.wps.com | tcp |
| US | 8.8.8.8:53 | dyn.kingsoftstore.com | udp |
| US | 54.201.20.89:443 | dyn.kingsoftstore.com | tcp |
| US | 8.8.8.8:53 | 89.20.201.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | movip.wps.com | udp |
| FR | 90.84.175.86:443 | movip.wps.com | tcp |
| FR | 90.84.175.86:443 | movip.wps.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\pl_PL\style.xml
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\product.dat
C:\Users\Admin\AppData\Local\tempinstall.ini
C:\Users\Admin\AppData\Local\tempinstall.ini
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\kpacketui.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\Qt5WidgetsKso.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\Qt5SvgKso.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\vcruntime140.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\msvcp140.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\Qt5GuiKso.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\Qt5CoreKso.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\Qt5WinExtrasKso.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\ucrtbase.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\qt\plugins\platforms\qwindows.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\qt\plugins\imageformats\qsvg.dll
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\mui\ja_JP\resource\splash\hdpi\2x\ent_background_2019_wpsoffice.png
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\pt_PT\history.js
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kodfconverthelper_xa\mui\pt_BR\kodfconverthelper.qm
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\dbghelp.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\qt\plugins\printsupport\windowsprintersupport.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\qt\plugins\platforms\qdirect2d.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\cfgs\setup.cfg
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\utility\install.ini
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\Qt5NetworkKso.dll
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\Qt5XmlKso.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\krt.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kbase.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kdownload.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\libcrypto-kso-1_1.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\libssl-kso-1_1.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kprometheus.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksouil.dll
C:\Users\Admin\AppData\Roaming\kingsoft\office6\cfg\onlineconfig.data
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kso.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\libcurl.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kshell.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksolite.dll
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpscloudsvr.exe
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\ksomisc\ksomisc_2024_10_31.log
C:\Users\Admin\AppData\Roaming\kingsoft\office6\configs\configure2
C:\Users\Admin\AppData\Local\Temp\Kingsoft\WPS Office.lnk
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4B6FAD4JNBSWVJBYOD3P.temp
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\kconfigcenter\kccsdkdb\kccsdkpriortydb\mdbx.dat
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\update\wpsupdate_2024_10_31.log
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\utility\install.ini
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-crt-utility-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-crt-time-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\kpacketui\mui\en_US\kpacketui.qm
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\gdiplus.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\extensibility.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\concrt140.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-crt-string-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-crt-stdio-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-crt-runtime-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-crt-process-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-crt-private-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-crt-multibyte-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-crt-math-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-crt-locale-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-crt-heap-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-crt-filesystem-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-crt-environment-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-crt-convert-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-crt-conio-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\API-MS-Win-core-xstate-l2-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-util-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-timezone-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-sysinfo-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-synch-l1-2-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-synch-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-string-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-rtlsupport-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-profile-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-processthreads-l1-1-1.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-processthreads-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-processenvironment-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-namedpipe-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-memory-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-localization-l1-2-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-libraryloader-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-interlocked-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-heap-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-handle-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-file-l2-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-file-l1-2-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-file-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-errorhandling-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-debug-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-datetime-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-console-l1-2-0.dll
C:\Users\Admin\AppData\Local\Temp\wps\~e5816a0\CONTROL\office6\api-ms-win-core-console-l1-1-0.dll