Overview

overview

7

Static

static

3

f9e710f811...e7.exe

windows7-x64

7

f9e710f811...e7.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    84s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/03/2025, 14:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe

  • Size

    5.9MB

  • MD5

    5dfc1d13a567b959767dc96b0b47daa6

  • SHA1

    855d1463bee7b1bc017dccd65ef976478e3ab994

  • SHA256

    f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7

  • SHA512

    cf9ce83e6a52e48a938afee65fe0c81ec9cd43dcbe85aa88b0dd3e427b0defd69af04557a70685ae69621b92cc30826534937cc23dd40d077a2842ac037d4d1e

  • SSDEEP

    98304:6ILNTiGmEf2h6d5LSVE3mWvqdiabu8qohOA8bElxj5b8/vkZ0xTQWjq:ZRlXLS2xicDQOAlx1ovk0RQkq

Score
7/10
bootkitdefense_evasiondiscoverypersistenceprivilege_escalationspywarestealertrojan

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 17 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 64 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    defense_evasiontrojan
  • Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 24 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 64 IoCs
    defense_evasionspywaretrojan
  • Suspicious behavior: AddClipboardFormatListener 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    PID:3496
    • C:\Users\Admin\AppData\Local\Temp\f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe
      "C:\Users\Admin\AppData\Local\Temp\f9e710f81111aae5eb699f39a09c8b4fa02815335f0707c85bf13012d8daa0e7.exe"
      2⤵
      • Checks computer location settings
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1480
      • C:\Users\Admin\AppData\Local\Temp\wps_download\2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
        "C:\Users\Admin\AppData\Local\Temp\wps_download\2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe" -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -pinTaskbar -curlangofinstalledproduct=en_US -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -enableSetupMuiPkg -appdata="C:\Users\Admin\AppData\Roaming"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Writes to the Master Boot Record (MBR)
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies system certificate store
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5508
        • C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
          "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService
          4⤵
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • System Location Discovery: System Language Discovery
          PID:4064
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -regmtfont
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4788
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\\office6\ksomisc.exe" -setappcap
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:5308
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\\office6\ksomisc.exe" -assoepub -source=1
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of SetWindowsHookEx
          PID:5132
          • C:\Windows\SysWOW64\openwith.exe
            "C:\Windows\SysWOW64\openwith.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2648
          • C:\Windows\SysWOW64\openwith.exe
            "C:\Windows\SysWOW64\openwith.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1592
        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
          "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\\office6\ksomisc.exe" -registerqingshellext 1
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of SetWindowsHookEx
          PID:3280
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\addons\html2pdf\html2pdf.dll"
          4⤵
            PID:1280
          • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
            "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -regmso2pdfplugins
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: AddClipboardFormatListener
            PID:1768
            • C:\Windows\SysWOW64\regsvr32.exe
              "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\kmso2pdfplugins.dll"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1940
            • C:\Windows\SysWOW64\regsvr32.exe
              "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\kmso2pdfplugins64.dll"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1988
              • C:\Windows\system32\regsvr32.exe
                /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\kmso2pdfplugins64.dll"
                6⤵
                  PID:3060
            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
              "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -regPreviewHandler
              4⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: AddClipboardFormatListener
              PID:1064
            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
              "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\\office6\ksomisc.exe" -assopic_setup
              4⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious behavior: AddClipboardFormatListener
              PID:3824
            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
              "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\\office6\ksomisc.exe" -defragment
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: AddClipboardFormatListener
              PID:4448
        • C:\Users\Admin\AppData\Local\Temp\wps_download\2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe
          "C:\Users\Admin\AppData\Local\Temp\wps_download\2bbf0d71eec412cc1ab1d5f9969c87d3-15_setup_XA_mui_Free.exe.601.1130.exe" -downpower -installCallByOnlineSetup -defaultOpen -defaultOpenPdf -asso_pic_setup -createIcons -pinTaskbar -curlangofinstalledproduct="en_US" -D="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -enableSetupMuiPkg="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office" -appdata="C:\Users\Admin\AppData\Roaming" -msgwndname=wpssetup_message_E57D3EA -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~e57d08e\
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Writes to the Master Boot Record (MBR)
          • System Location Discovery: System Language Discovery
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2980
          • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
            "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -setlng en_US
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Modifies system certificate store
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:872
          • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
            "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -getonlineparam 00601.00001130 -forceperusermode
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Writes to the Master Boot Record (MBR)
            • System Location Discovery: System Language Discovery
            • Modifies system certificate store
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2000
          • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
            "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -getabtest -forceperusermode
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Modifies system certificate store
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:5308
          • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
            "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -setservers
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Modifies system certificate store
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:3440
          • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
            "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -register
            3⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Modifies system certificate store
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1940
            • C:\Windows\SysWOW64\regsvr32.exe
              "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\kmso2pdfplugins.dll"
              4⤵
                PID:736
              • C:\Windows\SysWOW64\regsvr32.exe
                "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\kmso2pdfplugins64.dll"
                4⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2744
                • C:\Windows\system32\regsvr32.exe
                  /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\kmso2pdfplugins64.dll"
                  5⤵
                    PID:3688
              • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
                "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -assoword
                3⤵
                • Checks computer location settings
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious behavior: AddClipboardFormatListener
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                PID:4520
              • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
                "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -assoexcel
                3⤵
                • Checks computer location settings
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious behavior: AddClipboardFormatListener
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                PID:1712
              • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
                "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -assopowerpnt
                3⤵
                • Checks computer location settings
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious behavior: AddClipboardFormatListener
                • Suspicious use of SetWindowsHookEx
                PID:4544
              • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
                "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -compatiblemso -source=1
                3⤵
                • Checks computer location settings
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: AddClipboardFormatListener
                • Suspicious use of SetWindowsHookEx
                PID:3080
              • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
                "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -checkcompatiblemso
                3⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: AddClipboardFormatListener
                • Suspicious use of SetWindowsHookEx
                PID:4996
              • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
                "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -saveas_mso
                3⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: AddClipboardFormatListener
                • Suspicious use of SetWindowsHookEx
                PID:5276
              • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
                "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -distsrc 00601.00001130
                3⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: AddClipboardFormatListener
                • Suspicious use of SetWindowsHookEx
                PID:1940
              • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
                "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -sendinstalldyn 5
                3⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Modifies system certificate store
                • Suspicious behavior: AddClipboardFormatListener
                • Suspicious use of SetWindowsHookEx
                PID:3480
              • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
                "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode
                3⤵
                • Checks computer location settings
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: AddClipboardFormatListener
                • Suspicious use of SetWindowsHookEx
                PID:1272
                • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\pinTaskbar.exe
                  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\pinTaskbar.exe" "C:\Users\Admin\AppData\Local\Temp\Kingsoft\WPS Office.lnk" 5386
                  4⤵
                  • Executes dropped EXE
                  PID:1192
              • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
                "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -externaltask create -forceperusermode
                3⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: AddClipboardFormatListener
                • Suspicious use of SetWindowsHookEx
                PID:3060
                • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\wps.exe
                  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\wps.exe" Run "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\addons\ktaskschdtool\ktaskschdtool.dll" /task=wpsexternal /createtask
                  4⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:3572
                  • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\wps.exe
                    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\wps.exe" CheckService
                    5⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:776
                  • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\wps.exe
                    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\wps.exe" Run -User=Admin -Entry=EntryPoint "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.20326/office6/addons/ktaskschdtool/ktaskschdtool.dll" /user=Admin /task=wpsexternal /cleantask /pid=3572 /prv
                    5⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:1924
              • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
                "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -createsubmodulelink startmenu prometheus
                3⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: AddClipboardFormatListener
                • Suspicious use of SetWindowsHookEx
                PID:4388
              • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
                "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -createsubmodulelink startmenu pdf
                3⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: AddClipboardFormatListener
                • Suspicious use of SetWindowsHookEx
                PID:5840
              • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
                "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -createsubmodulelink desktop pdf
                3⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: AddClipboardFormatListener
                • Suspicious use of SetWindowsHookEx
                PID:4816
              • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
                "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -createsubmodulelink desktop prometheus
                3⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: AddClipboardFormatListener
                • Suspicious use of SetWindowsHookEx
                PID:3872
              • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
                "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -createCustomDestList
                3⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: AddClipboardFormatListener
                • Suspicious use of SetWindowsHookEx
                PID:3472
              • C:\Windows\SysWOW64\regsvr32.exe
                "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\kwpsmenushellext64.dll"
                3⤵
                • System Location Discovery: System Language Discovery
                PID:4448
                • C:\Windows\system32\regsvr32.exe
                  /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\kwpsmenushellext64.dll"
                  4⤵
                  • Modifies system executable filetype association
                  PID:6136
              • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
                "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -setup_assopdf -source=1
                3⤵
                • Checks computer location settings
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: AddClipboardFormatListener
                • Suspicious use of SetWindowsHookEx
                PID:6072
                • C:\Windows\SysWOW64\openwith.exe
                  "C:\Windows\SysWOW64\openwith.exe"
                  4⤵
                  • System Location Discovery: System Language Discovery
                  PID:2288
              • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\wpsupdate.exe
                "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\wpsupdate.exe" /from:setup
                3⤵
                • Checks computer location settings
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: AddClipboardFormatListener
                • Suspicious use of SetWindowsHookEx
                PID:5320
                • C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
                  "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
                  4⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:756
              • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\wpsupdate.exe
                "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\wpsupdate.exe" -createtask
                3⤵
                • Checks computer location settings
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: AddClipboardFormatListener
                • Suspicious use of SetWindowsHookEx
                PID:2288
                • C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
                  "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" CheckService
                  4⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:4996
              • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
                "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -createexternstartmenu "WPS Office"
                3⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: AddClipboardFormatListener
                PID:956
              • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
                "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -rebuildicon
                3⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: AddClipboardFormatListener
                PID:4960
              • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
                "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -reportAssoInfo -forceperusermode
                3⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: AddClipboardFormatListener
                PID:2256
              • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\wps.exe
                "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\wps.exe" /prometheus /download_lang_on_start /lang=en_US /from=autostart_after_install_onlinesetup
                3⤵
                • Modifies system certificate store
                • Suspicious behavior: AddClipboardFormatListener
                • Suspicious behavior: GetForegroundWindowSpam
                PID:1644
                • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\wpscloudsvr.exe
                  "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\wpscloudsvr.exe" /qingbangong /start_from=qingipc /qingbangong /start_from=kstartpage silentautologin
                  4⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies system certificate store
                  • Suspicious behavior: AddClipboardFormatListener
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  PID:4204
                  • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\wps.exe
                    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\wps.exe" Run "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.20326/office6/addons/kcef/jsapibrowser.dll" --server=browser.a3ba19ec797144349ea5dbc1b742aca1.20326.high.dpi1.pipe --rendererswitchflag=0
                    5⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: AddClipboardFormatListener
                    PID:4172
                  • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
                    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -getabtest -forceperusermode
                    5⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: AddClipboardFormatListener
                    PID:4568
                  • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
                    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -getonlineparam -forceperusermode
                    5⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: AddClipboardFormatListener
                    PID:4556
                  • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe
                    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /messagepush /PushType=mipush /From=Qing
                    5⤵
                    • System Location Discovery: System Language Discovery
                    PID:1132
                    • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\wpscloudsvr.exe
                      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\wpscloudsvr.exe" /messagepush /PushType=mipush /From=Qing
                      6⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: AddClipboardFormatListener
                      PID:1184
                  • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe
                    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /krecentfile /init /From=Qing
                    5⤵
                    • System Location Discovery: System Language Discovery
                    PID:3480
                    • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\wpscloudsvr.exe
                      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\wpscloudsvr.exe" /krecentfile /init /From=Qing
                      6⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: AddClipboardFormatListener
                      PID:5084
                  • C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386\chromehost_1.0.2024.93\chromelauncher.exe
                    C:\Users\Admin\AppData\Roaming\Kingsoft\wps\addons\pool\win-i386\chromehost_1.0.2024.93\chromelauncher.exe install
                    5⤵
                      PID:6260
                    • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\wps.exe
                      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\wps.exe" Run -User=Admin "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe" -regpdfwspv
                      5⤵
                        PID:7128
                      • C:\Users\Admin\AppData\Roaming\Kingsoft\office6\wns\windowsappruntimeinstall.exe
                        C:\Users\Admin\AppData\Roaming\Kingsoft\office6\wns\windowsappruntimeinstall.exe --quiet
                        5⤵
                          PID:1476
                      • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\wps.exe
                        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\wps.exe" Run "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.20326/office6/addons/kcef/jsapibrowser.dll" --server=browser.a3ba19ec797144349ea5dbc1b742aca1.20326.high.dpi1.pipe --rendererswitchflag=0
                        4⤵
                        • Checks computer location settings
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: AddClipboardFormatListener
                        PID:2556
                        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\promecefpluginhost.exe
                          "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.20326/office6\promecefpluginhost.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\debug.log" --mojo-platform-channel-handle=1856 --field-trial-handle=2008,i,6538482048293183648,17517684176307550137,131072 --disable-features=TSFImeSupport /prefetch:2
                          5⤵
                          • System Location Discovery: System Language Discovery
                          PID:4456
                        • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\promecefpluginhost.exe
                          "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.20326/office6\promecefpluginhost.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\debug.log" --mojo-platform-channel-handle=2644 --field-trial-handle=2008,i,6538482048293183648,17517684176307550137,131072 --disable-features=TSFImeSupport /prefetch:8
                          5⤵
                          • System Location Discovery: System Language Discovery
                          PID:860
                        • C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.203\office6\wps.exe
                          "C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.203\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4yMDMyNlxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4yMDMyNlxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4yMDMyNlxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4yMDMyNlxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4yMDMyNlxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=2556 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.20326/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --jbserver=browser.a3ba19ec797144349ea5dbc1b742aca1.20326.high.dpi1.pipe --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\debug.log" --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=3016 --field-trial-handle=2008,i,6538482048293183648,17517684176307550137,131072 --disable-features=TSFImeSupport /prefetch:1
                          5⤵
                          • Checks computer location settings
                          • System Location Discovery: System Language Discovery
                          PID:1068
                        • C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.203\office6\wps.exe
                          "C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.203\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4yMDMyNlxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4yMDMyNlxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4yMDMyNlxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4yMDMyNlxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4yMDMyNlxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=2556 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.20326/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --jbserver=browser.a3ba19ec797144349ea5dbc1b742aca1.20326.high.dpi1.pipe --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\debug.log" --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3264 --field-trial-handle=2008,i,6538482048293183648,17517684176307550137,131072 --disable-features=TSFImeSupport /prefetch:1
                          5⤵
                          • System Location Discovery: System Language Discovery
                          PID:4592
                        • C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.203\office6\wps.exe
                          "C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.203\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4yMDMyNlxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4yMDMyNlxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4yMDMyNlxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4yMDMyNlxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4yMDMyNlxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=2556 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.20326/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --jbserver=browser.a3ba19ec797144349ea5dbc1b742aca1.20326.high.dpi1.pipe --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\debug.log" --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3308 --field-trial-handle=2008,i,6538482048293183648,17517684176307550137,131072 --disable-features=TSFImeSupport /prefetch:1
                          5⤵
                          • System Location Discovery: System Language Discovery
                          PID:4240
                        • C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.203\office6\wps.exe
                          "C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.203\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4yMDMyNlxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4yMDMyNlxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4yMDMyNlxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4yMDMyNlxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4yMDMyNlxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=2556 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.20326/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --jbserver=browser.a3ba19ec797144349ea5dbc1b742aca1.20326.high.dpi1.pipe --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\debug.log" --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3336 --field-trial-handle=2008,i,6538482048293183648,17517684176307550137,131072 --disable-features=TSFImeSupport /prefetch:1
                          5⤵
                          • System Location Discovery: System Language Discovery
                          PID:908
                        • C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.203\office6\wps.exe
                          "C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1220~1.203\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4yMDMyNlxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4yMDMyNlxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4yMDMyNlxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4yMDMyNlxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjIuMC4yMDMyNlxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=2556 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.2.0.20326/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --jbserver=browser.a3ba19ec797144349ea5dbc1b742aca1.20326.high.dpi1.pipe --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\debug.log" --js-flags=--expose-gc --lang=en-US --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3864 --field-trial-handle=2008,i,6538482048293183648,17517684176307550137,131072 --disable-features=TSFImeSupport /prefetch:1
                          5⤵
                            PID:224
                  • C:\Windows\System32\alg.exe
                    C:\Windows\System32\alg.exe
                    1⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    PID:5680
                  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
                    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
                    1⤵
                    • Executes dropped EXE
                    PID:6120
                  • C:\Windows\System32\svchost.exe
                    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
                    1⤵
                      PID:5464
                    • C:\Windows\system32\fxssvc.exe
                      C:\Windows\system32\fxssvc.exe
                      1⤵
                      • Executes dropped EXE
                      • Modifies data under HKEY_USERS
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1540
                    • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
                      "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
                      1⤵
                      • Executes dropped EXE
                      PID:4808
                    • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
                      1⤵
                      • Executes dropped EXE
                      PID:4780
                    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
                      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
                      1⤵
                      • Executes dropped EXE
                      PID:4584
                    • C:\Windows\System32\msdtc.exe
                      C:\Windows\System32\msdtc.exe
                      1⤵
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • Drops file in Windows directory
                      PID:3548
                    • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
                      "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
                      1⤵
                      • Executes dropped EXE
                      PID:5060
                    • C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
                      C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
                      1⤵
                      • Executes dropped EXE
                      PID:5116
                    • C:\Windows\SysWow64\perfhost.exe
                      C:\Windows\SysWow64\perfhost.exe
                      1⤵
                      • Executes dropped EXE
                      PID:4632
                    • C:\Windows\system32\locator.exe
                      C:\Windows\system32\locator.exe
                      1⤵
                      • Executes dropped EXE
                      PID:3700
                    • C:\Windows\System32\SensorDataService.exe
                      C:\Windows\System32\SensorDataService.exe
                      1⤵
                      • Executes dropped EXE
                      • Checks SCSI registry key(s)
                      PID:5608
                    • C:\Windows\System32\snmptrap.exe
                      C:\Windows\System32\snmptrap.exe
                      1⤵
                      • Executes dropped EXE
                      PID:6076
                    • C:\Windows\system32\spectrum.exe
                      C:\Windows\system32\spectrum.exe
                      1⤵
                      • Executes dropped EXE
                      • Checks SCSI registry key(s)
                      PID:2240
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
                      1⤵
                        PID:1928
                      • C:\Windows\System32\OpenSSH\ssh-agent.exe
                        C:\Windows\System32\OpenSSH\ssh-agent.exe
                        1⤵
                        • Executes dropped EXE
                        PID:5688
                      • C:\Windows\system32\TieringEngineService.exe
                        C:\Windows\system32\TieringEngineService.exe
                        1⤵
                        • Executes dropped EXE
                        • Checks processor information in registry
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4696
                      • C:\Windows\system32\AgentService.exe
                        C:\Windows\system32\AgentService.exe
                        1⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4840
                      • C:\Windows\System32\vds.exe
                        C:\Windows\System32\vds.exe
                        1⤵
                        • Executes dropped EXE
                        PID:4316
                      • C:\Windows\system32\vssvc.exe
                        C:\Windows\system32\vssvc.exe
                        1⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:6132
                      • C:\Windows\system32\wbengine.exe
                        "C:\Windows\system32\wbengine.exe"
                        1⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:5540
                      • C:\Windows\system32\wbem\WmiApSrv.exe
                        C:\Windows\system32\wbem\WmiApSrv.exe
                        1⤵
                        • Executes dropped EXE
                        PID:3972
                      • C:\Windows\system32\SearchIndexer.exe
                        C:\Windows\system32\SearchIndexer.exe /Embedding
                        1⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:220
                        • C:\Windows\system32\SearchProtocolHost.exe
                          "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
                          2⤵
                          • Modifies data under HKEY_USERS
                          PID:2752
                        • C:\Windows\system32\SearchFilterHost.exe
                          "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
                          2⤵
                          • Modifies data under HKEY_USERS
                          PID:836
                      • C:\Windows\system32\backgroundTaskHost.exe
                        "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                        1⤵
                          PID:1192
                        • C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
                          "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" LocalService
                          1⤵
                            PID:4504
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
                            1⤵
                              PID:6112

                            Network

                            MITRE ATT&CK Enterprise v15

                            Reconnaissance

                            Resource Development

                            Initial Access

                            Execution

                            Persistence

                            Event Triggered Execution

                            2
                            T1546

                            Change Default File Association

                            1
                            T1546.001

                            Component Object Model Hijacking

                            1
                            T1546.015

                            Pre-OS Boot

                            1
                            T1542

                            Bootkit

                            1
                            T1542.003

                            Privilege Escalation

                            Event Triggered Execution

                            2
                            T1546

                            Change Default File Association

                            1
                            T1546.001

                            Component Object Model Hijacking

                            1
                            T1546.015

                            Defense Evasion

                            Modify Registry

                            3
                            T1112

                            Pre-OS Boot

                            1
                            T1542

                            Bootkit

                            1
                            T1542.003

                            Subvert Trust Controls

                            1
                            T1553

                            Install Root Certificate

                            1
                            T1553.004

                            Credential Access

                            Credentials from Password Stores

                            1
                            T1555

                            Credentials from Web Browsers

                            1
                            T1555.003

                            Unsecured Credentials

                            1
                            T1552

                            Credentials In Files

                            1
                            T1552.001

                            Discovery

                            Peripheral Device Discovery

                            1
                            T1120

                            Query Registry

                            4
                            T1012

                            System Information Discovery

                            5
                            T1082

                            System Location Discovery

                            1
                            T1614

                            System Language Discovery

                            1
                            T1614.001

                            Lateral Movement

                            Collection

                            Data from Local System

                            1
                            T1005

                            Command and Control

                            Exfiltration

                            Impact

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
                              Filesize

                              2.3MB

                              MD5

                              5b1d71a0c604502a4ddd01b4ad6b47fa

                              SHA1

                              f9186b1b92f59d97158ebc560ff3c4b74d33ec02

                              SHA256

                              ac8c239415947dea77c08243cb2031dae164a73516bd394813ef8b1867787911

                              SHA512

                              b07e194759179b50933f3bbf183568184c3b3b5ce1cc97d0a849ea336e89034860a976ad0f4de532ce681a291477d31b3870559861605d48c1d1e9b8a2866c34

                              Download Submit

                            • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
                              Filesize

                              1.4MB

                              MD5

                              331c4b73dac69df570b8f370e0f76ed6

                              SHA1

                              883fbc85edbb14ca65f2b24d20fd6da8f3455d6a

                              SHA256

                              8b1a7df687716953145e697a46aab18f67219bf8e291b5f62af08350102b3095

                              SHA512

                              a8615eefedc33cbcdb15d8c075084f44682d74e19052d92930ef529997d24edca1fdca82d76242500dd422cfbcd33bd5173a2bdcced633e8307dad08ef7fd66e

                              Download Submit

                            • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
                              Filesize

                              1.4MB

                              MD5

                              68bf563dfb445c022091223083597251

                              SHA1

                              a73cc86a59b8608175e3a7ec853fc6e0a8e497f4

                              SHA256

                              695476bcaea0a70c96eb1db3d7d33e145ff83c851da548ea0aea9d51aa399034

                              SHA512

                              c2f3b2a92aba1e2ac012b211ddb548925a9e45d2c198d2d790554dcedf8b351f14de5aa7c434e3583471e9a09ff682ca51eef3d65718b9832b8fa6309ccb36c8

                              Download Submit

                            • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
                              Filesize

                              2.3MB

                              MD5

                              9c0794c8ef2dd0dfa1b4e1fc36382024

                              SHA1

                              b2a74af1b6b569126a0fd1c447f86c8169b77b5b

                              SHA256

                              1e6f30071fa0a2b65c8a802e16e9b7f3d56a778c2cef000cba029ae8fe5ec7dd

                              SHA512

                              c6a9efdfb050930156fe608542b4c818964f7601f6dffdfc25884bcd7fc99f85132fc4c905a696053d11ef91909d1a9f3a73559a28cd0627ee70f472d5971a6d

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\Qt5NetworkKso.dll
                              Filesize

                              1.1MB

                              MD5

                              f31bf7d0dbfac9b5f0b772456ff06ecc

                              SHA1

                              7f3ebcd4c69a1a9832450e9338021d41465a117f

                              SHA256

                              6be2d9a21d92aa94e7c8505f72cbeaffd08e8e118bb20ca47bcded4366525ac8

                              SHA512

                              31ba5097eb3664c79e7ab982e54a9014b3fa79fe13eee5503fcbc99c007e7b505b22b1db67818c7b9fc7cbe356e4b477c1e1856c30ea546d21d41fcf0ded9cb7

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\addons\ksearchpanel\mui\pt_BR\ksearchpanel.qm
                              Filesize

                              334B

                              MD5

                              2b42be10ddde43a0b6c2e461beae293a

                              SHA1

                              53888c4798bc04fdfc5a266587b8dc1c4e0103f3

                              SHA256

                              984ebeef80f6f50907afb92e5b5ae72df49fce045552c118a77a8887cc98e19b

                              SHA512

                              be3ebd02d37de367200696351fb5f9cd0ec4c206c3a33f281cb8b62386457a30a899322798c63a0d495577393e47258994feb7f8e2445645f552c2b7a2de6778

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\addons\kstartpage\mui\default\html\run.ini
                              Filesize

                              171B

                              MD5

                              b30cb271e143eace0f55ea2e562e1e9f

                              SHA1

                              9d97dbf24931cfc114384c3f4dbbae21c9e51be5

                              SHA256

                              3ab7bb6175885fc6acbf5eed0062b0d00c059cb4c68bd2ef90149b2c8763e658

                              SHA512

                              dc593185fa63b458024c3a913c558e5686806154181dea67eec786ada50595c53bab822833ad1e76c9acdf21be3eba50631391b7e575d7f1f6409ceccf966535

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\addons\qing\mui\default_xa\res\clouddiskhomepage\static\js\default\history.js
                              Filesize

                              198KB

                              MD5

                              d79cca3c379636510ddd6adc09a31d51

                              SHA1

                              6470c9569dcbd7b2ef0c75549799ef3c93fbf523

                              SHA256

                              632f2d1136280eaed004b7231ae90ed76bbd06c25f73d900873abc1c6ae71769

                              SHA512

                              1f066715066c6125e7556455f67eccdafcfb0a15642c25425c865c6def6ea3dae819018fa8d2abdcf9eca53de94c49f1310bd1c7883247f84a6043df03e1f80d

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\cfgs\setup.cfg
                              Filesize

                              434B

                              MD5

                              6c24204c36a331b30eccb1005e21a045

                              SHA1

                              56bb9642a5cf586f9e4152daaaa1275be587015b

                              SHA256

                              537cbec4f9ad460713cbe55caaf847ca5c010f84fc43628ddd7bf57a4902a07c

                              SHA512

                              664a361febf744963099950cab56f7f7a61308203787c99c924a388aaec64aabd8f6a7c405a2c9c964ad3ac83aa21a531ed351b6fa5d51f1aa72022a6ba1c80a

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\kshell.dll
                              Filesize

                              23.3MB

                              MD5

                              f815cbd1bb53158d5c0efb8b93f775c1

                              SHA1

                              e699c86d2e742f2178e76f6470f70bc45571b589

                              SHA256

                              741585755d3898635ad5cdf6daef8d035cc4ac8ab7096393a0a81c9bd5603900

                              SHA512

                              00ebd5ac585581d5dd4dd04d4a3d27237cd7f10c82d83e22e4efd725fcc6bbc2a622dd97cd3b2574c80712d5126ce4c47be76a85223ac5dfc1bc25e84be66244

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksolite.dll
                              Filesize

                              10.3MB

                              MD5

                              cdd0406872cb3437df2e37b612d683d6

                              SHA1

                              6baf1b48709cea3dd247565a2a48a56d48112132

                              SHA256

                              adc5066cc2743caf68231cd96d728c339cde74cf173dd3ea3c9817880f49892b

                              SHA512

                              770a50c56e7d514c392730e7166bc875cc1e0dfe3e570888b3bbe4708f4af7f1dbe651128cc590aef2eb52cf3abbebe6be54ec39a4db5f874a27a147ee541af1

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\ksomisc.exe
                              Filesize

                              3.2MB

                              MD5

                              3e847ef339f4e4fe66c7fc4d1ab17616

                              SHA1

                              97d9e7e2ae261d97693ef3f823cb5be4d871c58a

                              SHA256

                              b18dcd36be3a14602e002887d0ffa4f71bb2205edaa4d6309edd955cb789a008

                              SHA512

                              9ced85cc661fdfe611a8b261760a44697c4cad46e7622fd6e8ebbd1ee74c28c76366adf8eca4a2800398044bbd285686c9049b0a90cf82fc722b25fc2c9fe21c

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\mui\ja_JP\resource\splash\hdpi\2x\ent_background_2019_wpsoffice.png
                              Filesize

                              236KB

                              MD5

                              c5ad1903526a9ca4c2f55cfea1e22778

                              SHA1

                              9c7b9ba9100a919cad272fb85ff95c4cde45de9f

                              SHA256

                              5e7ba996d2331f37b9799767c0fa806cab9a39fea434796ab08dcaf39096e334

                              SHA512

                              e482142e81fbe71666b40f7a2c53702b4278436a0240e0f56200443cf4235d9942cccc3545cc01486d53a0972be553cbf93442e8b05de7b4fcd1fe8a4ec16bb4

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\qt\plugins\platforms\qdirect2d.dll
                              Filesize

                              1.4MB

                              MD5

                              8b5a5abb3b262e789c4f8f7d9d25ff8c

                              SHA1

                              96b498e8fd235bc36e8e232376c51449b462a060

                              SHA256

                              cb0c8a75f596b18d33387d0290de6fc67a48e3688ab66cb159d2490884b1a8bd

                              SHA512

                              9c70928ea6e743025f0b4fef9dd63589f29d49bd30bb2099bf065f07bdf98b62ad1af64ca461180b2b726388a4b8f03c0a916364f2a2791f23b3084a8f8247bb

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\office6\wpscloudsvr.exe
                              Filesize

                              914KB

                              MD5

                              02f351fb717db99f937a3ea2f8bdc832

                              SHA1

                              a38ade8f14b993c67c219a18b83efbc269bbcdd4

                              SHA256

                              485dc6b53f144e4aa63eba4470a8c1fcd3e1ca93bf22bec9a35b4e66a8f3c6f4

                              SHA512

                              7726607d040919b5a932fd0757c261d614952a0cde7b8f83206a0a58b5b922ff8402bd9d549a67836e5a87e7198ee5928c056cf184d409cf0b34f78702a57ad1

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\utility\install.ini
                              Filesize

                              499B

                              MD5

                              183330feb3b9701fec096dcbfd8e67e4

                              SHA1

                              2f43379fefa868319a2baae7998cc62dc2fc201d

                              SHA256

                              ac4f26a184114522200169c5f57a0af4498a20d19b7ec6def14dd2c6413eb475

                              SHA512

                              643cc197456f15da6ddd6eb904f2b25ad4236a24310d575958c0c8e457a33167e748d21184162502a295fa466c031a837511d4d5348fd67499ede1b60065c471

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.2.0.20326\utility\install.ini
                              Filesize

                              675B

                              MD5

                              e4a841ee4ef657b2ae2fdf09f6f88421

                              SHA1

                              7f2eb17f84e73febe549241f616b95da3a43978f

                              SHA256

                              a3abfebfe981544cce529398c0f1fbd7fef2adb6fc9bb775affa2e5d8e0dc341

                              SHA512

                              d0067de71e568f5447fb322eb14fa181941cec2ef71ff030f8d1eadad4f66d4c1e9fef7f36f4a2396d0db1a3a66a88b82c31a6f9b1ed2f52015c693129741053

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\Kingsoft\WPS Office.lnk
                              Filesize

                              2KB

                              MD5

                              dcdf8e84becfbe027a45618f15c82159

                              SHA1

                              9805f2c204cd7b3531fbf4d2f54ed0f80dc36b19

                              SHA256

                              1877e5a6bd2c004087831685a7b208e3c7f5720e9cb513049fc331e7558fc00b

                              SHA512

                              3b3cc897d9c3cf83984b4a187444538df00565956771c8f3627fb50aa23eff6a69045d6c9e89e61bbf7896d2b984ec70ff02c8c3ca6046dfc9185a9a9953e561

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\wps\~e57d08e\CONTROL\office6\Qt5CoreKso.dll
                              Filesize

                              5.1MB

                              MD5

                              71b4e7ca85a286039c5ffd8d051d0389

                              SHA1

                              8a95e0099b7e0d06d775e6c9cee15ec203dd35a4

                              SHA256

                              f164a74d5bbac341f6468002836338a77570830832f16160925bb09b916a4098

                              SHA512

                              f056aa1969f18f0438516261addf6250e18cb9955cbffc4d98dc63a61c033a9fe388089d15e735d6eadea6024b7ee9f2e1ba3c93ac251995a9bde56b8f18ed90

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\wps\~e57d08e\CONTROL\office6\Qt5GuiKso.dll
                              Filesize

                              5.3MB

                              MD5

                              5aae2422f4e1e26f31afa4235fa0335e

                              SHA1

                              8e3427c16581d50b9185a5cfbf25b04d5deca6e0

                              SHA256

                              97595c2ec54d3fdfaed460630a3b40212c51c5b8b0621f2716a1e4165c7b5013

                              SHA512

                              d22fa19def1c537b20a4f246d6a6609767eff482eba11793a1525d750f9ecae2dbee8063b3638739ac628f8f87eedb8535a7203368185c9bbaf376f4cebd4477

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\wps\~e57d08e\CONTROL\office6\Qt5SvgKso.dll
                              Filesize

                              392KB

                              MD5

                              88a46a74d1c54b6e24343952ea84b2e4

                              SHA1

                              2c55e886513fba0ee8c00f4e5696037183406841

                              SHA256

                              042852572e6481b29bb20aac3f912172bad2df7fb62f9adf18c2bb375397c66b

                              SHA512

                              44543b127d27a63e7529fd9a70983ffb492e70857ee6acff30cc4f8489d06c7e502778cd729750198a3c12e0aa4273bb1a377132b86059561a81ed3019170f3e

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\wps\~e57d08e\CONTROL\office6\Qt5WidgetsKso.dll
                              Filesize

                              4.5MB

                              MD5

                              5c8512fc5fa68f0d9250e885e075fb9c

                              SHA1

                              ede941a739e8d939b88ff4d7c51e8dfbf6dc9ab1

                              SHA256

                              32d14be19271a5fbd1ad8b9c15ded3a5ea0f83328501dd46bc617a0e0dc53d45

                              SHA512

                              bbe3f5065056c32732abb9f477f4f15e748d13f402ac9925e42af139d451074480f1d094fe3a5ef2c11de856fcbc49a35624b1d56458fe5ae6615695f3b82554

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\wps\~e57d08e\CONTROL\office6\Qt5WinExtrasKso.dll
                              Filesize

                              217KB

                              MD5

                              38d7ba1486407c7881d4f5f7559f6bc0

                              SHA1

                              bec1abe46eaa69bfb5c9f45cf3666209f486139f

                              SHA256

                              de114548ded37cd2ec3f36ca10ca526b6e8ac697256d6de0ccd0386f9056e6e4

                              SHA512

                              41503f18588bbb584a9378df5b4c69facc2e7392fb39b371320c7887fba4f3ad72f7a1970bd9ba36057a83fca6cc2a91698ff5001523529417de262049d38e3c

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\wps\~e57d08e\CONTROL\office6\dbghelp.dll
                              Filesize

                              1.2MB

                              MD5

                              56d017aef6a7c74cd136f2390b8ea6d3

                              SHA1

                              46cc837c64abe4e757e66a24ece56e3f975e9ef6

                              SHA256

                              900da3e0ea1b4f94773689b41d3f00b28b0fad0f6390da3aec3a9f84a3f85920

                              SHA512

                              7b5573461693c6125df7ff9040afb6f4fa818a68add9073071a3317767216dd9a6cf25704f3189f3923ead36751fa830e9899eb79f9b6cad3be405262bf53f49

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\wps\~e57d08e\CONTROL\office6\kpacketui.dll
                              Filesize

                              2.9MB

                              MD5

                              ccfb65811e667bd7cd24330698eee4ff

                              SHA1

                              7bdb45a1cd5517816ef1dc74f118f0b66b2dec21

                              SHA256

                              693a27dc378fcab57e604b88de86242deb2f8873651b526360b0bae25d085d05

                              SHA512

                              8167fe60806f324da8564d0187f6b49f35cabedbae83384d2d3730e6045159cc58028fedbf4a2ebf020cf5aeb8249ea648e6e5bb3edf25ed1ddbdb5fa189042b

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\wps\~e57d08e\CONTROL\office6\msvcp140.dll
                              Filesize

                              427KB

                              MD5

                              db1e9807b717b91ac6df6262141bd99f

                              SHA1

                              f55b0a6b2142c210bbfeebf1bac78134acc383b2

                              SHA256

                              5a6dfa5e1ffb6c1e7fc76bd121c6c91305e10dd75fc2124f79fee291a9dd9e86

                              SHA512

                              f0621977d20989d21ae14b66c1a7a6c752bfd6d7ccc2c4c4ec1c70ba6756e642fb7f9b1c6a94afadd0f8a05d3c377792e4aa4c1a771d833c40a6f46b90cbe7c3

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\wps\~e57d08e\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll
                              Filesize

                              61KB

                              MD5

                              304808600a9acaeee45b9fad21fdd3ec

                              SHA1

                              4280554486ed18c973ce9bd42c465aedb0c1f88f

                              SHA256

                              682627fbff84bfb713ddb66c1b7a0f0f8ad5b0c9cb70bb6a15196063a074af25

                              SHA512

                              e6ef540032f389feff24bdef1b8798fe43568809346de5058172e95d7d1e8da5410fe6f3a754181a5990303300a7ef77fe6db3e07e4490c6793ae84afb58ca27

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\wps\~e57d08e\CONTROL\office6\qt\plugins\imageformats\qsvg.dll
                              Filesize

                              41KB

                              MD5

                              74e38c4452a33394dc8cbd0feaca28a4

                              SHA1

                              19fbecf437339c2bb9d3ba85347d65719aad7efa

                              SHA256

                              8164c94194e27865e0321b049eb8d7f1110ef6f75205ba0bf93ba6abc2955391

                              SHA512

                              0a88b77aec9854285cee96038e18c216f878c04711e5b84e0da23f748dc8c267d99765121f3a7fe16cc865e462958e6e82bf7814cc2f65173a3822b8ad4e5653

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\wps\~e57d08e\CONTROL\office6\qt\plugins\platforms\qwindows.dll
                              Filesize

                              1.3MB

                              MD5

                              46258dfdb49b107d36f98848c76c5458

                              SHA1

                              2411ffa67f2a0071c50d65eae9647a5e85a3d001

                              SHA256

                              7704cf5e018397af594f7e23becc1f6d7d97a7b864396e8b6eeef7598267f34f

                              SHA512

                              c8cf3775230d01f54f866baf3b91430af1cf85275499af29b1cc9b200e211831343a6e665dbf6b0fa7172b3dc05d79f049b13001a7bf70da5c8665862a281ee7

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\wps\~e57d08e\CONTROL\office6\qt\plugins\printsupport\windowsprintersupport.dll
                              Filesize

                              71KB

                              MD5

                              2b14303439bb7fbff1223c7892a2978c

                              SHA1

                              5c95e9b614b8448956ca39d5ec5438f392ed8125

                              SHA256

                              11a12e72350068331d22c8967412768135fa29a8c70741aaf7f0cee9bf0b649e

                              SHA512

                              18a2e90ed3ef55f13f33ee7f614aee40a57b9e7a7dc531009f83b4d5de204b3cb8f2693c3afb1d16e29725360be2b5afa70ffa99936e9df6bba0c73ba20ef39a

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\wps\~e57d08e\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll
                              Filesize

                              145KB

                              MD5

                              0f5c8b1c2ddb3ed8269b3af87ce137b1

                              SHA1

                              7275ab3dbff0e61f2e5a0d30d7e71c444632d540

                              SHA256

                              af6b9c0f7d81d90677b504ee5dd78a8b656d09e566e5264dcb6ea45965ac7aaf

                              SHA512

                              1d62ce171bd0f57ef2d5a98939a9697a343b3c4806d6eaa4184021ed852aac0758d2ffaaf5d73777fcb95e18f6dc55b42e7c68111f37f06f6352818b7dccf29d

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\wps\~e57d08e\CONTROL\office6\ucrtbase.dll
                              Filesize

                              1.1MB

                              MD5

                              2040cdcd779bbebad36d36035c675d99

                              SHA1

                              918bc19f55e656f6d6b1e4713604483eb997ea15

                              SHA256

                              2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

                              SHA512

                              83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\wps\~e57d08e\CONTROL\office6\vcruntime140.dll
                              Filesize

                              75KB

                              MD5

                              8fdb26199d64ae926509f5606460f573

                              SHA1

                              7d7d8849e7c77af3042a6f54bdf2bb303d7cd678

                              SHA256

                              f1fd5f6ec1cfe0cc3b66b5322ac97568bc63b19c1e415b99aad7c69ddbafa33c

                              SHA512

                              f56bf11d4259dbf5d4d1f9fc2ad60ff609cddb21278999e9fa55fe5d74552e8a01ddc55cfdc9bf4b09b3e3130a1356142a24a7db8ec5ea19344de617dc9fa99f

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\wps\~e57d08e\CONTROL\pl_PL\style.xml
                              Filesize

                              3KB

                              MD5

                              034f37e6536c1430d55f64168b7e9f05

                              SHA1

                              dd08c0ef0d086dfbe59797990a74dab14fc850e2

                              SHA256

                              183a140011774d955e9de189e7a1d53cb4128d6abed61c7bfd5994268ee5f384

                              SHA512

                              0e1911c882152a4e1059a3ce1880d7fb2aed1e1e36cbd37055de2e2a1333acb2a0233ba2a4d969ccebbef1e77809aa5e78807aa9239545beae8c548c0f8f35c0

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\wps\~e57d08e\CONTROL\product.dat
                              Filesize

                              136KB

                              MD5

                              3765f1b1b58b1b3663e6ede39991db43

                              SHA1

                              1854e9b89074317a23389daa09df9366b17e5c7c

                              SHA256

                              a2eec34052179a9f891e5ca949c73e83564be2907d0a4ae999d5a7495e3d1e44

                              SHA512

                              0e6a7841214c703efa52292fc68f66e3b69068d9a6431ae1e55385ab6b0e7d92a6cd2fd4f8ceebd2c1c94e4519296a9ed24ed00534e1282337c813c4918b6a61

                              Download Submit

                            • C:\Users\Admin\AppData\Local\tempinstall.ini
                              Filesize

                              387B

                              MD5

                              c38481658f9149eba0b9b8fcbcb16708

                              SHA1

                              f16a40af74c0a04a331f7833251e3958d033d4da

                              SHA256

                              d0d73f49bc21b62fe05c47024d69406a3227da0f6b4ffe237726e6a031f188d2

                              SHA512

                              8f98d62f88442b8ef94aa10074e35aa8d9494f3c76ce8b143ca0bf7fa0d917f3175212fbcd6e7b0597fd0ec0e1b2827f157135512fb01c88218d36e2f7dd73ce

                              Download Submit

                            • C:\Users\Admin\AppData\Local\tempinstall.ini
                              Filesize

                              433B

                              MD5

                              a9519168ca6299588edf9bd39c10828a

                              SHA1

                              9f0635e39d50d15af39f5e2c52ad240a428b5636

                              SHA256

                              9e87b2ff306efedf7bf1074749b4602c332bc825aed80721eba19d5f544d2ec3

                              SHA512

                              0607eb1f5598320961fbd8ef75beeb1b6dc1af3cae7eeb5ba352f3e2a2edb25e1d9e68fb46c24e4299957352c0c906314c889c2d1092437eccc1d1a0485f3557

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NMZWEZ6TMOGF1XZIN2CM.temp
                              Filesize

                              8KB

                              MD5

                              99e4ae92e31b4dd184df46255832085e

                              SHA1

                              bf9c0c700c92d96faf4336819e0c218959c8ee9e

                              SHA256

                              595094ee91c98183925af98260c9cd99332cff7a26e4b11683692b3445ec9fb7

                              SHA512

                              bd143c0965331af41bec45695d025d2a2a239b99795449c1929bfc479df19538c1da609f0be91f644e4ea9184e4e1f4bce4c6b66f4610bf7b121adbe2604c1a4

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\cfg\onlineconfig.data
                              Filesize

                              108KB

                              MD5

                              ae989d65efec0f4e2d2fd97f30c96e3c

                              SHA1

                              b58905416fc97b05ba15f067f8df9fd927e30a8b

                              SHA256

                              634e4b8cb15d6a13c9c4fe0e61d5c988d6485a630cc886f8a7e81ebe7d4cc00f

                              SHA512

                              311caacac35446016b47aac3fbe0111af523c1c5281fe9e4d2ca32876afab02fa4636a3c96944956c9202213d80b44593d43044c7e9d22a44fa2bce4eb225e66

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\configs\configure2
                              Filesize

                              224B

                              MD5

                              3026ac3dbba22179aa89ccd63f47eb4d

                              SHA1

                              8a63faa03f5ef6e632d85bd930e61a8c07c2e8a9

                              SHA256

                              bc95ee0cdf0633602757305cdfe019d123c2fe6b556c8dc36a3af87bf3dca0a9

                              SHA512

                              9645aea81b80eb1b718ec4f6cc0dacca791be98c89f6f54a53987d8b96e41f699f3a068f405faf19b59146e548a94e895ff32d0e3ff4558e4ba7e172311317f7

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\configs\configure2
                              Filesize

                              224B

                              MD5

                              d54fd82ddb8c1606545449b12b180f70

                              SHA1

                              1e9006a3a9efcea468e89fabb8978541817f8e95

                              SHA256

                              8630eb71dbcee6080b9ce54e91b29e8d4663f087b04772b8ca1038544125dfac

                              SHA512

                              9c3dec997c8b4a24369f1b91c170c9e55f018c98d865eb33df36aebd7d3154772b212ca130b6bd795907efb4d47a450440c161da3674b2e0b5d1cadc32f537a5

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\ksomisc\ksomisc_2025_03_28.log
                              Filesize

                              5KB

                              MD5

                              edda1780acc9cc0d5e86a941de880b75

                              SHA1

                              e2ec1c4a5e448d3d72e468e0428e8a34460c5b76

                              SHA256

                              41362ceea55e23ee204ac184232d5688f86ea426effa851e872b56bf80ee1fc2

                              SHA512

                              0304835b57e0276fb6863b11ad513e05f222548119d9d0a97b2d8458422708d7856ddea18e312fbd78279627f11270cb5ba5494b9b984e9046a41fbdaa04aa3c

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
                              Filesize

                              49KB

                              MD5

                              ae0b33eb4df51c983bcee62be8491efa

                              SHA1

                              66adb600df15444c594c75d7c2750f604cb7ec98

                              SHA256

                              8af3ef475081a8e556fc719a4c01dc3d1274fa7298329a72d25a897dc3959cf4

                              SHA512

                              bc823a3f1e84ca697b668b3dad8845b027fd5f3456fa0a05152c637e28338132c7044934688676c903ecc0a57d461357f85f366e91df64f5d8d48f7f4f5fc925

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
                              Filesize

                              49KB

                              MD5

                              153cde8e968334f90d9ad6bf20aa05c7

                              SHA1

                              a98e327cf717f27966f17ca9930891f9e9b10914

                              SHA256

                              0a35194689f76d646b1fe5e4c2a5a2ae480d770b7c8e49c0ec810a850adffdfa

                              SHA512

                              9b85bd2b056f870c51d20f433c96c0430072ee502189094d4c33fd9c42af9b69d5e1e706446d19ec132631b7af23d8efb8c7b617f0b439e374178f3b6ade5579

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
                              Filesize

                              10KB

                              MD5

                              b6ba8f337e79b4f7a2cec71bfc444300

                              SHA1

                              864dc07511c50e5ca841763f334383066e40d210

                              SHA256

                              1b0bbfe5b4051bbde3af946a00d70f77bd2b5296aae33d687f490b5f301577a4

                              SHA512

                              4a134c23008e25705881a870f75169d6f310aad3e242beeb33e6c2a1250b0cd79b99d2feaf06be878d57c52243ea1afed826e7282ace27039d1f01fd3ebd9c19

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
                              Filesize

                              11KB

                              MD5

                              94e0b6f63250f65dff2ee782e017755f

                              SHA1

                              204c845d78004d4a1ceaa3a0b72d61ad8d8e2d6a

                              SHA256

                              5ca4256dcdfb81fed3d8cc0c3fbef32fb265f46b4861eee084c81a0d07ec5d1f

                              SHA512

                              b93768084ef2078f6c4571707fbb9842322e777bc14e3195e1b1eb020e94b44bc12f899a05e5c01780e0344856376a60028d3411232e63c1dce6df50b4d2ac1b

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
                              Filesize

                              25KB

                              MD5

                              63614358e6a5df3e83c453f64cf72b34

                              SHA1

                              2a333eef3a85cd05f08812d9a548aad802cc9353

                              SHA256

                              85e44570a10e36b32166cd43074afa6a14da35293378b7484a79dd77a9b81826

                              SHA512

                              38be496ae2df7acafd0f43e20bf513bc28b10cb7a586eb3b1e6068fc3015d2ae59139d0b6cfc6ce2952a256a19e5ab279d729a79f1e9888dfe3207bfddcf3d79

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
                              Filesize

                              41KB

                              MD5

                              4f9a5b7164c2f5b1b404b60466d39685

                              SHA1

                              fa0398fba6605bfdfea14eeba2d2c6c612cdd8f6

                              SHA256

                              2023884218c415322ddb1b6eb031349d48355b4d0625a88f7f4086ff80d8f2ff

                              SHA512

                              d712620deeb4b4702fe38f7aa0dc70109da14a2e664ad70f3b8e84ecf3ab43b90ece304ae38d2332868e54abf5abb1baf9a87e8552a8f4236e8415a8773e87bb

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\startpage\documents\WPS PDF Quick Start Guide.pdf
                              Filesize

                              1.8MB

                              MD5

                              c9d26278011584282ce019ac3b2d8f90

                              SHA1

                              e6ce56f950ca002ac83d5106cf65ab0c2a1dd547

                              SHA256

                              d505e9c1d7c656dd5154744dd49f2ca0961a339b918b6cd9dc0ba2d4c3abaf5d

                              SHA512

                              5497d1ce107cb2936e356a03f556e1b999f9781c46efc7f73bb8b06e02b24c15633894db408c83c5d27187b8038bb42d254ac4071106035be3dfe8b27d9fb6d6

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\startpage\documents\WPS Sheets Quick Start Guide.xlsx
                              Filesize

                              1.5MB

                              MD5

                              72ef0cab0914dd657dfcbe87ddcf3cfe

                              SHA1

                              8db133b42679f44977ee5fc23e2350cc7cc73030

                              SHA256

                              6f3c2c1d90a7f8cc36699d57c594dae2b9c9c1395153532d1705b18c4f572c60

                              SHA512

                              089440fada09f5951e72394d18a5a3d453ad7c91175f51996c7873b95c39fd3ad643ed74ad2ea0693a210ddfa2bcc021738d269a387f91ea2d9a5e96f79f6571

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\office6\startpage\documents\WPS Slides Quick Start Guide.pptx
                              Filesize

                              817KB

                              MD5

                              79a58639847101235f88137010909eb3

                              SHA1

                              f1db11a7d964159ce87c3d301efa37f6e21aa304

                              SHA256

                              6353fc0db85d8809daa62ce309ff834150e2549589692738f92f1b0ca542374b

                              SHA512

                              b7caafc711d6d1d916a96353fe1b4d4863129033cae32337fd5fa6ae01ff7347daabf6cd08c18fae0a99e8c7075faeba5db5bc05a557ef0c43fbdc97c186a9a6

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef_high\1\cache\Code Cache\js\index-dir\the-real-index
                              Filesize

                              48B

                              MD5

                              e56f249320755d82c3aaecf730442750

                              SHA1

                              3da7268af61711abb96ece66d915d93980ceffcc

                              SHA256

                              93fc824dbc551406150a29cdf7bb36269419c8646df26661db46513aef4d90c9

                              SHA512

                              a234fead4ea40305c720f20fdf5b2ab4cc328dcd0899abcffbc1a0d621ac8b5491ca7443526d72d148e8f32bad30a1a7fbdf72f46d7c2e77ae92d196fc31e24f

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef_high\1\cache\Code Cache\js\index-dir\the-real-index
                              Filesize

                              96B

                              MD5

                              cd38ebf525fdff779d8429971fcb24d7

                              SHA1

                              51589d4708c34c4cb3b63c9f2b1dcf97fc6e9da4

                              SHA256

                              c108e5e85ec416a85444fdbc6bc8fd57e3c470581b03a1da3e36381ed1fd4e23

                              SHA512

                              b0a866e67cfc8790f01cffa251efb7a2872a2cf83201aa54b8b5a9e1f04f1a0b5e0e618d59b233cbaef723513e90593c0aee82bca748c690988cb3fe046173b9

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef_high\1\cache\Network\TransportSecurity
                              Filesize

                              704B

                              MD5

                              d2212b813c466b5ecae4bb6c668d8882

                              SHA1

                              e55e2c7ad6817b1d3699128dc2ba91dec2b14539

                              SHA256

                              e3671d036fa22e5640801753b248ff780d0511244b4773134bcd8f35f456fabd

                              SHA512

                              f593998e2eac73513731e75d74be5426f452b72fbad5b5593484651b649c4d752ae4879e309b67df7117716f150ce0041b330496d1a93fc15113dec58bbc232e

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef_high\1\cache\Network\TransportSecurity~RFe58e124.TMP
                              Filesize

                              370B

                              MD5

                              bced9e1d344e32d4b8577e2b6a54a352

                              SHA1

                              be2091c9b9b623d79f0135ccadb7349906835b6e

                              SHA256

                              0b6801c1e93960041bfa5ccadfa59a1a1faf870281ef39bb75a0f69247a1568f

                              SHA512

                              a387d6990ce9dda4ad578ebff702432bb4e17f0f8164297cb589fc8feabf1a3bbbcb3a3e93a4b29e81dedd632bca27e6e9a349546177a95bdfb0da1f3d07796e

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef_high\1\cache\Session Storage\MANIFEST-000001
                              Filesize

                              41B

                              MD5

                              5af87dfd673ba2115e2fcf5cfdb727ab

                              SHA1

                              d5b5bbf396dc291274584ef71f444f420b6056f1

                              SHA256

                              f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                              SHA512

                              de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\cef_high\1\kwebstartup_commercialize\Local Storage\leveldb\CURRENT
                              Filesize

                              16B

                              MD5

                              46295cac801e5d4857d09837238a6394

                              SHA1

                              44e0fa1b517dbf802b18faf0785eeea6ac51594b

                              SHA256

                              0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                              SHA512

                              8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\kconfigcenter\kccsdkdb\kccsdkpriortydb\mdbx.dat
                              Filesize

                              64KB

                              MD5

                              2a78cadeffad75fc10293910dbad91f6

                              SHA1

                              4a6ab719788aaa25e978912739921e1518cc45fe

                              SHA256

                              a1e127e1bd09c0370843f4552674684c14fd8735e6edafe098ff67c4dc360e60

                              SHA512

                              7e8fddb392976cb989204cc24ec6bd036743693864d084bef8e9d3510d367770250238af21532cd56499c31b1eb0601b49dd97af5b0e331b9b8e22728625c017

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\list\win-i386\12.2.0.20326\plgpack.plgx
                              Filesize

                              8KB

                              MD5

                              8234f60e0d18218842024afdc7457617

                              SHA1

                              0c68389360b77ce377e8055b39c2e61a989b054d

                              SHA256

                              41bf21e3b2931f53541beded0a88bf732b6902131434cdb9397a3ccddf94d955

                              SHA512

                              6b9425403ae6c552cfb828bbd7d7c516688353032307aa1879cb800c434411e6c7c6faa9585dff15228c36f5b121551f74e49c932c328b582e37ab319cc78709

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\chromehost_1.0.2024.93\chromelauncher.exe
                              Filesize

                              111KB

                              MD5

                              416319f41502a87076aa0369da03a8a2

                              SHA1

                              433982cef3594f74a531b884fa231fda5624e670

                              SHA256

                              48d18dda6d435e202b1d9f4264ab60759e0049f32bafa9a4ed65991d2a0e19f2

                              SHA512

                              e685810d3fc9aad11e58fde29d022343d59a4368b766cc36cbc28ffddc6d350548e79eff4fe78f47f05c71f74e3d7128160511c4bc0fd84b915a7a1b342c3f16

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\chromehost_1.0.2024.93\download.7z
                              Filesize

                              2.2MB

                              MD5

                              34b00e2613827b414f52131a9d64ec0a

                              SHA1

                              981342b0b3a1f3c70546de6394f033d0ea89ab9f

                              SHA256

                              4f7c2da2b435ebb48d44cd0637df2fc9100808d595e593ed671734a2db0a035c

                              SHA512

                              2dcf5ceb166644351cc932669042fee5c5d7e7c550b4a316ef7e8f1a3fda1bc70af1440910e7e2fb25a10bad7efb733b9dee464b0f1a4ad08efba3994c487f73

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\chromehost_1.0.2024.93\run.ini
                              Filesize

                              443B

                              MD5

                              4e1aecfb8f941521e3a16cbbcf1e3418

                              SHA1

                              d61831a61049424ce80f5076e91be965d764e32e

                              SHA256

                              bbc30b97c2d501333061f4f77439a2da8e8454b8cf5602467af260c9bebb6b18

                              SHA512

                              ee74b3eba02b80ca9032d1c1afc5b436031e57ac4a7a52924185b2c8eabae81f3309a089fb9f23864b43363d9d3587a7338da2c4e1c33991d5648ec361c9a9ef

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdiagnostictool_1.1.2022.202\download.7z
                              Filesize

                              326KB

                              MD5

                              7c4ee39cdee113b4b08aa821efc85aa8

                              SHA1

                              da8348d9a020cc8074253fadfcc0c270aa36e8f5

                              SHA256

                              a8ca5711d8f131984844c56f07051590f746ad555f9cd88716d99bd3fdcc669e

                              SHA512

                              318a56c5e55778ba255a73e281e50650ed4b7206b90ef41113f8fb4a3d4208981a3d1f5a45ba9c4b36677d2fbbe11e15f1cab6294e58b4fc4526d3e904788fc4

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdiagnostictool_1.1.2022.202\mui\es_MX\kdiagnostictool.qm
                              Filesize

                              3KB

                              MD5

                              5afc7d8ba894df59c2b3f44726cfc2db

                              SHA1

                              a21a7a8fd943455fa47cc5d950603bf1bc5a145a

                              SHA256

                              4824e414e29358d0011ad1195059bda195a90cedfbd4c0f07f8cdeb0e84dc2be

                              SHA512

                              a9a040e0f3555f61094b42202581a262d29377d414dc6a87596a2bbe4daea8fa3bf2eb10ac52fa6d94a522d54f404e247ee7b272cb41acda898ed6734c8ed639

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdiagnostictool_1.1.2022.202\mui\fr_FR\kdiagnostictool.qm
                              Filesize

                              3KB

                              MD5

                              62f3720e184f094c874fe0eab7f0f598

                              SHA1

                              cdd858a80bbd1268e7c5278ebe19c35659871d2b

                              SHA256

                              bdf3b27cc070b3cd9deb9a5e2bea450382d6851723c266eb0d5f3db4798f5a14

                              SHA512

                              14f532053b0272fe0c614de9b56bfd9ac85aee11e878e099531250b00f667d2428789e81b5ded64cbe51dc8e3e8e19d7cea8dc08314b1c0274de15fca17b92b6

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdocreminder_1.1.2021.220\download.7z
                              Filesize

                              144KB

                              MD5

                              abb3f45352fb78ebb161d62d1de9f159

                              SHA1

                              c932265633b631bf2e6a7e5a761e8a4915b1a304

                              SHA256

                              15b3be5436e1beb30a4e3a4916dd05e86135daad3a9bc95b3206812999ab3d2c

                              SHA512

                              61cda8cca18c788c0d8c45798c3fff0cd906fd9901f810f0e4f812c041625913037b1d37fda6e8fbc8f8cc23295aa48969596af53565caf42b15857a9a03c902

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kdocreminder_1.1.2021.220\run.ini
                              Filesize

                              292B

                              MD5

                              da4b75c3d70c08be415e7b25abdc11cf

                              SHA1

                              c84dfbb528a3c8ce94d068dfc5fbdf7d621d0225

                              SHA256

                              e93c62beee030970bf56bf0a3aa372ab0b155c1c3436173617c8c735024e8f36

                              SHA512

                              0fa811055deed42a6cbc0f16f93da173718f4169ebf8d4ea125276c6225ba033c7644a68ee010250379b67a057e17e5cba6351deca067850ab318c505f49e491

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\knewstylewebwidget_1.0.2024.78\download.7z
                              Filesize

                              32KB

                              MD5

                              799f7fe810b93f30ec8fbc4b520d0e49

                              SHA1

                              5fbb1d4addf7cf0f469fe742a91a165258ee63f2

                              SHA256

                              e10a87579d8a2a5b937a4a7f56ccb6a26a441ccd243a0d621a784d4462cadcda

                              SHA512

                              e86d1dd1b5c317c49983f00b8da5cb13fe3e9fbea911316adb6cb83a5ec929721794783f9d8fdcc2f08a097fdc2c11c3f6e52c66e2a39e2e7a9130daa0a08be2

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.51\download.7z
                              Filesize

                              2.7MB

                              MD5

                              adec128c10d7b21456ec0f54c7fa526b

                              SHA1

                              df0455c96fe5334c7011c43603706a3d5f7a27d0

                              SHA256

                              0f4a44c5852c7a871fbf6d52f3ced2d633ab0e04d0db83cd0719218f69f4bd1f

                              SHA512

                              3ae3607edc919cf0381187d5486771710ead06d84d3375e234d9ae3f07ce0345cc0112a94c5de204b3e36facdccf44561d07b1ea4b6560e58ebb4e393724e612

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.51\resource\premiumcode\element-icons.ttf
                              Filesize

                              54KB

                              MD5

                              732389ded34cb9c52dd88271f1345af9

                              SHA1

                              8058fc55ef8432832d0b3033680c73702562de0f

                              SHA256

                              a30f5b3ba6a48822eae041e0ca5412a289125e4ba661d047dae565ac43b4a6b2

                              SHA512

                              e8971ae48f5287d252f5b0a2d0516091bef0d2febf7d01fd7b435e426d106fea251037439ec42c2937e934b66f38e5eb43d00a213cdf334f482f4a06b1817f9c

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.51\resource\premiumcode\element-icons.woff
                              Filesize

                              27KB

                              MD5

                              535877f50039c0cb49a6196a5b7517cd

                              SHA1

                              0000c4e27d38f9f8bbe4e58b5ce2477e589507a7

                              SHA256

                              ab40a58972be2ceab32e7e35dab3131b959aae63835d7bda1a79ae51f9a73c17

                              SHA512

                              da269b20f13fb5b0bb4628b75ec29e69bb2d36999e94b61a846cb58db679287a13d0aa38cdf64b2893558d183c4cc5df8da770e5a5b2a3288622cd4bd0e1c87b

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kqingaccountsdk_1.1.2024.51\resource\vippayment\main\img\loading.svg
                              Filesize

                              1KB

                              MD5

                              544223e85768fd134633a1af9d5bf536

                              SHA1

                              5536a0023ddbfb2ab67e9ad8ca4d38c60f413b9a

                              SHA256

                              a3df9710c7e09fd8cffc14bfe45f5a1576deb1846ced44e5050b34caf5527049

                              SHA512

                              a5cacba054d41af8efd607074c02f36ab731b5d6bc9ffd3bd7ce6b09a4af09b31e29359eb965728d2a00849467b1af66e16186a0c07b4415b3b423a5ea4f68ca

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\krpt_1.0.0.116\download.7z
                              Filesize

                              1KB

                              MD5

                              e70c324fa11c0ec0c62d734672810381

                              SHA1

                              ab19c58917a059a3efbcb4b72e4dcd943a665212

                              SHA256

                              7af6c5ceb290ff91fdd9d2d756dd728b61925da67465e102c530e76ef8dc6ad3

                              SHA512

                              810f5ac81a0be2390402d994da56ea2ae1ee0cd2c46f892bad4a082601b31d75d328b5941fd4a9574d49d4bde7f58a8bca9171fc0928a772d39976e4b81c9a38

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kscreengrabapp_1.0.2020.277\download.7z
                              Filesize

                              22KB

                              MD5

                              6f316d600e4c69f6c1e80406eadcf296

                              SHA1

                              cd63373c843749eafc4778731d53db786e7c58b7

                              SHA256

                              cfa29b7fb7f2a27cdc81f6048b14cfc16c5d10bd312584deffa485bc9102d100

                              SHA512

                              f5963b7fdd099411366fbed20ad6070f7bc1ff574bdf4f1f28f9e0c6d4826e3231e2651c387286b8bbe2d5289829ee7ff0815ec8931528728f69d3d3fd0cb2c2

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kstartguide_1.1.2025.6\download.7z
                              Filesize

                              4.9MB

                              MD5

                              f2fa4154ae36239ceb6a02e822e2aba8

                              SHA1

                              b5e7e38dc304dc7f4ef72b5604cbd331e19e32e9

                              SHA256

                              915d4c13e8ec8b811541b9a2929e5cf2b003910e31388906d142bf6109543926

                              SHA512

                              afee8e8f7031628f60c1fa32c5ae8938f322e199146f000c2c99e287d060d70275e8b501fe4e6ca76e95cfe26536f91cf717d94683ab0c237b8a6694f59de995

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kstartguide_1.1.2025.6\mui\default\WPS Docs Quick Start Guide.docx
                              Filesize

                              1.3MB

                              MD5

                              76889feb35682ae87fa8c7d348c73d45

                              SHA1

                              d0be5bef285eb4766c63113ddd9137fc9a10355d

                              SHA256

                              8e9054b01459a422b4ba0ac2436cb0c878cf584dab83e911f128a6231389ace1

                              SHA512

                              25127cb55d3f966b82748f303eafc42ecfb209526219a09f2fda5d1784d2ffe8e6911895ebae7d9f4d73a6166349e27e02163b83acd09b95121638f57d462c60

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kwebstartup_commercialize_1.0.2024.6\download.7z
                              Filesize

                              19KB

                              MD5

                              f77d45f841faa297beecb94c0b64479b

                              SHA1

                              52ff585e16c2307f3559d41be351a4e67522ae25

                              SHA256

                              5440ecb3d0a924c412e502c739db9e78bcdab38867d6f2340b493b79ef67c6ae

                              SHA512

                              8048a6cf450c7ccdbbb0822ecb07796c27c604a511963b30722ae75be09e81bd6000f2def895da9364e3933b3c116b0a4b3339504a0a47cbef71a49d4e526dac

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kwebstartup_commercialize_1.0.2024.6\run.ini
                              Filesize

                              303B

                              MD5

                              c646b8698a216d20e84200150b24eb0f

                              SHA1

                              d6c9929f7197d6d9a7406df5ea28f04d36fb0ed4

                              SHA256

                              9378a1ea8baddf207fa68aff55acf14f68e348c6dba6bc800e25da37b84a740f

                              SHA512

                              8c2e63b2bac753a285ee0181cb8fd3e27e21771fc3ce9a28f158b43dd1c377945fda17652bc742b30e573cfd45660db642e68db49680bb812d9df1eeb9b2656e

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kwpsbubble_1.0.2024.95\download.7z
                              Filesize

                              71KB

                              MD5

                              9c4277122594cafd8c5bd4f77be68a9e

                              SHA1

                              0ae16aadfb14bce093194ceb6836ed25fc16e894

                              SHA256

                              9ae2eb0fcb51c30d35cb51fba635df367f39605402ef1f1799821c00f7f0b7d9

                              SHA512

                              a6c8b1983ac5dd287b4a9d8f7196159e7d13dc05a92c9a4c2b58f5f2e67e0225e1e49338cc7f5b09a4dc5f802ece9c2f46ddff603c34e97348893da08ddf27a0

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kwpsbubble_1.0.2024.95\run.ini
                              Filesize

                              311B

                              MD5

                              236e5baf01686e858f69fca4cabf90cf

                              SHA1

                              5247a8fe0e59ead62affd63a9f8e9c4f13f05def

                              SHA256

                              226e9b2204745d5b685d0d22a6a3eed8b7f2374d0aeee799f4320cb500235df3

                              SHA512

                              ad3b13639da06cd30ff18e3c4cf2b5a470d28fd63ab8ea84a50c10ff5b4cd0a7d8a6344c5e3a501a8f5da351a5164326b157a1bfa742c1a65ccf3972c3814854

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\pdfwspv_1.0.2024.81\download.7z
                              Filesize

                              5.7MB

                              MD5

                              e7a4f4990dbf88bcf35b185a8ec3dde7

                              SHA1

                              6497ac4d69a81d3809b6a11747c838abe1f8c31e

                              SHA256

                              28cb1eaeb4a26072da4e6e10396ca8d9ab8b0bb14b39739fcf988b4188cd192c

                              SHA512

                              5945fd8f498226a59a5d1f9edac74800800e4f32c2f1f65dfe345d13d75fe1d6fad9df044fb1c8a4947ad72561ee6d044e1cbfe241e7e647e997fe9bd158f3d4

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\pdfwspv_1.0.2024.81\pdfwspv.dll
                              Filesize

                              414KB

                              MD5

                              3a1ce0c85535b9a4693e19390580ae78

                              SHA1

                              5db80085d38036784b492c29bd0bea013f777a1b

                              SHA256

                              0490fb128550aafd00f0b589c2332c8f7853b4574aa4ce78f243df9741cdeb0d

                              SHA512

                              cfec30f56946cf16e8f4e3557f368d38bcbebe1a4fd3be0d67ea1e4d705b2a72fab1a50f8f241d91fdbc5fea66f0b0298e55ef90680196070853e566dd33b973

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\pdfwspvreg_1.0.2024.81\download.7z
                              Filesize

                              23KB

                              MD5

                              f013b7c4b11e39b695025a283cd2afa5

                              SHA1

                              e343f95fd5ab0c8834e654459ae0fa67152ce966

                              SHA256

                              c9a124f9a4cf55f3ce27714b0e31fcaa29d3c12d25cf60215dc49429dda2e00a

                              SHA512

                              0d6e41a2ff4777068c8fd0b7294a6fb4ec07061bf9e713eb517b1304015ed2e72f827145c3950c4f70420bd7c95e21df207187cc1b19d1d77ff6e4ec7148bd03

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\pdfwspvreg_1.0.2024.81\pdfwspvreg.dll
                              Filesize

                              55KB

                              MD5

                              4e8d83effdd04b9a8fea4853d84cee3c

                              SHA1

                              56950f40d0008c21cfa396dfb53d1a3e9a7c5d42

                              SHA256

                              9e00062b12454d9ffe208001b9eacf880d82ccf3cbf5b54cff469f913eff5555

                              SHA512

                              a6986fa6614f7a3b5baaa29f29dd87ca04cecdf510a1d662665e083d767b4501db26b964d0acba02465d6ad8a7eec3a64e76d239b245efbccf5de7bfb7221052

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\pdfwspvreg_1.0.2024.81\run.ini
                              Filesize

                              253B

                              MD5

                              0d914e316c8fc542e5685b1598899979

                              SHA1

                              52e575fc0c66b60cd79d29ae4486944cf06995b0

                              SHA256

                              484e6146403c96eaeead06a97a8ed86d67334a9185bf009a44f7b1cbe5402e2a

                              SHA512

                              77ca461895bc65f31dd8fc5182dbed383804b4d3315e210bf65195776510bf9c09c11d87589796ec1bd272f67762e5ba28be4d64b8a58f2577cb6da79dbd7319

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\photo_1.1.2025.15\download.7z
                              Filesize

                              7.9MB

                              MD5

                              e5d13348c12b057e3c859b14fd7188c0

                              SHA1

                              9fe15b7f600f4e563f4b526ca536088921b633ca

                              SHA256

                              7b24aeda7c904257f47dfb3f440ece9f1773d022e77bb3505e4eab1d654c6d52

                              SHA512

                              10610e252ad491c3f2b4b627cd9e3e2f54bbec7abb7ba8af7cc87e4c662e1cfd6e5c5fde98351d37f76c801fc58d6412c5d2bbb24f8f5f245bff49e3d12861a7

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\photo_1.1.2025.15\mui\html_loginmenu\static\js\manifest.js
                              Filesize

                              800B

                              MD5

                              8def9f056a8244b677dbd42be7bfc987

                              SHA1

                              460f4946c829d43aea3d731b2fc2babb81ed4b71

                              SHA256

                              77b87f2e8468b07df6dcb7c12fe7cedc619153bb8489b20e12fb5092136cc948

                              SHA512

                              2d00b432a7b8f2245f600dac1a90052e6baae8e89c5766015d65120917d94c8cfe3684f86c2f5a3af4af31d635c081fe714c2a1ec6873801edd0793ebb4eb918

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\wpsbox_1.1.2020.293\download.7z
                              Filesize

                              590KB

                              MD5

                              7e182da5a92d673e1cfd11faab6d4ed9

                              SHA1

                              ce93e2659d82f4708c69c5c2ddbdafa9e206dd30

                              SHA256

                              2dda4de5a89dfb5753a1f1f7f537223d111cd44c7b44cdbebde33248aff7f1b1

                              SHA512

                              8963a9c6ddec81dbe62ab48e8993f1c94f2610d300804ded9a2a1cc6e8b4782e2aa10860d4754d692c5851dea5afbbd7ffc9836c28586070a67d7b28fcc63f5d

                              Download Submit

                            • C:\Windows\SysWOW64\perfhost.exe
                              Filesize

                              1.2MB

                              MD5

                              a02fa775e9dd53c40eede66da47ca6b0

                              SHA1

                              844c1febcd27a6bbf51a9a29a6a33700609496ba

                              SHA256

                              468f90e474a101a1e8abae3ba60fac4bf51a7cabc8c3eb8f7e5a985608939295

                              SHA512

                              48542fbc6059db454bda76ca16f5ca02958bab10edbf21050f947c033c0f15b26628b6395cd3f1ff4a76474511d7071bc931dbbb7e026a7bff4416ecce20d901

                              Download Submit

                            • C:\Windows\System32\AgentService.exe
                              Filesize

                              1.7MB

                              MD5

                              aad00786cf6068be51bf11f5d90dece7

                              SHA1

                              ddc0f746b11a627d7dc3e57310a9c0aa6bf0eafd

                              SHA256

                              8d729d070030c50864e974ebe53d5430e59753a710eafe15cf3ddf878c130f4b

                              SHA512

                              bd3e3f1a35f683a913163122df0a6f0e8929ce7cee04609cd818b120ec420bc402f5e245607b7671bedfb877c9cd6db63a8f9919872a26de942a6e4b74015032

                              Download Submit

                            • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
                              Filesize

                              1.3MB

                              MD5

                              5e97b3a65f7f89c7f3290474e0e79dc2

                              SHA1

                              4ec4d912d9342e1b3b09584ab1d32f0bce8e2996

                              SHA256

                              50ee6c10c0ac2d8928a51cc1ed80bf8c6230e90035ba26fb405cdc66f50a99ee

                              SHA512

                              e5ae319d8ccef24fb8cd9651254bf9f612b72782fde8c0f23c5bffd013ed4082714369519ed25fc142e4f490d165d60722e2065f4b6ae473452c80f4e8d12b31

                              Download Submit

                            • C:\Windows\System32\FXSSVC.exe
                              Filesize

                              1.2MB

                              MD5

                              f355d3c427b66c9095b1827adce59d5c

                              SHA1

                              908c3d7a8655e5527e5c0386486f0f2547f49636

                              SHA256

                              919a610ac99f526e6976b12b038dcb97c2fef55c2ae6d1dd0725803a1bba723f

                              SHA512

                              b694ea2c64dcec6f4c7e25745571f393d5b17f828534cc4163a0195907fb49c7ac0e1c8d103e3b2eaeb035b4aee7d958b978a2c6fa4effce62c82289f58b6ed6

                              Download Submit

                            • C:\Windows\System32\Locator.exe
                              Filesize

                              1.2MB

                              MD5

                              a9d171f1ccbd8147c9c1105a27f7a656

                              SHA1

                              fde50bc1c7bacdbb33a600eae23d804c8d5a4b40

                              SHA256

                              edc9c4cd9cfb1b316e4f3ac27d890065855680b3705c27860357e6c03e15e50e

                              SHA512

                              a026bc2eace33516bbc3453b4915f047dd7481f9cded6237ad701bde89b47c325e10501120452e96cf1f05c2ad91ca7245d3c99eab1d3921442a0ef92d8ac41c

                              Download Submit

                            • C:\Windows\System32\OpenSSH\ssh-agent.exe
                              Filesize

                              1.5MB

                              MD5

                              3db2f16d0a5a6da101085696c3e7a353

                              SHA1

                              468088997835c71ce1a2b01180f121b11db49a5f

                              SHA256

                              89925cc6537ad1bba5d30be5508f32b9a78ce30f3e9a6f26bde6f4a1b87d9d0c

                              SHA512

                              5db353a6e203397ab0d094673ad858622dfc1c7d114bc5388922e53c508254c57f611f4646307e72b841184c91fcb002bbd99948d5801d933c2c9a129cbabd3d

                              Download Submit

                            • C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
                              Filesize

                              1.3MB

                              MD5

                              162bc6b731b99a9fbc945855a9e45ab4

                              SHA1

                              80523a5d4c7a908e9e143a73b879907eb5b1c490

                              SHA256

                              0dd639d64d8791057df8f62a3e893a270bc6203156dfece8136d24b7705d7168

                              SHA512

                              4e13f2627cdba7710f7533acc760b97c3031ca346243dca32652eabe2213a81292318e43dc9d146446538e26b0276ed86d1a605d58d4e14cd2f20be0c8d8f79c

                              Download Submit

                            • C:\Windows\System32\SearchIndexer.exe
                              Filesize

                              1.4MB

                              MD5

                              15afae2d6e03a094e15de0e16c335ef8

                              SHA1

                              161697a94dd2781e03ac1ee4386664c8f6109d02

                              SHA256

                              d75e2d0d27b4e9b13514bbefed442e37dc77084c9379196743fe1af7af4cb5e7

                              SHA512

                              8d420b36e2bfb56a487f88d5d0c63f557329f34ab5aaf4a4eaea545f43198a28aca77278c3c2b85f50aefea35a5082791c8bacd82ea53eb053acccf01ed884f6

                              Download Submit

                            • C:\Windows\System32\SensorDataService.exe
                              Filesize

                              1.8MB

                              MD5

                              60d552e498d8489730f87a36d2dc6a26

                              SHA1

                              fdf75e06d8c946957f5e129efbb3e63bbdc2d4d8

                              SHA256

                              75eefff1ba768290ef64ce66d626bbc060bd867bb9ff7e6408339d272961571e

                              SHA512

                              bb068a883b3368ac986a3bc4809263213d2f77fc4c40154e101388da81fb82090979b3e880a42ee112637486e6ec413cc20fe99a78155454be84b2e83d85201e

                              Download Submit

                            • C:\Windows\System32\Spectrum.exe
                              Filesize

                              1.4MB

                              MD5

                              4dd365b02479014e7a0cf6a4c279c7bc

                              SHA1

                              46f20376f9e3b3bc39cf6263f7b8ccb0af28ddaa

                              SHA256

                              d49ed5315cbeb226f9524e198808ce70b97bc90869a053a777ea4a9369c5af3e

                              SHA512

                              cc52bcfd6d4b26396ec9e1bd2b15e41edfc58c032550cd8b32ab7deac4aa5a56e2904347fda5191f014ebf2d42c32b20fa1931bc6fde94d246ebeb0435f8e662

                              Download Submit

                            • C:\Windows\System32\TieringEngineService.exe
                              Filesize

                              1.5MB

                              MD5

                              419d20d79c3fe850c9c3929ef4fcfa1b

                              SHA1

                              6494816165ff4a49a4aa82c9eacddb14ca8195f5

                              SHA256

                              f2d4fb842556297f63afb6217fb4794937f6ec9ca2f27b7039b9f0ddc183982c

                              SHA512

                              49b7d460b46ca5faf6462927f68218a13414a6e36b4f2f0b281215003846f9a046fc2a2d60cf08a65239ae433354ac44085f53ffd8b2af047997842d3fe53127

                              Download Submit

                            • C:\Windows\System32\VSSVC.exe
                              Filesize

                              2.0MB

                              MD5

                              05b06d69a0c88e02ebfdf1b780851336

                              SHA1

                              d1d097ab836a31ef6a41963c5366a82d7af2c098

                              SHA256

                              ecf4ad3e73cb374f6b3e302f74c8ad14f12a748ab634ec915d2994a1ba898cfb

                              SHA512

                              b47b9382c872e7821db2b276783b3e3968da8ff1b5c006358d36c39207feed477a1f7085987a75165c11edeb6612074028bc24255f8e01023181cf7a33c48fe6

                              Download Submit

                            • C:\Windows\System32\alg.exe
                              Filesize

                              1.3MB

                              MD5

                              31380a08e41bafa10f5a0cfdf6d54f57

                              SHA1

                              15aeabff99aa18328d48f30e05872e2d350b202d

                              SHA256

                              64ec5391dd1108656fafb229b17931ed2d19dabe26e8df8c96df6edde8e8da4f

                              SHA512

                              fb81f63101a04ac2c789702d8a3b56e7d01fe7d00403229748c8bc2e1eec29d913824a09fab1a0e34f43ea6712eba76db883a0cf27e07483d31130dd44c38d42

                              Download Submit

                            • C:\Windows\System32\msdtc.exe
                              Filesize

                              1.3MB

                              MD5

                              603a3e13f8bd8595ea09efef1cedea0f

                              SHA1

                              a9b23f11d5a520ee470110e55fff40fbb2c3a5aa

                              SHA256

                              051104e790c477123e76c29f655119d7f469e794363e957c5e3a511f359a5edd

                              SHA512

                              0b5ffbf2af8ba4548f9f1dba359123e51f4dd1ef8a78bf4e60b9cf91ccc45ec4c3b3cc63a2e90289923ac10b4e7222deca770c5f35f5532626b8cacf0e943596

                              Download Submit

                            • C:\Windows\System32\snmptrap.exe
                              Filesize

                              1.2MB

                              MD5

                              d132277cd32680f0f61d073916d529f0

                              SHA1

                              5e37a7baea3c8562c4def13c09e76727812701fd

                              SHA256

                              942c7048e024bc88dfd9b9e2bd20e5cac8b1d077d6f5e9ee60a2dcf7e3231427

                              SHA512

                              f4908c3f8e03dcb2ee0999d3ad3f3e2fd8a5b1caf18105e298ab9efd3df895995733ae06263523e51f455f28176487e73d28f1cc973512b8ddd3e03faea28fc2

                              Download Submit

                            • C:\Windows\System32\vds.exe
                              Filesize

                              1.3MB

                              MD5

                              944351ca85b2466460c0273c04243feb

                              SHA1

                              b46acff75ef0fe122e26c918f1093b422d064442

                              SHA256

                              ce4a83f95a0269a5e916ccede6482b8aa9b579c5ad3005512085f02796e396ed

                              SHA512

                              3b8c478b0ffce2049bf9c28b3097d26f5eda8685a0cd2a4862e756c38c3e551687c73a684e88f48a9c43e04d80e337e4ed01fd820a2fbcec67f108a50210c1ed

                              Download Submit

                            • C:\Windows\System32\wbem\WmiApSrv.exe
                              Filesize

                              1.4MB

                              MD5

                              35c785632b7c10e91eeff00399d0a323

                              SHA1

                              7caa4afda5ab73d7c2aab188c5442c3453c6e219

                              SHA256

                              e06148954e2b1cb0ab819a08e308fe8b981575d772fa7aa545c8e3f45a4e6f30

                              SHA512

                              872fbc5cb5f7a5a8c9397a2936c063e5697c89cd6a33d544d1d641f7d7335a5ec6cee162c92c24c582055e262b4181417fd2140399e464314582c84b96cf111b

                              Download Submit

                            • C:\Windows\System32\wbengine.exe
                              Filesize

                              2.1MB

                              MD5

                              9a1e58cb36e666bdc343417432e467ad

                              SHA1

                              4ae5af07bb0b7689f8ecada238135cfb309d4d32

                              SHA256

                              a26198814de3798eab6f5136a72a225c7d489d69df0fda9c433e095aaa3d26b0

                              SHA512

                              820125ac208a47c54625dcee2d852c4907986a0c91b227f90075d75a27d2fd9154bcdb2ec87c7c035f7ecbf0ef6b1adde6a9ff7f5ee0eb5548dbe5a6138bc9c7

                              Download Submit

                            • memory/220-490-0x0000000140000000-0x0000000140179000-memory.dmp

                              Filesize

                              1.5MB

                              Download

                            • memory/220-275-0x0000000140000000-0x0000000140179000-memory.dmp

                              Filesize

                              1.5MB

                              Download

                            • memory/1480-6720-0x0000000000400000-0x00000000009E6000-memory.dmp

                              Filesize

                              5.9MB

                              Download

                            • memory/1480-1-0x00000000009F0000-0x0000000000A57000-memory.dmp

                              Filesize

                              412KB

                              Download

                            • memory/1480-8-0x00000000009F0000-0x0000000000A57000-memory.dmp

                              Filesize

                              412KB

                              Download

                            • memory/1480-0-0x0000000000400000-0x00000000009E6000-memory.dmp

                              Filesize

                              5.9MB

                              Download

                            • memory/1480-69-0x0000000000400000-0x00000000009E6000-memory.dmp

                              Filesize

                              5.9MB

                              Download

                            • memory/1540-86-0x0000000000EA0000-0x0000000000F00000-memory.dmp

                              Filesize

                              384KB

                              Download

                            • memory/1540-88-0x0000000140000000-0x0000000140135000-memory.dmp

                              Filesize

                              1.2MB

                              Download

                            • memory/1540-38-0x0000000140000000-0x0000000140135000-memory.dmp

                              Filesize

                              1.2MB

                              Download

                            • memory/1540-45-0x0000000000EA0000-0x0000000000F00000-memory.dmp

                              Filesize

                              384KB

                              Download

                            • memory/1540-39-0x0000000000EA0000-0x0000000000F00000-memory.dmp

                              Filesize

                              384KB

                              Download

                            • memory/2240-318-0x0000000140000000-0x0000000140169000-memory.dmp

                              Filesize

                              1.4MB

                              Download

                            • memory/2240-167-0x0000000140000000-0x0000000140169000-memory.dmp

                              Filesize

                              1.4MB

                              Download

                            • memory/3548-199-0x0000000140000000-0x00000001401F8000-memory.dmp

                              Filesize

                              2.0MB

                              Download

                            • memory/3548-90-0x0000000140000000-0x00000001401F8000-memory.dmp

                              Filesize

                              2.0MB

                              Download

                            • memory/3548-91-0x0000000000630000-0x0000000000690000-memory.dmp

                              Filesize

                              384KB

                              Download

                            • memory/3700-140-0x0000000140000000-0x00000001401D4000-memory.dmp

                              Filesize

                              1.8MB

                              Download

                            • memory/3700-240-0x0000000140000000-0x00000001401D4000-memory.dmp

                              Filesize

                              1.8MB

                              Download

                            • memory/3972-489-0x0000000140000000-0x0000000140205000-memory.dmp

                              Filesize

                              2.0MB

                              Download

                            • memory/3972-262-0x0000000140000000-0x0000000140205000-memory.dmp

                              Filesize

                              2.0MB

                              Download

                            • memory/4316-227-0x0000000140000000-0x0000000140147000-memory.dmp

                              Filesize

                              1.3MB

                              Download

                            • memory/4316-441-0x0000000140000000-0x0000000140147000-memory.dmp

                              Filesize

                              1.3MB

                              Download

                            • memory/4504-7680-0x0000000000400000-0x0000000000577000-memory.dmp

                              Filesize

                              1.5MB

                              Download

                            • memory/4504-6722-0x0000000000400000-0x0000000000577000-memory.dmp

                              Filesize

                              1.5MB

                              Download

                            • memory/4584-85-0x0000000140000000-0x0000000140214000-memory.dmp

                              Filesize

                              2.1MB

                              Download

                            • memory/4584-83-0x0000000001A60000-0x0000000001AC0000-memory.dmp

                              Filesize

                              384KB

                              Download

                            • memory/4584-72-0x0000000001A60000-0x0000000001AC0000-memory.dmp

                              Filesize

                              384KB

                              Download

                            • memory/4584-78-0x0000000001A60000-0x0000000001AC0000-memory.dmp

                              Filesize

                              384KB

                              Download

                            • memory/4584-80-0x0000000140000000-0x0000000140214000-memory.dmp

                              Filesize

                              2.1MB

                              Download

                            • memory/4632-129-0x0000000000400000-0x00000000005D6000-memory.dmp

                              Filesize

                              1.8MB

                              Download

                            • memory/4632-237-0x0000000000400000-0x00000000005D6000-memory.dmp

                              Filesize

                              1.8MB

                              Download

                            • memory/4696-399-0x0000000140000000-0x0000000140221000-memory.dmp

                              Filesize

                              2.1MB

                              Download

                            • memory/4696-200-0x0000000140000000-0x0000000140221000-memory.dmp

                              Filesize

                              2.1MB

                              Download

                            • memory/4780-60-0x0000000000890000-0x00000000008F0000-memory.dmp

                              Filesize

                              384KB

                              Download

                            • memory/4780-70-0x0000000140000000-0x0000000140266000-memory.dmp

                              Filesize

                              2.4MB

                              Download

                            • memory/4780-66-0x0000000000890000-0x00000000008F0000-memory.dmp

                              Filesize

                              384KB

                              Download

                            • memory/4780-166-0x0000000140000000-0x0000000140266000-memory.dmp

                              Filesize

                              2.4MB

                              Download

                            • memory/4808-55-0x0000000000C80000-0x0000000000CE0000-memory.dmp

                              Filesize

                              384KB

                              Download

                            • memory/4808-162-0x0000000140000000-0x000000014025F000-memory.dmp

                              Filesize

                              2.4MB

                              Download

                            • memory/4808-57-0x0000000140000000-0x000000014025F000-memory.dmp

                              Filesize

                              2.4MB

                              Download

                            • memory/4808-49-0x0000000000C80000-0x0000000000CE0000-memory.dmp

                              Filesize

                              384KB

                              Download

                            • memory/4840-211-0x0000000140000000-0x00000001401C0000-memory.dmp

                              Filesize

                              1.8MB

                              Download

                            • memory/4840-215-0x0000000140000000-0x00000001401C0000-memory.dmp

                              Filesize

                              1.8MB

                              Download

                            • memory/5060-111-0x0000000140000000-0x000000014020E000-memory.dmp

                              Filesize

                              2.1MB

                              Download

                            • memory/5060-210-0x0000000140000000-0x000000014020E000-memory.dmp

                              Filesize

                              2.1MB

                              Download

                            • memory/5116-123-0x0000000140000000-0x00000001401EA000-memory.dmp

                              Filesize

                              1.9MB

                              Download

                            • memory/5116-226-0x0000000140000000-0x00000001401EA000-memory.dmp

                              Filesize

                              1.9MB

                              Download

                            • memory/5540-251-0x0000000140000000-0x0000000140216000-memory.dmp

                              Filesize

                              2.1MB

                              Download

                            • memory/5540-488-0x0000000140000000-0x0000000140216000-memory.dmp

                              Filesize

                              2.1MB

                              Download

                            • memory/5608-410-0x0000000140000000-0x00000001401D7000-memory.dmp

                              Filesize

                              1.8MB

                              Download

                            • memory/5608-250-0x0000000140000000-0x00000001401D7000-memory.dmp

                              Filesize

                              1.8MB

                              Download

                            • memory/5608-151-0x0000000140000000-0x00000001401D7000-memory.dmp

                              Filesize

                              1.8MB

                              Download

                            • memory/5680-21-0x00000000006E0000-0x0000000000740000-memory.dmp

                              Filesize

                              384KB

                              Download

                            • memory/5680-20-0x0000000140000000-0x00000001401E9000-memory.dmp

                              Filesize

                              1.9MB

                              Download

                            • memory/5680-12-0x00000000006E0000-0x0000000000740000-memory.dmp

                              Filesize

                              384KB

                              Download

                            • memory/5680-122-0x0000000140000000-0x00000001401E9000-memory.dmp

                              Filesize

                              1.9MB

                              Download

                            • memory/5688-341-0x0000000140000000-0x0000000140241000-memory.dmp

                              Filesize

                              2.3MB

                              Download

                            • memory/5688-187-0x0000000140000000-0x0000000140241000-memory.dmp

                              Filesize

                              2.3MB

                              Download

                            • memory/6076-266-0x0000000140000000-0x00000001401D5000-memory.dmp

                              Filesize

                              1.8MB

                              Download

                            • memory/6076-164-0x0000000140000000-0x00000001401D5000-memory.dmp

                              Filesize

                              1.8MB

                              Download

                            • memory/6120-26-0x00000000004C0000-0x0000000000520000-memory.dmp

                              Filesize

                              384KB

                              Download

                            • memory/6120-35-0x00000000004C0000-0x0000000000520000-memory.dmp

                              Filesize

                              384KB

                              Download

                            • memory/6120-34-0x0000000140000000-0x00000001401E8000-memory.dmp

                              Filesize

                              1.9MB

                              Download

                            • memory/6132-442-0x0000000140000000-0x00000001401FC000-memory.dmp

                              Filesize

                              2.0MB

                              Download

                            • memory/6132-238-0x0000000140000000-0x00000001401FC000-memory.dmp

                              Filesize

                              2.0MB

                              Download