dc39b5d48b629a51131dfd3422aecce052d7d661cd943bddd9994ae15ce2db40

Analysis

max time kernel
139s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wps_lid.lid-u4Utp3nDzdeh.exe
Size

5.6MB
MD5

c5a5dd5767e25a5b21ccef63fcd9b6fb
SHA1

10fb2dc473f56694adb854cd206664ffb2ff1f28
SHA256

dc39b5d48b629a51131dfd3422aecce052d7d661cd943bddd9994ae15ce2db40
SHA512

89beb8994a9b05077296e6bae00d3f22728fe7773efc53f5dc6204658abdb35d8a743cd77b646046bb36e004a7cd1c25e32e8a34ae16aa5ad8d127df84f4f577
SSDEEP

98304:86pg+4qaSDRumxkEpMH1FkQmOnhTjqsaUODS4IeOsycwuv/guB/j:H5IS1FnpAvHZwiO2AOsRzgyj

Score

6^/10

bootkit discovery evasion persistence privilege_escalation spyware stealer trojan

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
File opened for modification	\??\PhysicalDrive0	ksomisc.exe
File opened for modification	\??\PhysicalDrive0	wps_lid.lid-u4Utp3nDzdeh.exe
File opened for modification	\??\PhysicalDrive0	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation	wps.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation	wps.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation	wps.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation	wps.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation	wps.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation	wps.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation	wps.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation	wps.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation	wps_lid.lid-u4Utp3nDzdeh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation	ksomisc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation	wpscenter.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe

Executes dropped EXE 64 IoCs

pid	Process
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
328	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
932	ksomisc.exe
1020	ksomisc.exe
1708	ksomisc.exe
2144	wpscloudsvr.exe
1440	ksomisc.exe
2384	ksomisc.exe
2068	ksomisc.exe
2728	ksomisc.exe
1184	ksomisc.exe
1840	ksomisc.exe
1988	ksomisc.exe
2380	ksomisc.exe
2572	ksomisc.exe
2908	ksomisc.exe
1812	ksomisc.exe
888	ksomisc.exe
1840	ksomisc.exe
2624	ksomisc.exe
1692	wps.exe
840	wps.exe
1992	wps.exe
320	ksomisc.exe
1256	ksomisc.exe
2676	ksomisc.exe
2528	ksomisc.exe
988	ksomisc.exe
2864	ksomisc.exe
2424	ksomisc.exe
2316	ksomisc.exe
1096	wpsupdate.exe
920	wpscloudsvr.exe
1652	wpsupdate.exe
2920	wpscloudsvr.exe
1608	ksomisc.exe
2840	ksomisc.exe
1924	ksomisc.exe
2612	ksomisc.exe
924	ksomisc.exe
1076	ksomisc.exe
2044	ksomisc.exe
604	ksolaunch.exe
1704	wps.exe
2352	wpscloudsvr.exe
1936	promecefpluginhost.exe
1268	promecefpluginhost.exe
1636	ksomisc.exe
2720	ksomisc.exe
1456	ksolaunch.exe
2180	wpscloudsvr.exe
1968	ksolaunch.exe
836	wpscloudsvr.exe
2640	wps.exe
888	wps.exe
612	wps.exe
2120	wps.exe
804	wps.exe
2128	promecefpluginhost.exe
1028	wpscenter.exe
2544	wps.exe
2684	wpscenter.exe
1836	promecefpluginhost.exe
3000	promecefpluginhost.exe

Loads dropped DLL 64 IoCs

pid	Process
1100	wps_lid.lid-u4Utp3nDzdeh.exe
1100	wps_lid.lid-u4Utp3nDzdeh.exe
1100	wps_lid.lid-u4Utp3nDzdeh.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
328	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\lnkfile\ShellEx	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\lnkfile\ShellEx\ContextMenuHandlers\ kwpsshellext\ = "{28A80003-18FD-411D-B0A3-3C81F618E22B}"	regsvr32.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wpscloudsvr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpscloudsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	promecefpluginhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksolaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	promecefpluginhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpscloudsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	promecefpluginhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksolaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpscenter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpscloudsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	promecefpluginhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpscloudsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpscenter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	promecefpluginhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chromelauncher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpscloudsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksolaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpscenter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}	ksomisc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024"	ksomisc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{E436987E-F427-4AD7-8738-6D0895A3E93F}"	ksomisc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}	ksomisc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024"	ksomisc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{AB5357A7-3179-47F9-A705-966B8B936D5E}"	ksomisc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	wpscloudsvr.exe
Key created	\REGISTRY\USER\S-1-5-19	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
Key created	\REGISTRY\USER\S-1-5-20	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\KWPS.SecDocument.9\shell\open\command	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Interface\{E4442A83-F623-459C-8E95-8BFB44DCF23A}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Interface\{00020A00-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\Interface\{00024441-0000-0000-C000-000000000046}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Interface\{000C0914-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Interface\{000C0389-0000-0000-C000-000000000046}\ = "MsoDebugOptions_UTManager"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\CLSID\{00020906-0000-4b30-A977-D214852036FF}\MiscStatus	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\Interface\{000244B2-0000-0000-C000-000000000046}\ = "ChartFormat"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\Interface\{000CDB0F-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Interface\{50BAE224-485B-41C0-9619-FCCBF83CC76F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Interface\{00024427-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\Interface\{92D41A73-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\Interface\{0002085E-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\Interface\{55F88896-7708-11D1-ACEB-006008961DA5}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\Interface\{00020954-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Interface\{D8252C5E-EB9F-4D74-AA72-C178B128FAC4}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Interface\{727B38C4-2E61-429C-B535-9C11E24217BA}\TypeLib\ = "{D626EB73-B7C0-45EF-922D-0CDDAEDE12FA}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\Interface\{0002443C-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\Interface\{000209A5-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Interface\{E2E8A400-0615-427D-ADCC-CAD39FFEBD42}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Interface\{92D41A66-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\CLSID\{45540003-5750-5300-4B49-4E47534F4655}\Verb	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\ET.Addin	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\DefaultIcon\.ksobak	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\Interface\{000C031D-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Interface\{56AFD330-440C-4F4C-A39C-ED306D084D5F}\ = "PlotArea"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Interface\{91493485-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Interface\{000208B8-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Interface\{0002E16E-0000-0000-C000-000000000046}\ = "_CodeModule"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\WPS.PIC.crw	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Interface\{000C0340-0000-0000-C000-000000000046}\TypeLib\Version = "63.1"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\Interface\{000C0387-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\Interface\{00020A00-0001-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\Interface\{000244D1-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\Interface\{00020914-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Interface\{52CA3750-AAF7-4525-B401-F8BACC417C33}\TypeLib\Version = "1.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\KWPP.Presentation.12\shell\open	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\Interface\{0002E16B-0000-0000-C000-000000000046}\TypeLib\ = "{0002E157-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Interface\{000CD102-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Interface\{000C0389-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\Interface\{56AFD330-440C-4F4C-A39C-ED306D084D5F}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\Interface\{BEA85A24-D7DA-4F3D-B58C-ED90FB01D615}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\Interface\{914934D8-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Applications\et.exe\shell	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Interface\{00024485-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\Interface\{00024455-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Interface\{000C0373-0000-0000-C000-000000000046}\ = "WebComponentProperties"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\Interface\{000CD903-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\Interface\{00020959-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\Interface\{A87E00E9-3AC3-4B53-ABE3-7379653D0E82}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\.doc\ = "WPS.Doc.6"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Interface\{000C172C-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\Interface\{914934DD-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\Interface\{000244DB-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Interface\{0002445B-0000-0000-C000-000000000046}\ = "ErrorCheckingOptions"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\WPS.PIC.bmp\shell\open	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Interface\{000C1728-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Interface\{0002097B-0000-0000-C000-000000000046}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\Interface\{000244C7-0000-0000-C000-000000000046}\ = "Slicers"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\Interface\{000208CD-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Interface\{000208B0-0000-0000-C000-000000000046}\ = "DialogSheets"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Interface\{000C0399-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Interface\{000C03CC-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Wow6432Node\Interface\{DE63B5AC-CA4F-46FE-9184-A5719AB9ED5B}\ = "XMLChildNodeSuggestions"	ksomisc.exe

Modifies system certificate store 2 TTPs 49 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	wpsupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs	wpscenter.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	wpscenter.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates	wpscloudsvr.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs	wpscloudsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs	ksomisc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	wpsupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	wpscenter.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs	wpscenter.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	wpscenter.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs	wps_lid.lid-u4Utp3nDzdeh.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs	wpscenter.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	wpscenter.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	wpscenter.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs	wps_lid.lid-u4Utp3nDzdeh.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs	wpscloudsvr.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices	wpscenter.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs	wpscenter.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices	wps_lid.lid-u4Utp3nDzdeh.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices	wpscloudsvr.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates	wpscenter.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates	wpscenter.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates	wps_lid.lid-u4Utp3nDzdeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	wpsupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs	wps.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	wps.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	wpsupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates	wpscenter.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices	wpscenter.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs	wpscenter.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	wpscenter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	wpscenter.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices	wpscenter.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs	wpscenter.exe

Suspicious behavior: AddClipboardFormatListener 46 IoCs

pid	Process
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
932	ksomisc.exe
1020	ksomisc.exe
1708	ksomisc.exe
1440	ksomisc.exe
2384	ksomisc.exe
2068	ksomisc.exe
2728	ksomisc.exe
1184	ksomisc.exe
1840	ksomisc.exe
1988	ksomisc.exe
2380	ksomisc.exe
2572	ksomisc.exe
2908	ksomisc.exe
1812	ksomisc.exe
888	ksomisc.exe
1840	ksomisc.exe
2624	ksomisc.exe
320	ksomisc.exe
1256	ksomisc.exe
2676	ksomisc.exe
2528	ksomisc.exe
988	ksomisc.exe
2864	ksomisc.exe
2424	ksomisc.exe
2316	ksomisc.exe
1096	wpsupdate.exe
1652	wpsupdate.exe
1608	ksomisc.exe
2840	ksomisc.exe
1924	ksomisc.exe
2612	ksomisc.exe
924	ksomisc.exe
1076	ksomisc.exe
2044	ksomisc.exe
1704	wps.exe
2352	wpscloudsvr.exe
2720	ksomisc.exe
836	wpscloudsvr.exe
1636	ksomisc.exe
2180	wpscloudsvr.exe
1028	wpscenter.exe
2684	wpscenter.exe
3500	wpscenter.exe
3736	wpscenter.exe
3616	ksomisc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1100	wps_lid.lid-u4Utp3nDzdeh.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
328	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
328	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
328	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
932	ksomisc.exe
1020	ksomisc.exe
1020	ksomisc.exe
1020	ksomisc.exe
1020	ksomisc.exe
1708	ksomisc.exe
1708	ksomisc.exe
1708	ksomisc.exe
1708	ksomisc.exe
2144	wpscloudsvr.exe
1440	ksomisc.exe
1440	ksomisc.exe
1440	ksomisc.exe
1440	ksomisc.exe
2384	ksomisc.exe
2384	ksomisc.exe
2384	ksomisc.exe
2384	ksomisc.exe
2384	ksomisc.exe
2384	ksomisc.exe
2384	ksomisc.exe
2384	ksomisc.exe
2384	ksomisc.exe
2384	ksomisc.exe
2384	ksomisc.exe
2384	ksomisc.exe
2384	ksomisc.exe
2384	ksomisc.exe
2384	ksomisc.exe
2384	ksomisc.exe
2384	ksomisc.exe
2384	ksomisc.exe
2384	ksomisc.exe
2384	ksomisc.exe
2384	ksomisc.exe
2384	ksomisc.exe
2384	ksomisc.exe
2384	ksomisc.exe
2384	ksomisc.exe
2384	ksomisc.exe
2384	ksomisc.exe
2068	ksomisc.exe
2068	ksomisc.exe
2068	ksomisc.exe
2068	ksomisc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
1704	wps.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
Token: SeRestorePrivilege	2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
Token: SeRestorePrivilege	2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
Token: SeRestorePrivilege	2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
Token: SeRestorePrivilege	2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
Token: SeDebugPrivilege	932	ksomisc.exe
Token: SeLockMemoryPrivilege	932	ksomisc.exe
Token: SeDebugPrivilege	1020	ksomisc.exe
Token: SeLockMemoryPrivilege	1020	ksomisc.exe
Token: SeDebugPrivilege	1708	ksomisc.exe
Token: SeLockMemoryPrivilege	1708	ksomisc.exe
Token: SeDebugPrivilege	1440	ksomisc.exe
Token: SeLockMemoryPrivilege	1440	ksomisc.exe
Token: SeDebugPrivilege	2384	ksomisc.exe
Token: SeLockMemoryPrivilege	2384	ksomisc.exe
Token: SeDebugPrivilege	2068	ksomisc.exe
Token: SeLockMemoryPrivilege	2068	ksomisc.exe
Token: SeDebugPrivilege	2728	ksomisc.exe
Token: SeLockMemoryPrivilege	2728	ksomisc.exe
Token: SeDebugPrivilege	1184	ksomisc.exe
Token: SeLockMemoryPrivilege	1184	ksomisc.exe
Token: SeDebugPrivilege	1840	ksomisc.exe
Token: SeLockMemoryPrivilege	1840	ksomisc.exe
Token: SeDebugPrivilege	1988	ksomisc.exe
Token: SeLockMemoryPrivilege	1988	ksomisc.exe
Token: SeDebugPrivilege	2380	ksomisc.exe
Token: SeLockMemoryPrivilege	2380	ksomisc.exe
Token: SeDebugPrivilege	2572	ksomisc.exe
Token: SeLockMemoryPrivilege	2572	ksomisc.exe
Token: SeDebugPrivilege	2908	ksomisc.exe
Token: SeLockMemoryPrivilege	2908	ksomisc.exe
Token: SeDebugPrivilege	1812	ksomisc.exe
Token: SeLockMemoryPrivilege	1812	ksomisc.exe
Token: SeDebugPrivilege	888	ksomisc.exe
Token: SeLockMemoryPrivilege	888	ksomisc.exe
Token: SeDebugPrivilege	1840	ksomisc.exe
Token: SeLockMemoryPrivilege	1840	ksomisc.exe
Token: SeDebugPrivilege	2624	ksomisc.exe
Token: SeLockMemoryPrivilege	2624	ksomisc.exe
Token: SeDebugPrivilege	320	ksomisc.exe
Token: SeLockMemoryPrivilege	320	ksomisc.exe
Token: SeDebugPrivilege	1256	ksomisc.exe
Token: SeLockMemoryPrivilege	1256	ksomisc.exe
Token: SeDebugPrivilege	2676	ksomisc.exe
Token: SeLockMemoryPrivilege	2676	ksomisc.exe
Token: SeDebugPrivilege	2528	ksomisc.exe
Token: SeLockMemoryPrivilege	2528	ksomisc.exe
Token: SeDebugPrivilege	988	ksomisc.exe
Token: SeLockMemoryPrivilege	988	ksomisc.exe
Token: SeDebugPrivilege	2864	ksomisc.exe
Token: SeLockMemoryPrivilege	2864	ksomisc.exe
Token: SeDebugPrivilege	2424	ksomisc.exe
Token: SeLockMemoryPrivilege	2424	ksomisc.exe
Token: SeDebugPrivilege	2316	ksomisc.exe
Token: SeLockMemoryPrivilege	2316	ksomisc.exe
Token: SeLockMemoryPrivilege	1096	wpsupdate.exe
Token: SeLockMemoryPrivilege	1652	wpsupdate.exe
Token: SeDebugPrivilege	1608	ksomisc.exe
Token: SeLockMemoryPrivilege	1608	ksomisc.exe
Token: SeDebugPrivilege	2840	ksomisc.exe
Token: SeLockMemoryPrivilege	2840	ksomisc.exe
Token: SeDebugPrivilege	1924	ksomisc.exe
Token: SeLockMemoryPrivilege	1924	ksomisc.exe
Token: SeDebugPrivilege	2612	ksomisc.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
1100	wps_lid.lid-u4Utp3nDzdeh.exe
1100	wps_lid.lid-u4Utp3nDzdeh.exe
1100	wps_lid.lid-u4Utp3nDzdeh.exe
1100	wps_lid.lid-u4Utp3nDzdeh.exe
1100	wps_lid.lid-u4Utp3nDzdeh.exe
1100	wps_lid.lid-u4Utp3nDzdeh.exe
1100	wps_lid.lid-u4Utp3nDzdeh.exe
1100	wps_lid.lid-u4Utp3nDzdeh.exe
1100	wps_lid.lid-u4Utp3nDzdeh.exe
1100	wps_lid.lid-u4Utp3nDzdeh.exe
1100	wps_lid.lid-u4Utp3nDzdeh.exe
1100	wps_lid.lid-u4Utp3nDzdeh.exe
1100	wps_lid.lid-u4Utp3nDzdeh.exe
1100	wps_lid.lid-u4Utp3nDzdeh.exe
1100	wps_lid.lid-u4Utp3nDzdeh.exe
1100	wps_lid.lid-u4Utp3nDzdeh.exe
1100	wps_lid.lid-u4Utp3nDzdeh.exe
1100	wps_lid.lid-u4Utp3nDzdeh.exe
1100	wps_lid.lid-u4Utp3nDzdeh.exe
1100	wps_lid.lid-u4Utp3nDzdeh.exe
2352	wpscloudsvr.exe
2352	wpscloudsvr.exe
1100	wps_lid.lid-u4Utp3nDzdeh.exe
1100	wps_lid.lid-u4Utp3nDzdeh.exe
1100	wps_lid.lid-u4Utp3nDzdeh.exe
1100	wps_lid.lid-u4Utp3nDzdeh.exe
1100	wps_lid.lid-u4Utp3nDzdeh.exe
1100	wps_lid.lid-u4Utp3nDzdeh.exe
1100	wps_lid.lid-u4Utp3nDzdeh.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2352	wpscloudsvr.exe
2352	wpscloudsvr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
932	ksomisc.exe
932	ksomisc.exe
1020	ksomisc.exe
1020	ksomisc.exe
1020	ksomisc.exe
1020	ksomisc.exe
1708	ksomisc.exe
1708	ksomisc.exe
1708	ksomisc.exe
1708	ksomisc.exe
1440	ksomisc.exe
1440	ksomisc.exe
2384	ksomisc.exe
2384	ksomisc.exe
2068	ksomisc.exe
2068	ksomisc.exe
2728	ksomisc.exe
2728	ksomisc.exe
1184	ksomisc.exe
1184	ksomisc.exe
1840	ksomisc.exe
1840	ksomisc.exe
1988	ksomisc.exe
1988	ksomisc.exe
2380	ksomisc.exe
2380	ksomisc.exe
2572	ksomisc.exe
2572	ksomisc.exe
2908	ksomisc.exe
2908	ksomisc.exe
1812	ksomisc.exe
1812	ksomisc.exe
888	ksomisc.exe
888	ksomisc.exe
1840	ksomisc.exe
1840	ksomisc.exe
2624	ksomisc.exe
2624	ksomisc.exe
320	ksomisc.exe
320	ksomisc.exe
1256	ksomisc.exe
1256	ksomisc.exe
2676	ksomisc.exe
2676	ksomisc.exe
2528	ksomisc.exe
2528	ksomisc.exe
988	ksomisc.exe
988	ksomisc.exe
2864	ksomisc.exe
2864	ksomisc.exe
2424	ksomisc.exe
2424	ksomisc.exe
2316	ksomisc.exe
2316	ksomisc.exe
1096	wpsupdate.exe
1096	wpsupdate.exe
1652	wpsupdate.exe
1652	wpsupdate.exe
1608	ksomisc.exe
1608	ksomisc.exe
2840	ksomisc.exe
2840	ksomisc.exe
1924	ksomisc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 2684	1100	wps_lid.lid-u4Utp3nDzdeh.exe	30
PID 1100 wrote to memory of 2684	1100	wps_lid.lid-u4Utp3nDzdeh.exe	30
PID 1100 wrote to memory of 2684	1100	wps_lid.lid-u4Utp3nDzdeh.exe	30
PID 1100 wrote to memory of 2684	1100	wps_lid.lid-u4Utp3nDzdeh.exe	30
PID 1100 wrote to memory of 2684	1100	wps_lid.lid-u4Utp3nDzdeh.exe	30
PID 1100 wrote to memory of 2684	1100	wps_lid.lid-u4Utp3nDzdeh.exe	30
PID 1100 wrote to memory of 2684	1100	wps_lid.lid-u4Utp3nDzdeh.exe	30
PID 328 wrote to memory of 932	328	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	32
PID 328 wrote to memory of 932	328	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	32
PID 328 wrote to memory of 932	328	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	32
PID 328 wrote to memory of 932	328	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	32
PID 328 wrote to memory of 1020	328	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	34
PID 328 wrote to memory of 1020	328	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	34
PID 328 wrote to memory of 1020	328	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	34
PID 328 wrote to memory of 1020	328	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	34
PID 328 wrote to memory of 1708	328	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	35
PID 328 wrote to memory of 1708	328	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	35
PID 328 wrote to memory of 1708	328	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	35
PID 328 wrote to memory of 1708	328	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	35
PID 2684 wrote to memory of 2144	2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	36
PID 2684 wrote to memory of 2144	2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	36
PID 2684 wrote to memory of 2144	2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	36
PID 2684 wrote to memory of 2144	2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	36
PID 328 wrote to memory of 1440	328	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	37
PID 328 wrote to memory of 1440	328	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	37
PID 328 wrote to memory of 1440	328	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	37
PID 328 wrote to memory of 1440	328	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	37
PID 328 wrote to memory of 2384	328	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	38
PID 328 wrote to memory of 2384	328	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	38
PID 328 wrote to memory of 2384	328	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	38
PID 328 wrote to memory of 2384	328	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	38
PID 2384 wrote to memory of 2564	2384	ksomisc.exe	39
PID 2384 wrote to memory of 2564	2384	ksomisc.exe	39
PID 2384 wrote to memory of 2564	2384	ksomisc.exe	39
PID 2384 wrote to memory of 2564	2384	ksomisc.exe	39
PID 2384 wrote to memory of 2564	2384	ksomisc.exe	39
PID 2384 wrote to memory of 2564	2384	ksomisc.exe	39
PID 2384 wrote to memory of 2564	2384	ksomisc.exe	39
PID 2384 wrote to memory of 2692	2384	ksomisc.exe	40
PID 2384 wrote to memory of 2692	2384	ksomisc.exe	40
PID 2384 wrote to memory of 2692	2384	ksomisc.exe	40
PID 2384 wrote to memory of 2692	2384	ksomisc.exe	40
PID 2384 wrote to memory of 2692	2384	ksomisc.exe	40
PID 2384 wrote to memory of 2692	2384	ksomisc.exe	40
PID 2384 wrote to memory of 2692	2384	ksomisc.exe	40
PID 2692 wrote to memory of 2568	2692	regsvr32.exe	41
PID 2692 wrote to memory of 2568	2692	regsvr32.exe	41
PID 2692 wrote to memory of 2568	2692	regsvr32.exe	41
PID 2692 wrote to memory of 2568	2692	regsvr32.exe	41
PID 2692 wrote to memory of 2568	2692	regsvr32.exe	41
PID 2692 wrote to memory of 2568	2692	regsvr32.exe	41
PID 2692 wrote to memory of 2568	2692	regsvr32.exe	41
PID 2684 wrote to memory of 2068	2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	42
PID 2684 wrote to memory of 2068	2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	42
PID 2684 wrote to memory of 2068	2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	42
PID 2684 wrote to memory of 2068	2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	42
PID 2684 wrote to memory of 2728	2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	43
PID 2684 wrote to memory of 2728	2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	43
PID 2684 wrote to memory of 2728	2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	43
PID 2684 wrote to memory of 2728	2684	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	43
PID 328 wrote to memory of 1184	328	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	44
PID 328 wrote to memory of 1184	328	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	44
PID 328 wrote to memory of 1184	328	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	44
PID 328 wrote to memory of 1184	328	77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe	44

C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-u4Utp3nDzdeh.exe
"C:\Users\Admin\AppData\Local\Temp\wps_lid.lid-u4Utp3nDzdeh.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\AppData\Local\Temp\wps_download\77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
  C:\Users\Admin\AppData\Local\Temp\wps_download\77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -pinTaskbar -curlangofinstalledproduct=en_US -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps -enableSetupMuiPkg -appdata="C:\Users\Admin\AppData\Roaming"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Modifies system certificate store
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
    "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2144
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -regmtfont
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2068
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\\office6\ksomisc.exe" -setappcap
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2728
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\\office6\ksomisc.exe" -assoepub -source=1
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2424
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\\office6\ksomisc.exe" -registerqingshellext 1
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2316
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\addons\html2pdf\html2pdf.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1328
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -regmso2pdfplugins
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1608
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\kmso2pdfplugins.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1688
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\kmso2pdfplugins64.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1372
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\kmso2pdfplugins64.dll"
        5⤵
        
        PID:2624
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -regPreviewHandler
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2840
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\\office6\ksomisc.exe" -assopic_setup
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1924
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\\office6\ksomisc.exe" -defragment
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    PID:2044
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /prometheus /download_lang_on_start /lang=en_US /from=get_start_with_wps_after_install_onlinesetup
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:604
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\wps.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\wps.exe" /prometheus /download_lang_on_start /lang=en_US /from=get_start_with_wps_after_install_onlinesetup
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1704
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\wpscloudsvr.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\wpscloudsvr.exe" /qingbangong /start_from=qingipc /qingbangong /start_from=kstartpage silentautologin
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2352
    - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
        
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -getonlineparam -forceperusermode
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        
        PID:1636
    - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
        
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -getabtest -forceperusermode
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        
        PID:2720
    - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe
        
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /messagepush /PushType=mipush /From=Qing
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1456
      - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\wpscloudsvr.exe
        
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\wpscloudsvr.exe" /messagepush /PushType=mipush /From=Qing
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        
        PID:2180
    - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe
        
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /krecentfile /init /From=Qing
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1968
      - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\wpscloudsvr.exe
        
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\wpscloudsvr.exe" /krecentfile /init /From=Qing
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        
        PID:836
    - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\wpscenter.exe
        
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\wpscenter.exe" Run /InstanceId=messagepushcenter -Entry=DoWakeup C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386/kmessagepushcenter_1.0.2024.12/kmessagepushcenter.dll
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: AddClipboardFormatListener
        
        PID:1028
    - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\wpscenter.exe
        
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\wpscenter.exe" Run /InstanceId=wpsbubble -Entry=EntryPoint C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386/kwpsbubble_1.0.2024.61/kwpsbubble_xa.dll
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: AddClipboardFormatListener
        
        PID:2684
      - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\promecefpluginhost.exe
        
        "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.18911/office6\promecefpluginhost.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\debug.log" --mojo-platform-channel-handle=1168 --field-trial-handle=1336,i,13011231611124032076,7920547691329137905,131072 --disable-features=TSFImeSupport /prefetch:2
        6⤵
        Executes dropped EXE
        
        PID:1836
      - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\promecefpluginhost.exe
        
        "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.18911/office6\promecefpluginhost.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\debug.log" --mojo-platform-channel-handle=1560 --field-trial-handle=1336,i,13011231611124032076,7920547691329137905,131072 --disable-features=TSFImeSupport /prefetch:8
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3000
      - C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.189\office6\wps.exe
        
        "C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.189\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=2684 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.18911/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\debug.log" --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1844 --field-trial-handle=1336,i,13011231611124032076,7920547691329137905,131072 --disable-features=TSFImeSupport /prefetch:1
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1672
      - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\promecefpluginhost.exe
        
        "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.18911/office6\promecefpluginhost.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\debug.log" --mojo-platform-channel-handle=1444 --field-trial-handle=1336,i,13011231611124032076,7920547691329137905,131072 --disable-features=TSFImeSupport /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3512
    - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\wpscenter.exe
        
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\wpscenter.exe" Run -Entry=EntryPoint C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386/kdocreminder_1.1.2021.190/kdocreminder.dll
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        
        PID:3736
    - - C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386\chromehost_1.0.2024.67\chromelauncher.exe
        
        C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386\chromehost_1.0.2024.67\chromelauncher.exe install
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3836
    - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\wps.exe
        
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\wps.exe" Run -User=Admin "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -regpdfwspv
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3480
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\promecefpluginhost.exe
      "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.18911/office6\promecefpluginhost.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\debug.log" --mojo-platform-channel-handle=2224 --field-trial-handle=2340,i,5708536561162953875,11180441676234687795,131072 --disable-features=TSFImeSupport /prefetch:2
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1936
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\promecefpluginhost.exe
      "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.18911/office6\promecefpluginhost.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\debug.log" --mojo-platform-channel-handle=2644 --field-trial-handle=2340,i,5708536561162953875,11180441676234687795,131072 --disable-features=TSFImeSupport /prefetch:8
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1268
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.189\office6\wps.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.189\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=1704 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.18911/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\debug.log" --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2960 --field-trial-handle=2340,i,5708536561162953875,11180441676234687795,131072 --disable-features=TSFImeSupport /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2640
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.189\office6\wps.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.189\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=1704 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.18911/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\debug.log" --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=2340,i,5708536561162953875,11180441676234687795,131072 --disable-features=TSFImeSupport /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:888
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.189\office6\wps.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.189\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=1704 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.18911/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\debug.log" --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3112 --field-trial-handle=2340,i,5708536561162953875,11180441676234687795,131072 --disable-features=TSFImeSupport /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:612
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.189\office6\wps.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.189\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=1704 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.18911/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\debug.log" --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3160 --field-trial-handle=2340,i,5708536561162953875,11180441676234687795,131072 --disable-features=TSFImeSupport /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:804
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.189\office6\wps.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.189\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=1704 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.18911/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\debug.log" --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3204 --field-trial-handle=2340,i,5708536561162953875,11180441676234687795,131072 --disable-features=TSFImeSupport /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:2120
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\promecefpluginhost.exe
      "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.18911/office6\promecefpluginhost.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\debug.log" --mojo-platform-channel-handle=2224 --field-trial-handle=2340,i,5708536561162953875,11180441676234687795,131072 --disable-features=TSFImeSupport /prefetch:2
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2128
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.189\office6\wps.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.189\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4xODkxMVxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=1704 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.18911/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\debug.log" --js-flags=--expose-gc --disable-gpu-compositing --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3740 --field-trial-handle=2340,i,5708536561162953875,11180441676234687795,131072 --disable-features=TSFImeSupport /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2544
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\wpscenter.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\wpscenter.exe" Run -Entry=EntryPoint C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386/kdocreminder_1.1.2021.190/kdocreminder.dll
      4⤵
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: AddClipboardFormatListener
      PID:3500

C:\Users\Admin\AppData\Local\Temp\wps_download\77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe
"C:\Users\Admin\AppData\Local\Temp\wps_download\77fb58816aa60e53d94eff396fedfaa1-16_setup_XA_mui_Free.exe.601.1123.exe" -downpower -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -pinTaskbar -curlangofinstalledproduct="en_US" -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -notautostartwps="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -enableSetupMuiPkg="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -appdata="C:\Users\Admin\AppData\Roaming" -msgwndname=wpssetup_message_F777511 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~f777178\
1⤵
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:328
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -setlng en_US
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:932
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -getonlineparam 00601.00001123 -forceperusermode
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1020
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -getabtest -forceperusermode
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1708
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -setservers
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1440
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -register
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\kmso2pdfplugins.dll"
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\kmso2pdfplugins64.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\kmso2pdfplugins64.dll"
      4⤵
      PID:2568
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -assoword
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1184
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -assoexcel
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1840
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -assopowerpnt
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1988
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -compatiblemso -source=1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2380
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -checkcompatiblemso
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2572
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -saveas_mso
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2908
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -distsrc 00601.00001123
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1812
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -sendinstalldyn 5
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:888
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1840
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -externaltask create -forceperusermode
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2624
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\wps.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1692
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\wps.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\wps.exe" CheckService
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:840
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\wps.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.18911/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=1692 /prv
      4⤵
      Executes dropped EXE
      PID:1992
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -createsubmodulelink startmenu prometheus
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:320
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -createsubmodulelink startmenu pdf
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1256
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -createsubmodulelink desktop pdf
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2676
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -createsubmodulelink desktop prometheus
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2528
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -createCustomDestList
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:988
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\kwpsmenushellext64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1188
- - C:\Windows\system32\regsvr32.exe
    /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\kwpsmenushellext64.dll"
    3⤵
    - Modifies system executable filetype association
    PID:1288
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -setup_assopdf -source=1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2864
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\wpsupdate.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\wpsupdate.exe" /from:setup
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1096
- - C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
    "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
    3⤵
    - Executes dropped EXE
    PID:920
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\wpsupdate.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\wpsupdate.exe" -createtask
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1652
- - C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
    "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
    3⤵
    - Executes dropped EXE
    PID:2920
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -createexternstartmenu "WPS Office"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -rebuildicon
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  PID:924
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -reportAssoInfo -forceperusermode
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  PID:1076

C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
"C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" LocalService
1⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3576
- C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe
  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe" -regpdfwspv
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  PID:3616
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386\pdfwspv_1.0.2024.51\pdfwspv.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51ac676fad8a3b835061458a0c6aa920

SHA1
0146500a52a12cc956ad6553f46a147c7cfe26fe

SHA256
05fd8ac165414ddf17ea79b89180154fe3ebfaa1532c80260875a3846027f409

SHA512
1a40c48d3869051d923c182b26d1ae4be8023ea70ccb0703ffdb1ec0aac2a5cf3c89cec7a3465f2a8606090ce2949bcc4d87da290d8f2089b71ee13ddee2de90

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\addons\kodfconverthelper_xa\mui\pt_BR\kodfconverthelper.qm

Filesize
334B

MD5
2b42be10ddde43a0b6c2e461beae293a

SHA1
53888c4798bc04fdfc5a266587b8dc1c4e0103f3

SHA256
984ebeef80f6f50907afb92e5b5ae72df49fce045552c118a77a8887cc98e19b

SHA512
be3ebd02d37de367200696351fb5f9cd0ec4c206c3a33f281cb8b62386457a30a899322798c63a0d495577393e47258994feb7f8e2445645f552c2b7a2de6778

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\addons\kuserinfomenu\mui\default\html\run.ini

Filesize
171B

MD5
b30cb271e143eace0f55ea2e562e1e9f

SHA1
9d97dbf24931cfc114384c3f4dbbae21c9e51be5

SHA256
3ab7bb6175885fc6acbf5eed0062b0d00c059cb4c68bd2ef90149b2c8763e658

SHA512
dc593185fa63b458024c3a913c558e5686806154181dea67eec786ada50595c53bab822833ad1e76c9acdf21be3eba50631391b7e575d7f1f6409ceccf966535

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\history.js

Filesize
198KB

MD5
12435e50a498b3b7a712979da2365113

SHA1
79919439708db7084d41cf7e35970a0a84fa2d5c

SHA256
8a3d43e9e5f01c0c07207fb62e4ccc1a686c77d2c8c4be7f12a91678517cc807

SHA512
6dad7e007f677ef59e4230814278ef496adc74273aa69a29025c60ed2e3f9a6bcb7cbe769bd1e5ce2f1fb2d25072ff91bd8a75312912600fdb7ce14d22340977

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\cfgs\setup.cfg

Filesize
434B

MD5
3dfb44586455e369a34919665c39e882

SHA1
883fbd63d3d545dd19629d44cfe175dda22ff26b

SHA256
0b243f7fcccc9e2e698787756681158bd0bbfe12bd4d7c02d8f6f3d5b6036068

SHA512
dc5e732b5edd4edba2450f9552521cabcebe0d7a45023deac23ea6dee0c1d87bee557c0c89ebbea0a8ac4f1f3e7c73c1595ce56e8b0a916bd18fc8dc810372b2

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\ksomisc.exe

Filesize
3.1MB

MD5
af4a1fd1a513e63308bd9944d849bdde

SHA1
51b39531aee200509bca2fda6984a6743783602e

SHA256
b812b540ef1ccea9831725f88f1cca67224c03449bc2dddca4a30494f8a3f5b7

SHA512
582fb63d0f82bf0b77aa3bcf6eb43fde9568f297bf5e6aa866501ca7890a61d3afa9a3b714392c2c17119f0b71d17b1c0fd2486ee6a3060b9f596a45fd52773a

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\mui\ja_JP\resource\splash\hdpi\2x\ent_background_2019_wpsoffice.png

Filesize
236KB

MD5
c5ad1903526a9ca4c2f55cfea1e22778

SHA1
9c7b9ba9100a919cad272fb85ff95c4cde45de9f

SHA256
5e7ba996d2331f37b9799767c0fa806cab9a39fea434796ab08dcaf39096e334

SHA512
e482142e81fbe71666b40f7a2c53702b4278436a0240e0f56200443cf4235d9942cccc3545cc01486d53a0972be553cbf93442e8b05de7b4fcd1fe8a4ec16bb4

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\qt\plugins\platforms\qdirect2d.dll

Filesize
1.4MB

MD5
96ea1487232fa561ced71d414e9de6bd

SHA1
9509e848cb104edca1dadcb1ba29c358cdc621cc

SHA256
3bb385ff6cd271d4241edc2ed55e1849611381dd1fc85c2046a8a9a98002e733

SHA512
8ce9067b75df1f13ed5c94e83aa3c747ffc8dcc556c22733432d11df8df17331937e9f78128c5af0e55f7a5a3f27fe496c7d02d0afae1f216f8bb9db3752926e

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\wpscenter.exe

Filesize
904KB

MD5
b8387d21b0e475d76ece6015119e78b6

SHA1
e01c18b12a6ba6b1106da6476e13aa1b127be75a

SHA256
c0daff288081064124dcfe65c75d6a67242f025a0421674cea3cc591115930b2

SHA512
69239776f2cf2d27e68a34a6e8dee339569dafb72a52f2d1015eed045563cf1ae9588ec0b4486bfc9079f8609dbf153d580a3eafbe6b9e9f10099fccad19b948

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\utility\install.ini

Filesize
499B

MD5
183330feb3b9701fec096dcbfd8e67e4

SHA1
2f43379fefa868319a2baae7998cc62dc2fc201d

SHA256
ac4f26a184114522200169c5f57a0af4498a20d19b7ec6def14dd2c6413eb475

SHA512
643cc197456f15da6ddd6eb904f2b25ad4236a24310d575958c0c8e457a33167e748d21184162502a295fa466c031a837511d4d5348fd67499ede1b60065c471

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\utility\install.ini

Filesize
675B

MD5
b2f8eb7563658e7dc6195e49c4c4b44c

SHA1
8f302b12cb8d8a589c02d2a115e6a3df3d1d3536

SHA256
6ef45ee0a1dabb780e39b0d26226a8a318f2f450f977a6be6e07534d7b1a3d5f

SHA512
ef84f6a4e9a31c1f45926f289877e5f5a69d86f7964cf5d619586eee600074f9cba7900d267bc432d2a48f72aca485126700a9860226f52a7e51dbbc0e5486e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab42CC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kingsoft\WPS Office.lnk

Filesize
2KB

MD5
b482fa1e7487e9f7cd8b16f22ff12506

SHA1
178afedb8c25b825443437f55c812d2e63c9135b

SHA256
1bf3e0d31192a409f8e4b1b442c4b7142659fafb479cf7d7e29ce2eb26ca684b

SHA512
6511fcec59338ef9d963e035a37134b053abb87544132f59333cacf3fdac7dfc4365f929a826474a3707e9a948647420338ca4c43eaf53165b203b25e21495fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar716E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\dbghelp.dll

Filesize
1.2MB

MD5
56d017aef6a7c74cd136f2390b8ea6d3

SHA1
46cc837c64abe4e757e66a24ece56e3f975e9ef6

SHA256
900da3e0ea1b4f94773689b41d3f00b28b0fad0f6390da3aec3a9f84a3f85920

SHA512
7b5573461693c6125df7ff9040afb6f4fa818a68add9073071a3317767216dd9a6cf25704f3189f3923ead36751fa830e9899eb79f9b6cad3be405262bf53f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\kpacketui\mui\en_US\kpacketui.qm

Filesize
8KB

MD5
f52456f3e71a3c50b7f974279c276de9

SHA1
c37faf95f4e0a9cd203770b9d82103c538511384

SHA256
2925b8a77adbf7dde1d608f3eb52fa235490eabbd5d418c8899f37b03b1ea7e1

SHA512
07dc0fb69d66bc351391fcebb82d49a07e6f2d74df4fe84d45de63b5d6a86571be746ad6cc0195bc50d8e21869e2d7bd3509de549fade1416d6638a00e2b8d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\qt\plugins\printsupport\windowsprintersupport.dll

Filesize
71KB

MD5
e33949e542502215fcc6424df0a2a055

SHA1
dcfb137c4e520395bc5ee970e7f607789116e2e7

SHA256
c7771c1f4b4d140d58173a5befa1f32af92f64875d70f6c6eed3d14048710491

SHA512
a3f47357c02d2c2a8be0ac2d7986d14b1386b186f62142c8a457211dc46538a82376194d18bd97990d8d7fe1c2c553b962fa13d704e309efd1a22e7b6ff4f980

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\pl_PL\style.xml

Filesize
3KB

MD5
034f37e6536c1430d55f64168b7e9f05

SHA1
dd08c0ef0d086dfbe59797990a74dab14fc850e2

SHA256
183a140011774d955e9de189e7a1d53cb4128d6abed61c7bfd5994268ee5f384

SHA512
0e1911c882152a4e1059a3ce1880d7fb2aed1e1e36cbd37055de2e2a1333acb2a0233ba2a4d969ccebbef1e77809aa5e78807aa9239545beae8c548c0f8f35c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\product.dat

Filesize
126KB

MD5
a1c9a08df0d89e550a34148bacae06ea

SHA1
67232bd7c610597e0fda0096dacbca2d736ce25b

SHA256
7ee46410e003ba53744d1455f74f68c8867b3b7c6e56dc60eb148589ca44eb85

SHA512
9e545c6d79c0c4edb8d83d8bc8b160da175fbe1043f8d845b7c102c8139b39f70bf3cfa08a6943ac46a820babcd3ea925d59f377bad988d8fbe709878f8a29a0

Download Submit
C:\Users\Admin\AppData\Local\tempinstall.ini

Filesize
387B

MD5
c38481658f9149eba0b9b8fcbcb16708

SHA1
f16a40af74c0a04a331f7833251e3958d033d4da

SHA256
d0d73f49bc21b62fe05c47024d69406a3227da0f6b4ffe237726e6a031f188d2

SHA512
8f98d62f88442b8ef94aa10074e35aa8d9494f3c76ce8b143ca0bf7fa0d917f3175212fbcd6e7b0597fd0ec0e1b2827f157135512fb01c88218d36e2f7dd73ce

Download Submit
C:\Users\Admin\AppData\Local\tempinstall.ini

Filesize
433B

MD5
a9519168ca6299588edf9bd39c10828a

SHA1
9f0635e39d50d15af39f5e2c52ad240a428b5636

SHA256
9e87b2ff306efedf7bf1074749b4602c332bc825aed80721eba19d5f544d2ec3

SHA512
0607eb1f5598320961fbd8ef75beeb1b6dc1af3cae7eeb5ba352f3e2a2edb25e1d9e68fb46c24e4299957352c0c906314c889c2d1092437eccc1d1a0485f3557

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AEG4D1ELFO3UPNATFWMO.temp

Filesize
8KB

MD5
8355d85f7804c55005261a3599874966

SHA1
55179a947f90a0b2fa107cab87c75c654be1cfa5

SHA256
7c6cb84e8d57a7cd924383e6908a4211c4d8ed19c011f39fb784a7187ed951e7

SHA512
b9faa678e56a7209cb3265e855875a3e225b74449b16a2da9500a54e330995e3336cedc2b5b3e10ed5699b0188133693c2d50b379055f3dbe12f4dafa55b07eb

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\cfg\localconfig.data

Filesize
101KB

MD5
c548c9fb698b6cfc66ef3bcd292cf349

SHA1
2ca660a98b0b012aca4df4ff671a259fc184bdb8

SHA256
deb2a2dbb82888248265e501b92be07fd9c1d276c80b12f0ab4e11973b863fa5

SHA512
c027329d3d84b696c3b58e808fd8f714cb8814e066484da72da63190aece9c609c9c40097064af342b76ade25191879faae8d39c2ccbf055ef6150716571baba

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\configs\configure2

Filesize
208B

MD5
9d45ff47ed387cd5f21ee9b6e6eae4e4

SHA1
5b2ba2cd4bc98a45b9c6f8a864536e264f644b66

SHA256
5816c29c5a91ffbc0bc304d38db9ce03e5dcb4fb8d165b1349ccda652f8c24ae

SHA512
db1ee143934f4e867a67de192747b9d447d2da915e0f887e8c39aa3d7ebb8a882064cacddcbb1101be30af3d8661863467beaee4678e727acdb46520eed17052

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\ksomisc\ksomisc_2024_11_19.log

Filesize
5KB

MD5
87073c30fcefb5cfce6a563e37579513

SHA1
4a805a7c40e0d504de68b69668c826d03888b501

SHA256
51690a65565132b56c34c5510d3c5d8f0aac0049267364e226db101d13814352

SHA512
04644c2e81c80f14a11de814a54b590eaecda45fe48ac73aa07c0e52b3d2aa4773a4ea0405887bc5db644fa6a8e244858a5c926ff196536ff76c3d14cd22eac8

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
14KB

MD5
08d941608c3a8f1f79859317230379c8

SHA1
e79a52de92d77a4c3488519ae2b5d457aa07ce59

SHA256
1bd5b0d796e52899eb1d9bffffad7f3738d1be894b81882f45c3c7c51fcd9df8

SHA512
536be893a4c06ceef5c8538b1ae96072cdf384ac51a0d2696fc43326a31f924ecb9e3664e7908a5d380f1cf086809647609e15882572463bf67f25bd407f9231

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
14KB

MD5
7da8042137b750e4a01d06460c41d638

SHA1
0dad0b1ca0563516b19206465e7aa47d1069eed9

SHA256
4e1b422276b4bbefbe6a954546c81c42ffd95be6839470d8a375806fcefcfd8f

SHA512
45412d799d3c91a2fd49e5f17e5c253046531485b728e31e1a201f1dc269758b64da5c0f9c192099e29e15dee10db41ac038a75bde8d4378f6d6fa97d0828d32

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
31KB

MD5
4d4d8bc3d26e99c4731b12f409e9ea50

SHA1
5f062ca67fd442db79670804c765a3c27b10c1b4

SHA256
162120aacfa728a537d38fc6392f6138e3dfb6c1ed6321e5194c41e0e0a0eebb

SHA512
3f6cfb271f81f5e14405157ebf964fd321c6eaf4ad02ec4cf242f95e7543754f37ef8b5317f1638857e06617cf1c4983df90ccdc30e62d7e2e8145be4227da40

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
49KB

MD5
e9423f2d329f1ee16b25242597195669

SHA1
fe210f89c5b7a38a78ee6cebd170101b9c7fdaee

SHA256
9c5e5b1a56433b507393da702d090625017d0cd498756fbf3d1da29d6a9c3df5

SHA512
e4455f3f1143d8deb44505f9f70e44344561792d9af4397a613c43230c098536161958e6b8dc724a095e360f694c69e1514b10734587993d8d79f41872c40a00

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
59KB

MD5
273d5b95e649adf5b1ad9de86e0b6b26

SHA1
9493bc5e0bedc9e65c7aafaa9b75887de8aef16f

SHA256
a8f3022e1b908753a1868aa7a027d9c5f843814af7e67efaab3de46455ee8fb9

SHA512
f7292dadff57c2fc1a2552896ce95738a27fa54be1f81913c1e2988c7b9967a069773ddcd44258a9095e72a4b69bcfb74846ca50148be4c183f41ae4b00a60ab

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef\cache\wpsoffice\Local Storage\leveldb\CURRENT~RFf7867a9.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\kweboperationtab\wpsoffice\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\kweboperationtab\wpsoffice\Network\61def62e-5d74-402b-ac5d-0207a2fd24ee.tmp

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\promebrowser\cookie\Cache\Cache_Data\f_000006

Filesize
104KB

MD5
37dfd524890a310ddea434c71e49bd7a

SHA1
3009d8a56e6d7c8f69163de18fc5e25641152288

SHA256
e4c6142b1e36f89b0d0368a52c4542bae8688cc535aea13d65f3d0f303fa9a2a

SHA512
28bbfb84da9d1daf43435d41efd40a190bc7f5998d1ae1409129f473b80c160bf5f7f84e1c0498e1c979d2609fe0439a0ee2d3c120f6bec2d1d089242b2823fa

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\promebrowser\cookie\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
9e46f5738996821ba17c69279d4fb72a

SHA1
3ca0e661b1ec059ce8a9285e5acfcba10edfe31d

SHA256
b176d0c36f9ddc796cacb3ae9b97ea6a1d6d74a9e56201e391b81b4cc61d0a89

SHA512
17676f1887b3bb367f9c816c54e67fca108e4b45f48d21c0f612152571c912a702c5bd2647422f5b6bdad2269faf8766f2e95f24a1dd658304729c70c9f1e8f4

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\promebrowser\cookie\Local Storage\leveldb\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\promebrowser\cookie\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.18911\chromeguide\plugin.plg

Filesize
728B

MD5
266f5e7165bdc893f6d928ad939952a6

SHA1
d3d09ed43fbaab5fe5e83934a088eaa1ca5bf0ce

SHA256
36edaf6800e9839d7bd5cf429776b1f6fe8c78380ba4d78d509145e02c395b08

SHA512
919b8894b14c86bdf64ec224827ce83a817b5d191fbd72f8d6991c018c13881722786be371f1ebd3a09d686a1643802b147e2e51d30fdce4d0cdd8009af9b0bc

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.18911\et\plugin.plg

Filesize
15KB

MD5
81364ca54bd89d4eb82f7829c4f709f4

SHA1
651e23b05da83934aa8c162b66da7f1dc70e0352

SHA256
3d22f4dc710db86e3b27b25d676ce4305c4df23f3642b10871e346858bdc879b

SHA512
2ee8d72052687e144b05ea48541f2258692240bed03a3691a40297c29d8bb979de5583225ee860cf63accf32365fbbf1153a54d573026c2a3ff93489490f8a48

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.18911\kappframework\plugin.plg

Filesize
3KB

MD5
3a1499c4e1b3f83eda802451ad7b7270

SHA1
9905ba12cc68bfab316cf96cd4e34ac5ce66c410

SHA256
0425efb16d52dec5f25522db4d8e84de94d21e9c50eb3c1b480f320c25f907f4

SHA512
1c57280eee5d352e4c20f6eb11cd5f96f949ad4cd5e7b7bc52c4273bcea9219de0f54c47d66c773a8225f6ffe46ceb77fd07256a4b4e52c043c20380bcc991f5

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.18911\pdf2word\plugin.plg

Filesize
744B

MD5
04a7efb2bdb11d9219eb296521bff388

SHA1
358d57411fa9cb81e1c34a263bb5068d484e3a48

SHA256
e85765442527f49f3db4dc38c665021e2e9f288f87ce1fb68e0fa52f1945aa7f

SHA512
668ea0960b32987e33a6a47b3b11c0332e8b5a903f2e3bf5e13670a0104315af7082dc791673632aaefd9edd9b8e748316052c55c3bf79fd7f890460e19fafdf

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.18911\pdf\plugin.plg

Filesize
8KB

MD5
1eda84f2868ddd30ae6932f771d0fd3b

SHA1
2ca00f487c6c4601c5be75574fd04db83ef96b27

SHA256
299beee5e59741c35b18ef563eb3f2d450f8ad04e01099a2afe038a13726609b

SHA512
b21920c0ddaa0026cbc7736676042a52ba602febdaa58245318dfd0912b8f323475b405fe6c8374b17ba51a27fd3d5689652873157478dfcd9e69d94359b5b1d

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.18911\photo\plugin.plg

Filesize
4KB

MD5
5f97feebfc5fb31e33ed460629bb3cd0

SHA1
295ec37a86ec626089ae1a852b8cd8e3893fad6c

SHA256
d99cc12d5bce29d5e37384c277cbbd6d219def550f2d572803ed75b8375379b6

SHA512
5cfdf6db0cda4b5b5b750af57df1f8ba4fd0e58eb9f9faf357de0aa56e1c598d78eddfbf4288e00be65d1b08ff4c6885a66f1371f82a65c271b3d502f363101a

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.18911\plgpack.plgx

Filesize
6KB

MD5
2cbcd7e7cc9515126a0ae9be2933dfcc

SHA1
46c14e228df42fad345cf7514214a0d8b6206d92

SHA256
e0c184f4d33a1823ef443c62f0b2346f8f89ba780c8cdc458ee5672f52fb20a4

SHA512
c52f70a48d8695dc7619f86a9dc97598dece12894f544bc64f2ddac492ae2c19ae3a5122d70f0b750da840b2aacee4605d62c74ea368cc23a1a033e1b5d8a4cd

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.18911\qing\plugin.plg

Filesize
8KB

MD5
770bd3bf8ed345d1e4fbf150c08640ef

SHA1
4bc0e3d204aa6cbbd630f14dc9c3bdbed6901061

SHA256
a796311a14795c3625baf996eb386d8b28765df7a848f5a1498182835a11bec6

SHA512
13048df6b6e6ed834f6eb89292851743c83d313338a0fc86b680615cf5ab632de7347eabd291928b4e0d14cefb4b3adfa7088d1380a3844af24d87750ab046e2

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.18911\wpp\plugin.plg

Filesize
16KB

MD5
82cc490d44114dda08a888e87f41c8f1

SHA1
596bd3c25d6ad06da7083fba18bf4c50732c4eb0

SHA256
e4c48de0472cd1b5a741cb15f741e7b22148b12c111201300ef5fbe62cb0f66e

SHA512
05865474b7960f13e5ff290d487e4a643a18a64246f8c8661af04960076403df0c3fd7c3a3dd705ef2a4115e25f310f0ee8c535faef8f18a93905bc9593ee851

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.18911\wps\plugin.plg

Filesize
16KB

MD5
bdd8c3934488939c56f085e23cce2608

SHA1
cddaf2a460ab4b69515779962418dad830d21db0

SHA256
ddde4fbd803e5da0059bd9f57887f80945044d386c78ded9b405927b7e684c73

SHA512
73945f5ca5e95f91268f04ae2b6aa5feb3187a5798157bd1f2560c421665dfe7a297096c239aa3ee017d7d934b16fdc3f11ee9a76db27600a2ba25605cbc33ce

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.18911\wpsbox\plugin.plg

Filesize
776B

MD5
a1097a1b6e56daade6735b33a43a4dec

SHA1
8204f4c6dc378cf14b6a1be58b7f9e153599d9c7

SHA256
e93823f30b04a8a9273173d01d3347269642fe6b7cc165b176b55c20fea36f3e

SHA512
d13e6bbc4f7e2c58b6dcb24b2f12be574edc1809c1e86c50ad5650ff3090b7c67617c0ba0bea5edd9f9b8cdf988dd8e175d13be66c646848f450756e2ec5a5be

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.18911\wpsoffice\plugin.plg

Filesize
8KB

MD5
185bdd05b0b58e4f5789a291e63ccb0a

SHA1
48abc8151c40906b62cae435e65271e73c7d3d15

SHA256
5f00070b209c594d31bba708e1fd6e471474ece16a8e8b2945ed8afda32dd677

SHA512
464849316b42b1ed0bd215a91ef67dc6ffefae5c9d7e1b3852bdaf2918c15345c502c2c3f9aa74f274cab846fbd67dbc1f88f1866a0c6e8820c14f1be520af34

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\chromehost_1.0.2024.67\chromelauncher.exe

Filesize
107KB

MD5
2eda531e451bed15790dbeec759dadba

SHA1
45acb533eb7d9dc88a81d0c282af058908397e37

SHA256
1c9d5209c70720c2629d59e5a8ac50f6c79f64fd5d9a916cf18f08612cd6c143

SHA512
3e8a77327ccb5d357b153ce2fa14f2fdc18460e278ab5d746ec7d8d5bc804400efad8ee9755ee9b6a5ea10a0b9030b956ea6b6d8d3cfb3d6f56d81275a15c5f8

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\chromehost_1.0.2024.67\download.7z

Filesize
2.2MB

MD5
5fb168447ccce6339daf768ca18713a8

SHA1
fc8e642a062ad9432c69f3c31fd87bab70b6358d

SHA256
34ddd03527a25cf483764612f708d2601b4531a63a47d98f66ba7679fac9e80d

SHA512
86507e9e29be0148b88a041f98d47a757c4996fc64336aa1371820008fb1b3039021724dcf2ff31de24cc0ffe4a1ff2efb286cba22ae818f090c20163a4ed847

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\chromehost_1.0.2024.67\run.ini

Filesize
443B

MD5
4e1aecfb8f941521e3a16cbbcf1e3418

SHA1
d61831a61049424ce80f5076e91be965d764e32e

SHA256
bbc30b97c2d501333061f4f77439a2da8e8454b8cf5602467af260c9bebb6b18

SHA512
ee74b3eba02b80ca9032d1c1afc5b436031e57ac4a7a52924185b2c8eabae81f3309a089fb9f23864b43363d9d3587a7338da2c4e1c33991d5648ec361c9a9ef

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kaifeaturesmanager_1.0.2024.7\download.7z

Filesize
79KB

MD5
6c89afe39ee5eecf2d4878c845bdb51d

SHA1
db5beac5106488c5a786bffe8df2230fee1f8d7f

SHA256
d25544bcb4c0b01024dfa10d4f1e2fa6c8bc1c353b502dc39e11151410b6ed1d

SHA512
55930a40727489fa83c9d6471a95ad839ecc068ea31debe01489e16854bd5fe323e7904445a5233adf16c270cd719927393f4f951406d6665f624d3a67e5ff32

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kcopilotentry_1.0.2024.14\download.7z

Filesize
168KB

MD5
5ccc874292110eaa08b17c30a7411678

SHA1
d8fe3570f7760b6cbaad74c3c1c886aea96516be

SHA256
f5ff4b734a78eddd128007277cccf8a1be8217bcd29ee36e01499b0c16a6995b

SHA512
32decb664c324c5b5076177272766bfe64524ebe6086d1025b09ef3a3c4d7199da930f4af2435e7f8106a0f3dc9d255db6ad8be24eaff7fccfd5d2e4beca326b

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kcopilotentrylite_1.0.2024.2\download.7z

Filesize
431KB

MD5
ea004cc4318b7494e456a151d4d1ae69

SHA1
ac2d8f794adab65186f1a38ec618655ace2fe447

SHA256
2494391a350d6a84d5068646ae7965d492473b89afc6b6105aa86d91e6ab3699

SHA512
6c53a9bb405a9e21730f8e8b641bcb49cd91075672ddc1055ed7d7d6d4f7805e4186d597b7a2117bab11e6c01ab1526542433a367a69a2d95c83d6d04d822615

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdiagnostictool_1.1.2022.172\download.7z

Filesize
318KB

MD5
4eba9776ecb456532cddd01a338f7423

SHA1
7f4fdf8386e1719e6f1c5e6b7ae0239aeec64057

SHA256
438c6a1377a3216a2c50c598e34ab3d60284b6ba0533f5a0eebcc33e2b3e86b4

SHA512
23daec7964953e949f523882905a4c6a9815bbb62fdea3407d741bbd4b97ded074ab8297922bf862519c7f1ba892b4e096711362d74ef434f37cf84193218ba0

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdiagnostictool_1.1.2022.172\mui\es_MX\kdiagnostictool.qm

Filesize
3KB

MD5
5afc7d8ba894df59c2b3f44726cfc2db

SHA1
a21a7a8fd943455fa47cc5d950603bf1bc5a145a

SHA256
4824e414e29358d0011ad1195059bda195a90cedfbd4c0f07f8cdeb0e84dc2be

SHA512
a9a040e0f3555f61094b42202581a262d29377d414dc6a87596a2bbe4daea8fa3bf2eb10ac52fa6d94a522d54f404e247ee7b272cb41acda898ed6734c8ed639

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdiagnostictool_1.1.2022.172\mui\fr_FR\kdiagnostictool.qm

Filesize
3KB

MD5
62f3720e184f094c874fe0eab7f0f598

SHA1
cdd858a80bbd1268e7c5278ebe19c35659871d2b

SHA256
bdf3b27cc070b3cd9deb9a5e2bea450382d6851723c266eb0d5f3db4798f5a14

SHA512
14f532053b0272fe0c614de9b56bfd9ac85aee11e878e099531250b00f667d2428789e81b5ded64cbe51dc8e3e8e19d7cea8dc08314b1c0274de15fca17b92b6

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdocreminder_1.1.2021.190\download.7z

Filesize
144KB

MD5
2a8407b597b246bb5b4038709d45900d

SHA1
3ea5b7cc094606c207d02e51988cabc73ad99da8

SHA256
1b4af117f1b5e2f1aba0744a7a10db1dbb800aca376a8cb157f35b8ad3246658

SHA512
93ae271efe74377fe3dc98bb1508780d4d5f7059156eed535b821cdb843dd53b5e0f6f09ed8884c6badbc09c57d9a029dd8dacdecbc909bd5f3c4a85aa2ce9fd

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdocreminder_1.1.2021.190\run.ini

Filesize
292B

MD5
da4b75c3d70c08be415e7b25abdc11cf

SHA1
c84dfbb528a3c8ce94d068dfc5fbdf7d621d0225

SHA256
e93c62beee030970bf56bf0a3aa372ab0b155c1c3436173617c8c735024e8f36

SHA512
0fa811055deed42a6cbc0f16f93da173718f4169ebf8d4ea125276c6225ba033c7644a68ee010250379b67a057e17e5cba6351deca067850ab318c505f49e491

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kguidestartuppane_xa_1.0.2024.16\download.7z

Filesize
1.4MB

MD5
ccceeaf73b49365309316cf11248f966

SHA1
b51547425c5dca5eae4380b4f9bcdc3ab4386aa8

SHA256
110df7b773e9dda8846000ad032c04ed7ff6793c335873883b71cd8a8e26939c

SHA512
e70859071a419e4ff85ef25e51a624074a9c7a38d1688012743f8612537f69238f5188df994a7e3e422862cb8e15140fe5114e7a014974ec7fe06b05c5cff7c1

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kguidestartuppane_xa_1.0.2024.16\mui\default\html\img\loading.svg

Filesize
1KB

MD5
544223e85768fd134633a1af9d5bf536

SHA1
5536a0023ddbfb2ab67e9ad8ca4d38c60f413b9a

SHA256
a3df9710c7e09fd8cffc14bfe45f5a1576deb1846ced44e5050b34caf5527049

SHA512
a5cacba054d41af8efd607074c02f36ab731b5d6bc9ffd3bd7ce6b09a4af09b31e29359eb965728d2a00849467b1af66e16186a0c07b4415b3b423a5ea4f68ca

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kguidestartuppane_xa_1.0.2024.16\mui\default\icons_svg.data

Filesize
39KB

MD5
8e1774c0fe66f4bef544d36308637bf8

SHA1
222b2f630a0a6f6f150a9b5c477e438997e8d797

SHA256
77453126b08738d939f4a9460b9a652d4402981854afe8e9e2666533dc45f9f1

SHA512
7457c4853f80b08f0f87cf7ac8cd7e0326ff58759ef7d6c6a364609050b8a82440426d3b18e5db55d8886f862bbed17ed1e85b20cb48603d533a89c0b3f3cd00

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kguidestartuppane_xa_1.0.2024.16\mui\default\shortlink\css\app.css

Filesize
1KB

MD5
83a68c2c85c5f145ecaa9413c88691b6

SHA1
d1a020800bef51b4d43c676c0e88ebafeb9c8d1b

SHA256
a8c3bd7978e4a42ef7d926c3caf2365847e92abb091e7c11ed36614138c5730c

SHA512
58fbd9db0f79f477d80924df69239aa232ee6377ee3a63c2568b4c90c333312b6a3169d7b6c3a01dd805aaeaf1cae04c7c762e0e592db1d20d74c94f5a150ab7

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kguidestartuppane_xa_1.0.2024.16\mui\default\shortlink\css\homePage.css

Filesize
580B

MD5
e2c45fcd2c69df9f496b2bbb22c6d48e

SHA1
84afcc60b11cea137a017ad0ae114e9e32527619

SHA256
ba665f18d5d56cd4f1d8019a7de6c5eaea80536a42f94cf3446fef497ba30069

SHA512
fe5833016458ccee93165a02e782397f67b0f8abaaf4fd620146470077a2bb7700eb7af50d75d787662649b65eb6a879c55737df37d1818cac0ae2635ca5ab74

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kguidestartuppane_xa_1.0.2024.16\mui\default\shortlink\css\multiPage.css

Filesize
2KB

MD5
c7740e680ae5b57982d15ab38e10afdb

SHA1
526ab869fea8e88ff8231c2b866a0c73dc7d0e38

SHA256
961ab1402d1a5746b2394b7e032c6ba9a3db6c7bcf531dcbb5202a37a8f0e2f9

SHA512
ef353c60ca54ad0b2a5df02d4b18a593a97c7542090a0bcd5db3681f68f4884f0d7990a250c9ca3200cca7fcb281b16dc61ceb73eff712fe53a4c6186f66b7c4

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kguidestartuppane_xa_1.0.2024.16\mui\default\shortlink\img\icon-close.svg

Filesize
685B

MD5
443ad49f8d1fa9e366534b547c321cc1

SHA1
0d6be081ca866642fc0807d1c1f661fdeaa7a580

SHA256
c4bcd8b8845597087720fd45ec897b059c14d7d334d6ac2e24d896fd74c39ec1

SHA512
7e5b42eeb96b0362b4612b082f33f855ec1e705ab97ce446086a7f6a9efece5ab9b1aa8b3b02d4a35390399ba3a7313c745be39c0d56289c39ada0b65045ff68

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kguidestartuppane_xa_1.0.2024.16\mui\default\shortlink\img\loading.gif

Filesize
114KB

MD5
c1f84a35bab3b188f418ac182a4c1925

SHA1
1cfed637d9b8c29aaf283c4cc9c3a7ad5c473d54

SHA256
82d8414b3b6cc2eec424bb3467a0e2d5c7b29bd98051e2adc4c86b071c2059b2

SHA512
efb5073f04681970c0b4e75b8cf903360f7d4efdb206fcc7675113e2ab1d35eb1d009a458b20de07ff11c6b1bc928a87a8873cb8c340cf88308c1b778222305a

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kguidestartuppane_xa_1.0.2024.16\mui\default\shortlink\index.html

Filesize
1KB

MD5
285a619384633f9b076a9fcf9ca08703

SHA1
fa0293ecb1adc619e3250bcc039cfdadf7903209

SHA256
340a2528177d7cdbbd4f248823fe3910a1c1c1667ed905a27ba384fd403badff

SHA512
a54ac06f88d497357a6b5b44e13e379b4529dbe70f4bc8771e9579ff7b818af633c9bd3eb73c8159c2aa34a71d7098fd4741b4f719fa2b63b7decd30aac53c6d

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kguidestartuppane_xa_1.0.2024.16\mui\default\shortlink\js\app.js

Filesize
15KB

MD5
fb0254176a3f42531833fa896a153910

SHA1
04f5bd747bd5fc3e7cfde37a68e894b6e30ec03b

SHA256
55b140d74928a11af5051bdb2ab7594882f1e19f16d1fdeefeb97111d7d8aac8

SHA512
040b2f60cfce11a72ca176bc0b16d3b2894fe572d7c151a4787a1f0b58dd6319d31cec0b0db336d99e249607ac5895697fcadcfd8d7ef5dc3fc66db2041b0491

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kguidestartuppane_xa_1.0.2024.16\mui\default\shortlink\js\chunk-vendors.js

Filesize
327KB

MD5
c13bf6372076e369fd2bca6aaa2791a5

SHA1
37105d1cd19f1dc2057dbdc2db29fa86c7b93be6

SHA256
240cae849357b5643038e2b7eb9542659299747df9017ac2467e602a2e38f911

SHA512
236b855b49fe492f89d4df199912181be57959f43458d04f24b1bb41f53f67819c1d8e8b03cea084666cc6f57887bebad3371abc8856588236a12cdbee464e6e

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kguidestartuppane_xa_1.0.2024.16\mui\default\shortlink\js\homePage.js

Filesize
3KB

MD5
d18f2f15b5e4f2f7747fdf7c9277c260

SHA1
bb3b085836b50dcf9d6ebb745c79db0751ca5832

SHA256
e3876bd3c6ba9783efc57cf65760cf36d73b4ec8dd15f913b404f274fca76f05

SHA512
869f0135e73b460b9f28700d086efb2cff998186e5c8aa6f015a1f67332e52bc1fbcf6ea1abf20b353899a6c1e91d69a8419befb2be454d650827135fe9303b1

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kguidestartuppane_xa_1.0.2024.16\mui\default\shortlink\js\multiPage.js

Filesize
48KB

MD5
d592f77577638144a3f3d1069e3c4fde

SHA1
175ac25b546142b37234bd327bb40882fe99e784

SHA256
c3785be984f4b336f6aed38debec4b66039156290a93e0015043178f194543a1

SHA512
890934ddfd41ee1bdf769670e4078ec5bc2fe0e1b11ee721efcb3bd635b6cfe6729c14b067db0f4f766e08fe3cec835da0da13085fd089991f6875851d86364c

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kheaderupgradenotice_1.1.2024.32\download.7z

Filesize
277KB

MD5
6091bd82cf8ebcbdf551a812077e9149

SHA1
dd9fb66db29f19e17950dfb73885bd0d70669e3c

SHA256
0853a3f8b9b3a76269ba64edb80c7ca8cb0de5f683fdbce7f32f57eee63efb7b

SHA512
a3155caf789e026eea3fa3140160d4ee6027b16ecb0b7075a7939a4fde49d37c03cac9f61ec195044593c279d6ab4e1fdd0c90a7ddbd30bbb885269f4896144c

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kheaderupgradenotice_1.1.2024.32\res\static\js\manifest.js

Filesize
800B

MD5
8def9f056a8244b677dbd42be7bfc987

SHA1
460f4946c829d43aea3d731b2fc2babb81ed4b71

SHA256
77b87f2e8468b07df6dcb7c12fe7cedc619153bb8489b20e12fb5092136cc948

SHA512
2d00b432a7b8f2245f600dac1a90052e6baae8e89c5766015d65120917d94c8cfe3684f86c2f5a3af4af31d635c081fe714c2a1ec6873801edd0793ebb4eb918

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kmessagepushcenter_1.0.2024.12\download.7z

Filesize
72KB

MD5
dd775f6fdbfb9627196a5b1af9532a62

SHA1
45f6076bba397e8412d89156670512121022be55

SHA256
8581af2a8acb1a7fc7aa57f97e57c110345fe643d06e2419b88fe4cd9e052e44

SHA512
4713d0b62653086831125f6380baafc78eed14249bcf9971d1e4581a34ab179ba1285907d2489c4cd7a8cbf014e311655212e9a4b7573a7952c09e9feab816ff

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kmessagepushcenter_1.0.2024.12\run.ini

Filesize
322B

MD5
329e569b9371da4371c8cf0d0a4ba8d1

SHA1
1a8065c062d2a7dcf27db3d44b39044c230cff9d

SHA256
7c61ebc61f25a91be8271e8ce07cd80132335a66785c4b5070f66bf8d69bdab1

SHA512
687d815a44fbec7b9f25325b0fec44a655b020c9c03cb87263cf3290e756066b40d216dbce92c2930401aaaf021b3ecfdb54534b4ae6d5da21a3343029aea675

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\knewstylewebwidget_1.0.2024.48\download.7z

Filesize
29KB

MD5
6575b3628efa9620d0b12150f75cda3a

SHA1
9970cf91a608a24d0044bf685f123e2b82bbdcd8

SHA256
afd96d761b2d23ef92269526de97a723502b7308459c73585c8e427ba6e4bb51

SHA512
2a98899426e7c17e7de136a9bfd01b2c231b0692f3b746e394b42db67111a135bf5ba70029fdafac3d65b5d0fc853f80d042f89e4d72366d93f7b7c69616e317

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.31\download.7z

Filesize
2.7MB

MD5
75145eb8a77c9518ed5da72aa0072080

SHA1
e69407bd35cf84da059af78841043a95c51e4554

SHA256
93aaf542222d8bbb75d203be23c7842cf441f9df9a2a31c10db81088cef75187

SHA512
2bdd900b39bba56bfe68015436d302393abf35cf54aa567647c1a217318aeb3ee804acd5c6093731dbf9d124f85d7fd76ac40f8b75d18f92a4521a4f78d37a4f

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.31\resource\premiumcode\element-icons.ttf

Filesize
54KB

MD5
732389ded34cb9c52dd88271f1345af9

SHA1
8058fc55ef8432832d0b3033680c73702562de0f

SHA256
a30f5b3ba6a48822eae041e0ca5412a289125e4ba661d047dae565ac43b4a6b2

SHA512
e8971ae48f5287d252f5b0a2d0516091bef0d2febf7d01fd7b435e426d106fea251037439ec42c2937e934b66f38e5eb43d00a213cdf334f482f4a06b1817f9c

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.31\resource\premiumcode\element-icons.woff

Filesize
27KB

MD5
535877f50039c0cb49a6196a5b7517cd

SHA1
0000c4e27d38f9f8bbe4e58b5ce2477e589507a7

SHA256
ab40a58972be2ceab32e7e35dab3131b959aae63835d7bda1a79ae51f9a73c17

SHA512
da269b20f13fb5b0bb4628b75ec29e69bb2d36999e94b61a846cb58db679287a13d0aa38cdf64b2893558d183c4cc5df8da770e5a5b2a3288622cd4bd0e1c87b

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\krpt_1.0.0.107\download.7z

Filesize
703B

MD5
0edafbd62638a75ae8b4debc9fd0b3db

SHA1
814e953384ee2771bfcde0584b0f6f5691217ede

SHA256
3332953a07daf624094590bc8d2bf9d4ff1ec12c53a43a7310efa11c7cfb71e8

SHA512
ab42c6b7922f7137779417bdb5246ff660133f8d566a54fd067ecf787d27ffaee1d65704a4b9574a6fffede9b497b93638f558ff2689d375017d5b074ec88120

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kscreengrabapp_1.0.2020.247\download.7z

Filesize
22KB

MD5
af7cde4657b32a0058f659dfafacf4ca

SHA1
fe27cdda3c9b68bb74232271fe42d4018f1ab612

SHA256
2b27b65dd5127e1e0a981bedb3a9378015e6280f0a2746175e58a46dd35af6c5

SHA512
7dc51d1e05d4162810ee53246f756132c32c2c59a0ecd24d77048086e7dda89cb0af0ee8f864689e7c15647040867461bd1cd07055755ad570fae38d9da129bb

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kweboperationtab_1.1.2024.1\download.7z

Filesize
19KB

MD5
4a30eb0cdcbf96f908b6f11c170e1e2f

SHA1
4cafaae0245cf2e80acb38ba491ddc8429156f9c

SHA256
0813dfe0633730732166c259a0c23cba7f6b7e0444d3fc3d64cd4258c5b33d51

SHA512
f9a3d57be5598b03c4e6abbd33ec5b75ca81068d8c5dfe29a79b98507a0fe464093c4ff97dd583a971fcfddae28f0da1aef23591e9721e94ccfade11af5d081c

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kweboperationtab_1.1.2024.1\run.ini

Filesize
173B

MD5
765c422cea53cab2f5bdd7954e220686

SHA1
28fa977b2c4c8700a136870f77dc5d9cd6b42be1

SHA256
fca39bfd9b191988ebaaa0061c425f27e791658e978720295e924eaac41d3a39

SHA512
3df888be78b24cc0329215e85f5d8ce9bba68bc5dcb103139b0a7765aa28c7e7470b3fa6a681c8ea2d0ba6551a3c29ef9ab85d7d733c5f16ea89ccad6794abdb

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kwpsbubble_1.0.2024.61\download.7z

Filesize
66KB

MD5
70aef169a3db443b7dba7deae20c6184

SHA1
c955b7bcae21dac053d368c103cb6a0829dd0671

SHA256
06b0be6f216189e0a1a0c542eb8355dcd79a93ec714bb52e2e06275556bb7038

SHA512
62dafcf667c15ae021e5a37799836c60ce1dc79cac7c20de3ddc68909e08119d2f62bef539c018b7db75e0be9c202bc4d4db70c2dcf5dd41a58eac43c7f78a91

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kwpsbubble_1.0.2024.61\run.ini

Filesize
311B

MD5
236e5baf01686e858f69fca4cabf90cf

SHA1
5247a8fe0e59ead62affd63a9f8e9c4f13f05def

SHA256
226e9b2204745d5b685d0d22a6a3eed8b7f2374d0aeee799f4320cb500235df3

SHA512
ad3b13639da06cd30ff18e3c4cf2b5a470d28fd63ab8ea84a50c10ff5b4cd0a7d8a6344c5e3a501a8f5da351a5164326b157a1bfa742c1a65ccf3972c3814854

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\pdfwspv_1.0.2024.51\download.7z

Filesize
5.6MB

MD5
403868cfd7730f90c1248f1df89eed39

SHA1
1e01c026bd52b056b64d480fb164dbdf168ead69

SHA256
a2bd2e0c97e14aaacfe09172dacd5a6bb38ac9046c521cf7059b73c23cc34ed5

SHA512
51808a90494c0d4241222602d2b2fa809d461479528e3448af5f23265b00a3196c07af00c30b3171d70e503138e95f04fabfce9f07977f0e6b909af58dfc8065

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\pdfwspv_1.0.2024.51\pdfwspv.dll

Filesize
414KB

MD5
708dd512884713bc348fcd752d064dfa

SHA1
d4e169cecf0745968b6e9967d662e254753df261

SHA256
920a190e59e2e2aebdfee4c697385bf0967738457fba1b408b9abb97c7bf0828

SHA512
5a7ffe782b52ed6da5f062246eb60785bc6a6fda8880d184c056f48c965ef45e41e717d29692cee5994d5f33fb37618b7a169b1a52760bfd835fa5e5c3a3dfa7

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\pdfwspvreg_1.0.2024.51\download.7z

Filesize
21KB

MD5
9fe8e793eaa059abeca4b5b276109183

SHA1
ead5ee371ae38c6a2c1f7958cd422c258735ea40

SHA256
bf4a4a71b47999de8af088581ae4c87a0c7ade7e643cb503f83bc7bde8c2e6a6

SHA512
5427dbbb8037e84d37c31bec57ab3804da15f3303fdab38b184022c206075e4ff004cefed981128c6382a0a98e8dfc6c60fd7ed190bb327cc222837745402148

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\pdfwspvreg_1.0.2024.51\pdfwspvreg.dll

Filesize
51KB

MD5
913c1b9663d3eaac1fe37b6918a8af94

SHA1
0f6e4815e0a57dec21797ecb6e428c5e50825e2d

SHA256
9c897a8c5572fbd35640cc4c46b807e33bf8f351785667875795bf337d2843fa

SHA512
a66ceab2bd86f64397efdbf1888ab4f30971c33d07d202a4b68c940cf3e66f69d79bed7969bb9db1719fafc03ae1089e89bac1b30d829dcf1fead17bf0d51fcd

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\pdfwspvreg_1.0.2024.51\run.ini

Filesize
253B

MD5
0d914e316c8fc542e5685b1598899979

SHA1
52e575fc0c66b60cd79d29ae4486944cf06995b0

SHA256
484e6146403c96eaeead06a97a8ed86d67334a9185bf009a44f7b1cbe5402e2a

SHA512
77ca461895bc65f31dd8fc5182dbed383804b4d3315e210bf65195776510bf9c09c11d87589796ec1bd272f67762e5ba28be4d64b8a58f2577cb6da79dbd7319

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\photo_1.1.2024.29\download.7z

Filesize
7.9MB

MD5
597e5378c44b7fb3acc12a28ca4b1e02

SHA1
b7956405a90d41d04b19e22e363faf617ad2a7e6

SHA256
dc9f06dd3d5656e3bc9131e9bc6bf7f5377e1cacc59a048a0c0af1e844bdf96a

SHA512
2df3098b6cf0ba6e10959f585f5ae0dd4eba44132bcf49c2a0b5f35ec86c2dffc440588f3028c276156d528c649c1617c7484e0310f378a79615957dd2d9d8c4

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\photo_1.1.2024.29\mui\html_loginmenu\run.ini

Filesize
303B

MD5
c646b8698a216d20e84200150b24eb0f

SHA1
d6c9929f7197d6d9a7406df5ea28f04d36fb0ed4

SHA256
9378a1ea8baddf207fa68aff55acf14f68e348c6dba6bc800e25da37b84a740f

SHA512
8c2e63b2bac753a285ee0181cb8fd3e27e21771fc3ce9a28f158b43dd1c377945fda17652bc742b30e573cfd45660db642e68db49680bb812d9df1eeb9b2656e

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\wpsbox_1.1.2020.262\download.7z

Filesize
578KB

MD5
daabceb5846c4b13dd47646ea9ac897d

SHA1
37957b95a68d4aaf9ff3ea7c29c96cdd76bd9e8b

SHA256
0a252ee74273b012c91e9fe38e7b370d6d101a8dd5bfacf15f526b53c561acf1

SHA512
6e25acfc133ee00f859310e792e75c58966b23662c4f6a30562949b26fcdaf923d689efc7c558f45d45bb7125096d040a14a9166dcf3a727f7590f7b4ec2b81a

Download Submit
\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.18911\office6\Qt5NetworkKso.dll

Filesize
1.1MB

MD5
3517cd41fb70e3ba9fd8b5f4d2050853

SHA1
621a79d4d0d48e0c9390039e4e745dfca04624c6

SHA256
0b957236f4938e539f6d02a2cb09fe9976a9ecfe3fb28316d53c80bb4bc3bdea

SHA512
4b921eea49a03208a110daaadf5dd9d28eef39fce4d430e29340061ccfdf1cb58d2b98a7e2fd18a1109210a5ee6314f12db28247f30dab97c73e6f2458ec26fd

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\Qt5CoreKso.dll

Filesize
5.0MB

MD5
be2ef211c831fb6057caea927056563a

SHA1
fb0d2a7ed624398809bb0ddd8a8ea022556c9245

SHA256
c0c759f9e1a025b9357142f636a6762b81dc56ef11ea7a8642c431a9ae67eb0e

SHA512
2eebb10862065a25cb9210736be5b7de418eaa07e55ea7b2fb6150856cb72c55ab19bbefc7c49ec506f15358b19b18566f97ea17a554db0ecd70d4f998ebe64a

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\Qt5GuiKso.dll

Filesize
5.3MB

MD5
303f5d0170ada52c5b90d889ab81595f

SHA1
e7a80ed76e6a0c7c779b87ca5f34fdf67652992e

SHA256
41c9c40a5e362993e90168af9a919386189024f54aa33baf506f2fd8ece056a0

SHA512
123621ffe29a8297d6488d69ccc1b25e85b44b3f2bf24dd56e06008061fc2c7591870c4c5d8223d3131be73bc577ca9c54c41adeb7a0284c5d7d663f7edb9648

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\Qt5SvgKso.dll

Filesize
392KB

MD5
5eea7061167c573184a66957e3f0ae1c

SHA1
55c560ea8991340838271e06b43a0cf6238cb72a

SHA256
9d946bea1e14917886477b5b052751a6b2395cd5912f6028ff042b8375b004fd

SHA512
bd789597f6c5e58d258c81e2244e1ec7aa032ba7f6beb414a6b26064deb73008e3abe63a46d542a8775c3909ab305b481e240cb6a4f234da2d27e8f514cf5bce

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\Qt5WidgetsKso.dll

Filesize
4.5MB

MD5
820ecc5e5d19efa87c517649e39ff9d8

SHA1
85a4adb69bfdadb2102e1a8d2e46cb012dfa2cc6

SHA256
74abf4186c624953639686cf18f43b3c2384e3a88566e50a7e10deab97e20684

SHA512
b350e00c64b44ae85f824294c29876ebd9a9609cb07856a425fc4bbeb233cf24c151b12d19c1842929f6590837d1bffbc41f2b32d049aecc948b708e157c9438

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\Qt5WinExtrasKso.dll

Filesize
217KB

MD5
9d9a978a5afb92e59ab1fdbeffae0365

SHA1
035a45474fdfa885b323a7149d606a646e1f6726

SHA256
d4a4a3fcd8b4d23cc1ced0d818f01d869a28d4e2cb1d11a4ea64cc63cb38333f

SHA512
c4c090ffe2fd9dc3ef02389814a23fd27ff76ad0bb3ebc6c9c7422fbbc51bd7cfc049fcbdbad89737f96887be90e09a4aeeb7bac48098cf398f588d53a25e7b4

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
cd3cec3d65ae62fdf044f720245f29c0

SHA1
c4643779a0f0f377323503f2db8d2e4d74c738ca

SHA256
676a6da661e0c02e72bea510f5a48cae71fdc4da0b1b089c24bff87651ec0141

SHA512
aca1029497c5a9d26ee09810639278eb17b8fd11b15c9017c8b578fced29cef56f172750c4cc2b0d1ebf8683d29e15de52a6951fb23d78712e31ddcb41776b0f

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\api-ms-win-core-file-l2-1-0.dll

Filesize
10KB

MD5
b181124928d8eb7b6caa0c2c759155cb

SHA1
1aadbbd43eff2df7bab51c6f3bda2eb2623b281a

SHA256
24ea638dfa9f40e2f395e26e36d308db2ab25ed1baa5c796ac2c560ad4c89d77

SHA512
2a43bf4d50d47924374cde689be24799c4e1c132c0bc981f5109952d3322e91dd5a9352b53bb55ca79a6ea92e2c387e87c064b9d8c8f519b77fff973d752dc8f

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
21519f4d5f1fea53532a0b152910ef8b

SHA1
7833ac2c20263c8be42f67151f9234eb8e4a5515

SHA256
5fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1

SHA512
97211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
b5c8334a10b191031769d5de01df9459

SHA1
83a8fcc777c7e8c42fa4c59ee627baf6cbed1969

SHA256
6c27ac0542281649ec8638602fbc24f246424ba550564fc7b290b683f79e712d

SHA512
59e53c515dfa2cd96182ca6539ed0ea2ebb01f5991beb08166d1fc53576aeaafebbb2c5ee0ccbdab60ae45fc6a048fff0b5e1b8c9c26907791d31fb7e75b1f39

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
86421619dad87870e5f3cc0beb1f7963

SHA1
2f0fe3eb94fa90577846d49c03c4fd08ef9d3fb2

SHA256
64eccd818f6ffc13f57a2ec5ca358b401ffbb1ca13b0c523d479ef5ee9eb44ab

SHA512
dbce9904dd5a403a5a69e528ee1179cc5faab1361715a29b1a0de0cd33ad3ae9c9d5620dafb161fda86cb27909d001be8955940fd051077ffe6f3ff82357ad31

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\api-ms-win-crt-convert-l1-1-0.dll

Filesize
14KB

MD5
88f89d0f2bd5748ed1af75889e715e6a

SHA1
8ada489b9ff33530a3fb7161cc07b5b11dfb8909

SHA256
02c78781bf6cc5f22a0ecedc3847bfd20bed4065ac028c386d063dc2318c33cc

SHA512
1f5a00284ca1d6dc6ae2dfce306febfa6d7d71d421583e4ce6890389334c2d98291e98e992b58136f5d1a41590553e3ad42fb362247ae8adf60e33397afbb5df

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
0979785e3ef8137cdd47c797adcb96e3

SHA1
4051c6eb37a4c0dba47b58301e63df76bff347dd

SHA256
d5164aecde4523ffa2dcfd0315b49428ac220013132ad48422a8ea4ca2361257

SHA512
e369bc53babd327f5d1b9833c0b8d6c7e121072ad81d4ba1fb3e2679f161fb6a9fa2fca0df0bac532fd439beb0d754583582d1dbfeccf2d38cc4f3bdca39b52d

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
12KB

MD5
a1b6cebd3d7a8b25b9a9cbc18d03a00c

SHA1
5516de099c49e0e6d1224286c3dc9b4d7985e913

SHA256
162ccf78fa5a4a2ee380f72fbd54d17a73c929a76f6e3659f537fa8f42602362

SHA512
a322fb09e6faaff0daabb4f0284e4e90ccacff27161dbfd77d39a9a93dbf30069b9d86bf15a07fc2006a55af2c35cd8ea544895c93e2e1697c51f2dafad5a9d7

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\api-ms-win-crt-heap-l1-1-0.dll

Filesize
11KB

MD5
a6a9dfb31be2510f6dbfedd476c6d15a

SHA1
cdb6d8bd1fbd1c71d85437cff55ddeb76139dbe7

SHA256
150d32b77b2d7f49c8d4f44b64a90d7a0f9df0874a80fc925daf298b038a8e4c

SHA512
b4f0e8fa148fac8a94e04bf4b44f2a26221d943cc399e7f48745ed46e8b58c52d9126110cdf868ebb723423fb0e304983d24fe6608d3757a43ad741bddb3b7ec

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
50b721a0c945abe3edca6bcee2a70c6c

SHA1
f35b3157818d4a5af3486b5e2e70bb510ac05eff

SHA256
db495c7c4ad2072d09b2d4506b3a50f04487ad8b27d656685ea3fa5d9653a21d

SHA512
ef2f6d28d01a5bad7c494851077d52f22a11514548c287e513f4820c23f90020a0032e2da16cc170ae80897ae45fc82bffc9d18afb2ae1a7b1da6eef56240840

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\api-ms-win-crt-math-l1-1-0.dll

Filesize
21KB

MD5
461d5af3277efb5f000b9df826581b80

SHA1
935b00c88c2065f98746e2b4353d4369216f1812

SHA256
f9ce464b89dd8ea1d5e0b852369fe3a8322b4b9860e5ae401c9a3b797aed17bf

SHA512
229bf31a1de1e84cf238a0dfe0c3a13fee86da94d611fbc8fdb65086dee6a8b1a6ba37c44c5826c3d8cfa120d0fba9e690d31c5b4e73f98c8362b98be1ee9600

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
4f06da894ea013a5e18b8b84a9836d5a

SHA1
40cf36e07b738aa8bba58bc5587643326ff412a9

SHA256
876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732

SHA512
1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
16KB

MD5
5765103e1f5412c43295bd752ccaea03

SHA1
6913bf1624599e55680a0292e22c89cab559db81

SHA256
8f7ace43040fa86e972cc74649d3e643d21e4cad6cb86ba78d4c059ed35d95e4

SHA512
5844ac30bc73b7ffba75016abefb8a339e2f2822fc6e1441f33f70b6eb7114f828167dfc34527b0fb5460768c4de7250c655bc56efd8ba03115cd2dd6f6c91c0

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
f364190706414020c02cf4d531e0229d

SHA1
5899230b0d7ad96121c3be0df99235ddd8a47dc6

SHA256
a797c0d43a52e7c8205397225ac931638d73b567683f38dd803195da9d34eac2

SHA512
a9c8abbd846ab55942f440e905d1f3864b82257b8daa44c784b1997a060de0c0439ecc25a2193032d4d85191535e9253e435deed23bdf3d3cb48c4209005a02e

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
d0b6a2caec62f5477e4e36b991563041

SHA1
8396e1e02dace6ae4dde33b3e432a3581bc38f5d

SHA256
fd44d833ea40d50981b3151535618eb57b5513ed824a9963251d07abff2baedf

SHA512
69bd6df96de99e6ab9c12d8a1024d20a034a7db3e2b62e8be7fdbc838c4e9001d2497b04209e07a5365d00366c794c31ee89b133304e475dde5f92fdb7fcb0bc

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
3dfb82541979a23a9deb5fd4dcfb6b22

SHA1
5da1d02b764917b38fdc34f4b41fb9a599105dd9

SHA256
0cd6d0ff0ff5ecf973f545e98b68ac6038db5494a8990c3b77b8a95b664b6feb

SHA512
f9a20b3d44d39d941fa131c3a1db37614a2f9b2af7260981a0f72c69f82a5326901f70a56b5f7ad65862630fce59b02f650a132ee7ecfe2e4fc80f694483ca82

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\kpacketui.dll

Filesize
2.9MB

MD5
e10a99406583a469f237a22262b5c146

SHA1
a6ef7da1b1c04b9abd4568b831487a8c12ff2a40

SHA256
400aa8843ba36752a44658d9b94ac1eb2c13ee713b9e2f3c7fab0c5fda2ed290

SHA512
aae3102e6616224be47c5ef226dbbf60aa63fa4b17dcb30d178c4f01a55cf8ed0dd0fdefc806808ca4b7123e986c0250d4b650569f1fd9fa1b7ace877ed428b0

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\msvcp140.dll

Filesize
427KB

MD5
db1e9807b717b91ac6df6262141bd99f

SHA1
f55b0a6b2142c210bbfeebf1bac78134acc383b2

SHA256
5a6dfa5e1ffb6c1e7fc76bd121c6c91305e10dd75fc2124f79fee291a9dd9e86

SHA512
f0621977d20989d21ae14b66c1a7a6c752bfd6d7ccc2c4c4ec1c70ba6756e642fb7f9b1c6a94afadd0f8a05d3c377792e4aa4c1a771d833c40a6f46b90cbe7c3

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll

Filesize
61KB

MD5
b480020e850eef0f7e29b7de8ef2932d

SHA1
9f8a8ecef875e914aafbc507994e46b6faa5df24

SHA256
bfb4b52dd2702b41fb3caac651943d82d19c99e723b1aab4adc0512d29bf729f

SHA512
80fb5efb81a0394f943b889b8921e2c12b9fd775bbe8f853f0b33cf522e22b63efb407f272dbaeebdeed04d14ba58aec20a67d25ef32e3dea0121a1631568f8d

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\qt\plugins\imageformats\qsvg.dll

Filesize
41KB

MD5
d9770019407e188a48958e70e5d40334

SHA1
002465bc93da3d4a2f5b54e16148f8825f8bd855

SHA256
00768ed43ff8419cfdcef24030db6d52447671739bd8e5ddd28ba177007a1506

SHA512
41528483fe4131e55f617c47f8c5b4657aa55698959e63b886a0937aeccc2846f6dd3f43fe93488f99fb2ade908adf959d7c69cdb63c650e02c4e200818c583e

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\qt\plugins\platforms\qwindows.dll

Filesize
1.3MB

MD5
01373f9d2c39ef7c2dfc44ad58f3a96f

SHA1
1058f3d73f2f2d8bd87b8c03152cc7a0f4ec17bb

SHA256
4cfc2acb4cc2d91d65d8af2fbce6c593be8a495be6564fd0eed504c890e27a2c

SHA512
e994d2ac55788187747d4ccdd63ce8c20f70d1935c494fea60a350750b79bc593f97e231624649afe1234984eacd47dea848c56731811ff6442d12b9882ca202

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll

Filesize
145KB

MD5
efe1164b815de4516d5b621c904f29d9

SHA1
da31c52cc3bb16b8d3335d95800de668d0aab9f6

SHA256
798be93c7c2cdc7c21b7b7f3b23f780b2c8876514666efe38e0fde3d5944eb33

SHA512
df738e165bc6753d7c4bc14f417d645d06431c291fc0a488509e6e74c8e6e8077c3170bfa287e87f88504eb4fce02bb6c55de6d0133b1c933483612bbf133f03

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\ucrtbase.dll

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
\Users\Admin\AppData\Local\Temp\wps\~f777178\CONTROL\office6\vcruntime140.dll

Filesize
75KB

MD5
8fdb26199d64ae926509f5606460f573

SHA1
7d7d8849e7c77af3042a6f54bdf2bb303d7cd678

SHA256
f1fd5f6ec1cfe0cc3b66b5322ac97568bc63b19c1e415b99aad7c69ddbafa33c

SHA512
f56bf11d4259dbf5d4d1f9fc2ad60ff609cddb21278999e9fa55fe5d74552e8a01ddc55cfdc9bf4b09b3e3130a1356142a24a7db8ec5ea19344de617dc9fa99f

Download Submit
memory/932-4316-0x000000006CC40000-0x000000006CC50000-memory.dmp

Filesize
64KB

Download
memory/932-4314-0x000000006CC40000-0x000000006CC50000-memory.dmp

Filesize
64KB

Download
memory/932-4307-0x000000006FF20000-0x0000000071660000-memory.dmp

Filesize
23.2MB

Download
memory/932-4308-0x000000006CC50000-0x000000006CC60000-memory.dmp

Filesize
64KB

Download
memory/932-4309-0x00000000003A0000-0x00000000003B7000-memory.dmp

Filesize
92KB

Download
memory/932-4310-0x000000006CC40000-0x000000006CC50000-memory.dmp

Filesize
64KB

Download
memory/932-4315-0x000000006CC40000-0x000000006CC50000-memory.dmp

Filesize
64KB

Download
memory/932-4317-0x000000006CC40000-0x000000006CC50000-memory.dmp

Filesize
64KB

Download
memory/932-4313-0x000000006CC40000-0x000000006CC50000-memory.dmp

Filesize
64KB

Download
memory/932-4311-0x000000006CC40000-0x000000006CC50000-memory.dmp

Filesize
64KB

Download
memory/932-4312-0x000000006CC40000-0x000000006CC50000-memory.dmp

Filesize
64KB

Download
memory/1020-4341-0x000000006E0E0000-0x000000006E0F0000-memory.dmp

Filesize
64KB

Download
memory/1020-4340-0x000000006E0E0000-0x000000006E0F0000-memory.dmp

Filesize
64KB

Download
memory/1020-4339-0x000000006E0E0000-0x000000006E0F0000-memory.dmp

Filesize
64KB

Download
memory/1020-4342-0x000000006E0E0000-0x000000006E0F0000-memory.dmp

Filesize
64KB

Download
memory/1020-4343-0x000000006E0E0000-0x000000006E0F0000-memory.dmp

Filesize
64KB

Download
memory/1020-4338-0x0000000000330000-0x0000000000347000-memory.dmp

Filesize
92KB

Download
memory/1020-4337-0x000000006E0F0000-0x000000006E100000-memory.dmp

Filesize
64KB

Download
memory/1020-4346-0x000000006E0E0000-0x000000006E0F0000-memory.dmp

Filesize
64KB

Download
memory/1020-4336-0x000000006FAA0000-0x00000000711E0000-memory.dmp

Filesize
23.2MB

Download
memory/1020-4344-0x000000006E0E0000-0x000000006E0F0000-memory.dmp

Filesize
64KB

Download
memory/1020-4345-0x000000006E0E0000-0x000000006E0F0000-memory.dmp

Filesize
64KB

Download
memory/1440-4417-0x000000006E0E0000-0x000000006E0F0000-memory.dmp

Filesize
64KB

Download
memory/1440-4416-0x000000006E0E0000-0x000000006E0F0000-memory.dmp

Filesize
64KB

Download
memory/1440-4425-0x00000000006B0000-0x00000000006BF000-memory.dmp

Filesize
60KB

Download
memory/1440-4419-0x000000006E0E0000-0x000000006E0F0000-memory.dmp

Filesize
64KB

Download
memory/1440-4418-0x000000006E0E0000-0x000000006E0F0000-memory.dmp

Filesize
64KB

Download
memory/1440-4420-0x000000006E0E0000-0x000000006E0F0000-memory.dmp

Filesize
64KB

Download
memory/1440-4424-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/1440-4415-0x000000006E0E0000-0x000000006E0F0000-memory.dmp

Filesize
64KB

Download
memory/1440-4414-0x000000006E0E0000-0x000000006E0F0000-memory.dmp

Filesize
64KB

Download
memory/1440-4413-0x000000006E0E0000-0x000000006E0F0000-memory.dmp

Filesize
64KB

Download
memory/1708-4362-0x000000006E0E0000-0x000000006E0F0000-memory.dmp

Filesize
64KB

Download
memory/1708-4361-0x0000000000420000-0x0000000000437000-memory.dmp

Filesize
92KB

Download
memory/1708-4363-0x000000006E0E0000-0x000000006E0F0000-memory.dmp

Filesize
64KB

Download
memory/1708-4368-0x000000006E0E0000-0x000000006E0F0000-memory.dmp

Filesize
64KB

Download
memory/1708-4367-0x000000006E0E0000-0x000000006E0F0000-memory.dmp

Filesize
64KB

Download
memory/1708-4366-0x000000006E0E0000-0x000000006E0F0000-memory.dmp

Filesize
64KB

Download
memory/1708-4369-0x000000006E0E0000-0x000000006E0F0000-memory.dmp

Filesize
64KB

Download
memory/1708-4364-0x000000006E0E0000-0x000000006E0F0000-memory.dmp

Filesize
64KB

Download
memory/1708-4365-0x000000006E0E0000-0x000000006E0F0000-memory.dmp

Filesize
64KB

Download
memory/2068-4472-0x000000006E0E0000-0x000000006E0F0000-memory.dmp

Filesize
64KB

Download
memory/2068-4470-0x000000006E0E0000-0x000000006E0F0000-memory.dmp

Filesize
64KB

Download
memory/2068-4471-0x000000006E0E0000-0x000000006E0F0000-memory.dmp

Filesize
64KB

Download
memory/2068-4469-0x0000000000370000-0x0000000000387000-memory.dmp

Filesize
92KB

Download
memory/2068-4473-0x000000006E0E0000-0x000000006E0F0000-memory.dmp

Filesize
64KB

Download
memory/2068-4474-0x000000006E0E0000-0x000000006E0F0000-memory.dmp

Filesize
64KB

Download
memory/2384-4446-0x000000006CC40000-0x000000006CC50000-memory.dmp

Filesize
64KB

Download
memory/2384-4447-0x000000006CC40000-0x000000006CC50000-memory.dmp

Filesize
64KB

Download
memory/2384-4445-0x000000006CC40000-0x000000006CC50000-memory.dmp

Filesize
64KB

Download
memory/2384-4444-0x000000006CC40000-0x000000006CC50000-memory.dmp

Filesize
64KB

Download
memory/2384-4443-0x00000000003E0000-0x00000000003F7000-memory.dmp

Filesize
92KB

Download
memory/2384-4449-0x000000006CC40000-0x000000006CC50000-memory.dmp

Filesize
64KB

Download
memory/2384-4448-0x000000006CC40000-0x000000006CC50000-memory.dmp

Filesize
64KB

Download
memory/2384-4451-0x000000006CC40000-0x000000006CC50000-memory.dmp

Filesize
64KB

Download
memory/2384-4450-0x000000006CC40000-0x000000006CC50000-memory.dmp

Filesize
64KB

Download
memory/2684-193-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download