Analysis

  • max time kernel
    128s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
  • submitted
    01-11-2024 16:23

General

  • Target

    d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe

  • Size

    5.5MB

  • MD5

    8d76bb0011099f752d1df93ad3f697f2

  • SHA1

    467d3da8b2fa7ff0d2958d30c3345c109647e09d

  • SHA256

    d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772

  • SHA512

    1526f49a0b14ed46c0fc68781e71009121e6f9807a3c262d6fa50c69fb37f59a711c9ae383ed8f30ed14b60456aafc80bfac10fccf90ef6fc27d4191693ddc8d

  • SSDEEP

    98304:irI1lEAOYB6RJ2dqW8LZJc+ZQSAA4zJOi6f4s9w0dGzB/vr:RXGULEFrcPJzAxf4+FGVD

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Checks computer location settings 2 TTPs 8 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Executes dropped EXE 42 IoCs
  • Loads dropped DLL 64 IoCs
  • Modifies system executable filetype association 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 35 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe
    "C:\Users\Admin\AppData\Local\Temp\d19fe85036be98b74fff67bb43864b51c0e774085daac2fa09a3182acf08e772.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Checks computer location settings
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2136
    • C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
      C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -curlangofinstalledproduct=en_US -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps -enableSetupMuiPkg -appdata="C:\Users\Admin\AppData\Roaming"
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Modifies system certificate store
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2676
      • C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
        "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService
        3⤵
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2688
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regmtfont
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1100
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -setappcap
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2192
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -assoepub -source=1
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1348
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -registerqingshellext 1
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:776
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\html2pdf\html2pdf.dll"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3068
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regmso2pdfplugins
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2596
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3032
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2652
          • C:\Windows\system32\regsvr32.exe
            /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"
            5⤵
              PID:1088
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -regPreviewHandler
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:928
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -assopic_setup
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:844
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\\office6\ksomisc.exe" -defragment
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          PID:1276
    • C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe
      "C:\Users\Admin\AppData\Local\Temp\wps_download\060656cfd1a6402a9035e6288b01ca4d-15_setup_XA_mui_Free.exe.500.2083.exe" -downpower -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -curlangofinstalledproduct="en_US" -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -enableSetupMuiPkg="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -appdata="C:\Users\Admin\AppData\Roaming" -msgwndname=wpssetup_message_F779D97 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~f779aaa\
      1⤵
      • Writes to the Master Boot Record (MBR)
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:920
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setlng en_US
        2⤵
        • Writes to the Master Boot Record (MBR)
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2300
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -getonlineparam 00500.00002083 -forceperusermode
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:992
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -getabtest -forceperusermode
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:332
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setservers
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2476
      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -register
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1348
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins.dll"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:568
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2264
          • C:\Windows\system32\regsvr32.exe
            /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kmso2pdfplugins64.dll"
            4⤵
              PID:688
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -assoword
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2516
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -assoexcel
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1992
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -assopowerpnt
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1668
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -compatiblemso -source=1
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2644
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -checkcompatiblemso
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2444
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -saveas_mso
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3060
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -distsrc 00500.00002083
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1716
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -sendinstalldyn 5
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies system certificate store
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2160
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2596
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -externaltask create -forceperusermode
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2000
          • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe
            "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2868
            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe
              "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" CheckService
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:1664
            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe
              "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.18607/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=2868 /prv
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2176
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink startmenu prometheus
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2872
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink startmenu pdf
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:952
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink desktop pdf
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2400
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createsubmodulelink desktop prometheus
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:584
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createCustomDestList
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:944
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kwpsmenushellext64.dll"
          2⤵
          • System Location Discovery: System Language Discovery
          PID:2472
          • C:\Windows\system32\regsvr32.exe
            /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\kwpsmenushellext64.dll"
            3⤵
            • Modifies system executable filetype association
            PID:676
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -setup_assopdf -source=1
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1504
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe" /from:setup
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies system certificate store
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2208
          • C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
            "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2768
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpsupdate.exe" -createtask
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1708
          • C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
            "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2936
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -createexternstartmenu "WPS Office"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          PID:756
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -rebuildicon
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          PID:2776
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe" -reportAssoInfo -forceperusermode
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          PID:2580

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\kodfconverthelper_xa\mui\pt_BR\kodfconverthelper.qm

        Filesize

        334B

        MD5

        2b42be10ddde43a0b6c2e461beae293a

        SHA1

        53888c4798bc04fdfc5a266587b8dc1c4e0103f3

        SHA256

        984ebeef80f6f50907afb92e5b5ae72df49fce045552c118a77a8887cc98e19b

        SHA512

        be3ebd02d37de367200696351fb5f9cd0ec4c206c3a33f281cb8b62386457a30a899322798c63a0d495577393e47258994feb7f8e2445645f552c2b7a2de6778

      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\pt_PT\history.js

        Filesize

        198KB

        MD5

        b4b4c703bf5c6c0b5e9c57f05012d234

        SHA1

        929aee49e800e88b4b01f4a449fa86715d882e42

        SHA256

        910eada285d4900ea8e36faf305f731cfb200b317ea866839f5f4864a9dfc09b

        SHA512

        2afa881ee2f47e97249904b506cf88d68a34c166d9dc0a603f68369e640336f2c0b424ecb7b23d4631a96e175b965478bfa4ebc0224b0410551e55ac4c8ad0ec

      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\cfgs\setup.cfg

        Filesize

        408B

        MD5

        c97ed5a0f101f1095748fb3d2c3c982f

        SHA1

        ee28865fab11ee696b27fa0206860831b4ec27c3

        SHA256

        a721f509a48ccb73d46338b0cb065bf91420189f5776580076cf68f96f4d8840

        SHA512

        d780bc93cf2bf4ee96ccaab358b79c5d2e9726b587d17833ba6192a7ca674e2e4fde16de54b1ba6a17bb0462504ee691f24ead14984be6a69298c37d82613766

      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\cfgs\setup.cfg

        Filesize

        434B

        MD5

        e6c8b146640faf4ce794d6acef69ae92

        SHA1

        7545235bc328a49b1304b8c6ee5663d43a53cf0f

        SHA256

        cc8027d21cf0750014fdcd5660349999c6a17db4d0449ba81ced2c04269ef6ba

        SHA512

        f13246c250235672fb76f1f41484e81865ede4de8f1a8d8476506b865d5a647a252f9a8fb7bd4c5561710f2f3a98291cbd22aee49c0025c77677774b32068853

      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\mui\ja_JP\resource\splash\hdpi\2x\ent_background_2019_wpsoffice.png

        Filesize

        236KB

        MD5

        c5ad1903526a9ca4c2f55cfea1e22778

        SHA1

        9c7b9ba9100a919cad272fb85ff95c4cde45de9f

        SHA256

        5e7ba996d2331f37b9799767c0fa806cab9a39fea434796ab08dcaf39096e334

        SHA512

        e482142e81fbe71666b40f7a2c53702b4278436a0240e0f56200443cf4235d9942cccc3545cc01486d53a0972be553cbf93442e8b05de7b4fcd1fe8a4ec16bb4

      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\qt\plugins\platforms\qdirect2d.dll

        Filesize

        1.4MB

        MD5

        bd5884a7c9cc473a229b953154a52c52

        SHA1

        28bfe5cc3a0e162a1b3a4bd19896c2ccfe2846da

        SHA256

        d3a8df4594ccdf7d7c27cb06b7a04bc929675cf184193d9ef8a50cddf07978bb

        SHA512

        5c47db9249d6568d37f82410a7009a8a92c2f5b1509d7545b4d3ebb21d9d9718a3eb392c4a1ecbf4a4e0e594e0c593df2ac0589288d846c0a7e485b85902a0df

      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\wpscenter.exe

        Filesize

        904KB

        MD5

        93319d7add53c7c8c364012d5b61f3c6

        SHA1

        b78f3c6e393b029a1596ad4c9671e2ec9c9a4f39

        SHA256

        9d053f657250bc0705d84644a3d05eb9d008f75a52d360b772140eea5e271c66

        SHA512

        f2b638483bc29c6a766041c434b79a574f34e1ddcd3cc2b5ac6bf4f970a74af919f531fd1868e0ac28dcc1eeb88646f9ee428d6f916a1beacf174e11e08f2361

      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\utility\install.ini

        Filesize

        499B

        MD5

        183330feb3b9701fec096dcbfd8e67e4

        SHA1

        2f43379fefa868319a2baae7998cc62dc2fc201d

        SHA256

        ac4f26a184114522200169c5f57a0af4498a20d19b7ec6def14dd2c6413eb475

        SHA512

        643cc197456f15da6ddd6eb904f2b25ad4236a24310d575958c0c8e457a33167e748d21184162502a295fa466c031a837511d4d5348fd67499ede1b60065c471

      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\utility\install.ini

        Filesize

        558B

      • C:\Users\Admin\AppData\Local\Temp\Cab3F05.tmp

        Filesize

        70KB

      • C:\Users\Admin\AppData\Local\Temp\Kingsoft\WPS Office.lnk

        Filesize

        2KB

      • C:\Users\Admin\AppData\Local\Temp\Tar3F27.tmp

        Filesize

        181KB

      • C:\Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\product.dat

        Filesize

        121KB

      • C:\Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\pt_BR\style.xml

        Filesize

        3KB

      • C:\Users\Admin\AppData\Local\tempinstall.ini

        Filesize

        387B

      • C:\Users\Admin\AppData\Local\tempinstall.ini

        Filesize

        433B

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JVZB6HM7CHA7LOUIFLZ1.temp

        Filesize

        8KB

      • C:\Users\Admin\AppData\Roaming\kingsoft\office6\cfg\localconfig.data

        Filesize

        99KB

      • C:\Users\Admin\AppData\Roaming\kingsoft\office6\configs\configure2

        Filesize

        208B

      • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\ksomisc\ksomisc_2024_11_01.log

        Filesize

        5KB

      • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

        Filesize

        11KB

      • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

        Filesize

        14KB

      • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

        Filesize

        30KB

      • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

        Filesize

        48KB

      • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

        Filesize

        49KB

      • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

        Filesize

        58KB

      • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\update\wpsupdate_2024_11_01.log

        Filesize

        1KB

      • \Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\Qt5NetworkKso.dll

        Filesize

        1.1MB

      • \Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18607\office6\ksomisc.exe

        Filesize

        3.1MB

      • \Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\office6\Qt5CoreKso.dll

        Filesize

        5.0MB

      • \Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\office6\Qt5GuiKso.dll

        Filesize

        5.3MB

      • \Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\office6\Qt5SvgKso.dll

        Filesize

        392KB

      • \Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\office6\Qt5WidgetsKso.dll

        Filesize

        4.5MB

      • \Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\office6\Qt5WinExtrasKso.dll

        Filesize

        217KB

      • \Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\office6\api-ms-win-core-file-l1-2-0.dll

        Filesize

        11KB

      • \Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\office6\api-ms-win-core-file-l2-1-0.dll

        Filesize

        10KB

      • \Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\office6\api-ms-win-core-localization-l1-2-0.dll

        Filesize

        13KB

      • \Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\office6\api-ms-win-core-processthreads-l1-1-1.dll

        Filesize

        11KB

      • \Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\office6\api-ms-win-core-timezone-l1-1-0.dll

        Filesize

        11KB

      • \Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\office6\api-ms-win-crt-convert-l1-1-0.dll

        Filesize

        14KB

      • \Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\office6\api-ms-win-crt-environment-l1-1-0.dll

        Filesize

        11KB

      • \Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\office6\api-ms-win-crt-filesystem-l1-1-0.dll

        Filesize

        12KB

      • \Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\office6\api-ms-win-crt-heap-l1-1-0.dll

        Filesize

        11KB

      • \Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\office6\api-ms-win-crt-locale-l1-1-0.dll

        Filesize

        11KB

      • \Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\office6\api-ms-win-crt-math-l1-1-0.dll

        Filesize

        21KB

      • \Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\office6\api-ms-win-crt-runtime-l1-1-0.dll

        Filesize

        15KB

      • \Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\office6\api-ms-win-crt-stdio-l1-1-0.dll

        Filesize

        16KB

      • \Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\office6\api-ms-win-crt-string-l1-1-0.dll

        Filesize

        17KB

      • \Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\office6\api-ms-win-crt-time-l1-1-0.dll

        Filesize

        13KB

      • \Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\office6\api-ms-win-crt-utility-l1-1-0.dll

        Filesize

        11KB

      • \Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\office6\kpacketui.dll

        Filesize

        2.9MB

      • \Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\office6\msvcp140.dll

        Filesize

        427KB

      • \Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll

        Filesize

        61KB

      • \Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\office6\qt\plugins\imageformats\qsvg.dll

        Filesize

        41KB

      • \Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\office6\qt\plugins\platforms\qwindows.dll

        Filesize

        1.3MB

      • \Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll

        Filesize

        145KB

      • \Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\office6\ucrtbase.dll

        Filesize

        1.1MB

      • \Users\Admin\AppData\Local\Temp\wps\~f779aaa\CONTROL\office6\vcruntime140.dll

        Filesize

        75KB
