667b472a0672133a75304d8b64972ac18a14949a2fcdfc0fa7a56b319a06a31e

Analysis

max time kernel
130s
max time network
157s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
28/03/2025, 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WPS_Setup.exe
Size

246.3MB
MD5

4b3226ecc1da133e846eebc9af9b915a
SHA1

46403afddb737e4d363446ff617475ae1bbfee21
SHA256

667b472a0672133a75304d8b64972ac18a14949a2fcdfc0fa7a56b319a06a31e
SHA512

4f9ee9d1d106cb3b02e150bd8a625b24cd5e486d62de843c00bd17009c6414c217a9f5c607530b2c88fbddfdea71ad7046634f592e37e9a7b7cdc7afd371bc4c
SSDEEP

6291456:LGDVFnDNs5uOY2MuZHl1aQgAxW/AZH97nlI7Ec:LkPD/3zubzgJsH9b+7b

Score

8^/10

adware bootkit defense_evasion discovery persistence privilege_escalation stealer trojan

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
61	868	ksomisc.exe

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	flow	ioc	pid	Process
Destination IP		223.6.6.6		Process not Found
Destination IP		119.29.29.29		Process not Found
Destination IP		223.5.5.5		Process not Found
Destination IP		223.5.5.5		Process not Found
Destination IP		223.5.5.5		Process not Found
Destination IP		223.6.6.6		Process not Found
Destination IP		119.29.29.29		Process not Found
Destination IP		223.6.6.6		Process not Found
Destination IP		119.29.29.29		Process not Found
Destination IP		223.5.5.5		Process not Found
Destination IP		223.5.5.5		Process not Found
Destination IP		223.5.5.5		Process not Found
Destination IP		223.6.6.6		Process not Found
Destination IP		223.5.5.5		Process not Found
Destination IP		223.5.5.5		Process not Found
Destination IP		223.6.6.6		Process not Found
Destination IP		119.29.29.29		Process not Found
Destination IP		223.5.5.5		Process not Found
Destination IP		119.29.29.29		Process not Found
Destination IP		119.29.29.29		Process not Found
Destination IP		119.29.29.29		Process not Found
Destination IP	198	119.29.29.29	2128	WPS_Setup.exe
Destination IP		223.6.6.6		Process not Found
Destination IP		223.6.6.6		Process not Found
Destination IP		223.6.6.6		Process not Found
Destination IP		119.29.29.29		Process not Found
Destination IP		223.6.6.6		Process not Found
Destination IP	75	223.6.6.6	4260	wpscloudsvr.exe
Destination IP		223.6.6.6		Process not Found
Destination IP		223.5.5.5		Process not Found
Destination IP		223.6.6.6		Process not Found
Destination IP		223.5.5.5		Process not Found
Destination IP		223.5.5.5		Process not Found
Destination IP		223.5.5.5		Process not Found
Destination IP	76	223.5.5.5	2128	WPS_Setup.exe
Destination IP		223.5.5.5		Process not Found
Destination IP		223.5.5.5		Process not Found
Destination IP		223.6.6.6		Process not Found
Destination IP		119.29.29.29		Process not Found
Destination IP		223.6.6.6		Process not Found
Destination IP		223.5.5.5		Process not Found
Destination IP		119.29.29.29		Process not Found
Destination IP		223.5.5.5		Process not Found
Destination IP		223.6.6.6		Process not Found
Destination IP		119.29.29.29		Process not Found
Destination IP	201	223.6.6.6	2128	WPS_Setup.exe
Destination IP		119.29.29.29		Process not Found
Destination IP		119.29.29.29		Process not Found
Destination IP		119.29.29.29		Process not Found
Destination IP		223.6.6.6		Process not Found
Destination IP	203	223.5.5.5	2128	WPS_Setup.exe
Destination IP		223.5.5.5		Process not Found
Destination IP		223.5.5.5		Process not Found
Destination IP		223.6.6.6		Process not Found
Destination IP	69	223.5.5.5	3448	wps.exe
Destination IP		223.5.5.5		Process not Found
Destination IP		119.29.29.29		Process not Found
Destination IP		119.29.29.29		Process not Found
Destination IP		119.29.29.29		Process not Found
Destination IP		223.6.6.6		Process not Found
Destination IP		119.29.29.29		Process not Found
Destination IP		119.29.29.29		Process not Found
Destination IP		223.6.6.6		Process not Found
Destination IP		223.6.6.6		Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpsphotoautoasso = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.1.0.18912\\office6\\photolaunch.exe\" /photo /checkasso"	WPS_Setup.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{783E484C-5E48-457B-A361-2DB2147CD2B4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{783E484C-5E48-457B-A361-2DB2147CD2B4}\	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	WPS_Setup.exe
File opened for modification	\??\PhysicalDrive0	WPS_Setup.exe
File opened for modification	\??\PhysicalDrive0	ksomisc.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe	WPS_Setup.exe

Executes dropped EXE 62 IoCs

pid	Process
2128	WPS_Setup.exe
2376	WPS_Setup.exe
3592	ksomisc.exe
4532	ksomisc.exe
1232	ksomisc.exe
5716	wpscloudsvr.exe
3760	ksomisc.exe
5596	ksomisc.exe
3880	ksomisc.exe
1184	ksomisc.exe
2044	ksomisc.exe
2028	ksomisc.exe
712	ksomisc.exe
3508	ksomisc.exe
4788	ksomisc.exe
1616	ksomisc.exe
5348	ksomisc.exe
4984	ksomisc.exe
1748	ksomisc.exe
1632	pinTaskbar.exe
4912	ksomisc.exe
3176	ksomisc.exe
2636	ksomisc.exe
3380	ksomisc.exe
4420	wpsupdate.exe
6028	wpsupdate.exe
4408	wpsupdate.exe
6128	ksomisc.exe
4604	ksomisc.exe
1348	ksomisc.exe
2412	ksomisc.exe
1212	ksomisc.exe
5052	ksomisc.exe
660	ksomisc.exe
5580	ksomisc.exe
5036	ksomisc.exe
4116	ksomisc.exe
4600	ksomisc.exe
3624	ksomisc.exe
2976	photolaunch.exe
5600	ksomisc.exe
5508	ksomisc.exe
5244	ksomisc.exe
4472	ksomisc.exe
4824	ksomisc.exe
3880	ksomisc.exe
868	ksomisc.exe
4456	ksomisc.exe
5960	ksomisc.exe
780	ksomisc.exe
2840	ksomisc.exe
6084	ksomisc.exe
1488	ksomisc.exe
1072	Kvpins64.exe
3704	ksomisc.exe
3448	wps.exe
4260	wpscloudsvr.exe
488	photolaunch.exe
3848	ksolaunch.exe
5684	ksolaunch.exe
3436	wps.exe
2368	wpscloudsvr.exe

Loads dropped DLL 64 IoCs

pid	Process
2956	WPS_Setup.exe
2956	WPS_Setup.exe
2956	WPS_Setup.exe
2956	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
3592	ksomisc.exe
3592	ksomisc.exe
3592	ksomisc.exe
3592	ksomisc.exe
3592	ksomisc.exe
3592	ksomisc.exe
3592	ksomisc.exe
3592	ksomisc.exe
3592	ksomisc.exe
3592	ksomisc.exe
3592	ksomisc.exe
3592	ksomisc.exe
3592	ksomisc.exe
3592	ksomisc.exe
3592	ksomisc.exe
3592	ksomisc.exe
3592	ksomisc.exe
3592	ksomisc.exe
3592	ksomisc.exe
3592	ksomisc.exe
4532	ksomisc.exe
4532	ksomisc.exe
4532	ksomisc.exe
4532	ksomisc.exe
4532	ksomisc.exe
4532	ksomisc.exe
4532	ksomisc.exe
4532	ksomisc.exe
4532	ksomisc.exe
4532	ksomisc.exe
4532	ksomisc.exe
4532	ksomisc.exe
4532	ksomisc.exe
4532	ksomisc.exe
4532	ksomisc.exe
4532	ksomisc.exe
4532	ksomisc.exe
4532	ksomisc.exe
4532	ksomisc.exe
4532	ksomisc.exe
4532	ksomisc.exe
3592	ksomisc.exe
4532	ksomisc.exe
4532	ksomisc.exe
4532	ksomisc.exe

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\lnkfile\ShellEx\ContextMenuHandlers\Open With qingshellext	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\lnkfile\shellex\ContextMenuHandlers\Open With qingshellext\ = "{67F4D210-BFC2-4ADD-9A2A-C9B9E1F42C4F}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\lnkfile\shellex\ContextMenuHandlers\QingNseContextMenu	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\lnkfile\shellex\ContextMenuHandlers\QingNseContextMenu\ = "{AA147FFB-0B1F-4BB1-9B1E-8D062B35C146}"	regsvr32.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wpscloudsvr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WPS_Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	photolaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksolaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpscloudsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	photolaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WPS_Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpscloudsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpscloudsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksomisc.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x001900000002b129-5210.dat	nsis_installer_1
behavioral2/files/0x001900000002b129-5210.dat	nsis_installer_2

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Interface\{000244E7-0000-0000-C000-000000000046}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{000208B1-0000-0000-C000-000000000046}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{0002E160-0000-0000-C000-000000000046}	ksomisc.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\ET.Xlt.6\shell\open	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{4632C068-CEAB-4371-A498-06E2437D3589}\TypeLib\ = "{D626EB73-B7C0-45EF-922D-0CDDAEDE12FA}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\.dps\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{92D41A69-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{914934E5-5A91-11CF-8700-00AA0060263B}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Interface\{000C03BF-0000-0000-C000-000000000046}\TypeLib\Version = "63.1"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Interface\{000C0360-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Interface\{A87E00E9-3AC3-4B53-ABE3-7379653D0E82}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{0002091C-0000-0000-C000-000000000046}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{9149346C-5A91-11CF-8700-00AA0060263B}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{00020896-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{000C1715-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{000CD901-0000-0000-C000-000000000046}\TypeLib\Version = "63.1"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Interface\{000244BA-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\CLSID\{CE015F62-05ED-4CFE-9B40-D5345BDC7B1F}\Verb\0\ = "打开(&O),0,2"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WPS.PIC.tga\shell	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Interface\{000CD900-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Interface\{E3124493-7D6A-410F-9A48-CC822C033CEC}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Interface\{9149345B-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{45541089-5750-5300-4B49-4E47534F4655}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\DefaultIcon\.ksobak	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Interface\{000C0312-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{000CDB00-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{00020954-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Interface\{000209B3-0000-0000-C000-000000000046}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{5A90588C-C066-4BD4-8FE5-722454A15553}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{00020854-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{A87E00E9-3AC3-4B53-ABE3-7379653D0E82}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Interface\{54F46DC4-F6A6-48CC-BD66-46C1DDEADD22}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Interface\{000C033D-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Interface\{74D13AA5-8894-4B69-BB24-61F21CFC8FDC}\TypeLib\Version = "1.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{0002E16A-0000-0000-C000-000000000046}\TypeLib\Version = "5.3"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{0002E17E-0000-0000-C000-000000000046}\TypeLib\ = "{0002E157-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Interface\{000C0318-0000-0000-C000-000000000046}	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{B923FDE0-F08C-11D3-91B0-00105A0A19FD}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Interface\{DD947D72-F33C-4198-9BDF-F86181D05E41}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{00020990-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Interface\{91493471-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "3.0"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\.epub	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WPS.Docx.6\Insertable	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WPS.PIC.ppm\shell\open\FriendlyAppName = "WPS 图片"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Interface\{B65AD801-ABAF-11D0-BB8B-00A0C90F2744}\TypeLib\ = "{A537E638-AB2A-4308-A502-2EFF280C6E98}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{000C038B-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{799A6814-EA41-11D3-87CC-00105AA31A34}\TypeLib\Version = "3.0"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Interface\{00020A02-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{00020A01-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{914934D0-5A91-11CF-8700-00AA0060263B}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\KET.Template.12\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.1.0.18912\\office6\\wpsofficeicon.dll,17"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{00024448-0000-0000-C000-000000000046}\TypeLib	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Interface\{00020913-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-4B30-A977-D214852036FF}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{C04865A3-9F8A-486C-BB58-B4C3E6563136}\ = "DisplayUnitLabel"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Interface\{00024458-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Interface\{CE015F64-05ED-4CFE-9B40-D5345BDC7B1F}\ProxyStubClsid32	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{BA72E554-4FF5-48F4-8215-5505F990966F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Interface\{000C0333-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{000672AC-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Interface\{000C0377-0000-0000-C000-000000000046}\ProxyStubClsid32	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{000209DC-0000-0000-C000-000000000046}	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\CLSID\{45540003-5750-5300-4B49-4E47534F4655}\Programmable\	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Interface\{000208A5-0000-0000-C000-000000000046}\ = "TextBoxes"	ksomisc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\WOW6432Node\Interface\{000C0308-0000-0000-C000-000000000046}\ = "CommandBarControl"	ksomisc.exe

Modifies system certificate store 2 TTPs 64 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\FlightRoot\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\FlightRoot	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\OemEsim	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\TestSignRoot\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\TestSignRoot\CTLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\TrustedAppRoot\CRLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\eSIM Certification Authorities\CRLs	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\PasspointTrustedRoots\Certificates	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\PasspointTrustedRoots\CTLs	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\TrustedDevices	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\TestSignRoot\CRLs	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\TrustedAppRoot\Certificates	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\eSIM Certification Authorities\CRLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\TestSignRoot	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\TrustedAppRoot	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\WindowsServerUpdateServices\CTLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\eSIM Certification Authorities\CTLs	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\FlightRoot\CRLs	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\AAD Token Issuer\CTLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\TrustedAppRoot\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\WindowsServerUpdateServices\CRLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\TestSignRoot	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\FlightRoot\CTLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\PasspointTrustedRoots\CTLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\AAD Token Issuer\CRLs	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\AAD Token Issuer\CTLs	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\AAD Token Issuer\CRLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\OemEsim\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\TestSignRoot\CRLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\TrustedDevices	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CTLs	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\eSIM Certification Authorities\CTLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\OemEsim\CRLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\PasspointTrustedRoots\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\WindowsServerUpdateServices	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\AAD Token Issuer	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\PasspointTrustedRoots	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\TrustedAppRoot\CTLs	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\AAD Token Issuer\Certificates	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\FlightRoot	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\eSIM Certification Authorities	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\OemEsim\Certificates	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\TestSignRoot\Certificates	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\TestSignRoot\CTLs	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CRLs	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\OemEsim\CRLs	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\TrustedAppRoot\CRLs	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\AAD Token Issuer	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\eSIM Certification Authorities	ksomisc.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\OemEsim\CTLs	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\TrustedAppRoot	wps.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CRLs	wps.exe

Suspicious behavior: AddClipboardFormatListener 49 IoCs

pid	Process
2128	WPS_Setup.exe
3592	ksomisc.exe
4532	ksomisc.exe
1232	ksomisc.exe
3760	ksomisc.exe
5596	ksomisc.exe
3880	ksomisc.exe
1184	ksomisc.exe
2044	ksomisc.exe
2028	ksomisc.exe
712	ksomisc.exe
3508	ksomisc.exe
4788	ksomisc.exe
1616	ksomisc.exe
5348	ksomisc.exe
4984	ksomisc.exe
1748	ksomisc.exe
4912	ksomisc.exe
3176	ksomisc.exe
2636	ksomisc.exe
3380	ksomisc.exe
6128	ksomisc.exe
4604	ksomisc.exe
1348	ksomisc.exe
2412	ksomisc.exe
1212	ksomisc.exe
5052	ksomisc.exe
660	ksomisc.exe
5580	ksomisc.exe
5036	ksomisc.exe
4116	ksomisc.exe
4600	ksomisc.exe
3624	ksomisc.exe
5600	ksomisc.exe
5508	ksomisc.exe
5244	ksomisc.exe
4472	ksomisc.exe
4824	ksomisc.exe
3880	ksomisc.exe
868	ksomisc.exe
4456	ksomisc.exe
5960	ksomisc.exe
780	ksomisc.exe
2840	ksomisc.exe
6084	ksomisc.exe
1488	ksomisc.exe
3448	wps.exe
3704	ksomisc.exe
4260	wpscloudsvr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2956	WPS_Setup.exe
2956	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2376	WPS_Setup.exe
2376	WPS_Setup.exe
2376	WPS_Setup.exe
2376	WPS_Setup.exe
2376	WPS_Setup.exe
2376	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
2128	WPS_Setup.exe
4532	ksomisc.exe
4532	ksomisc.exe
3592	ksomisc.exe
3592	ksomisc.exe
4532	ksomisc.exe
4532	ksomisc.exe
3592	ksomisc.exe
3592	ksomisc.exe
3592	ksomisc.exe
3592	ksomisc.exe
3592	ksomisc.exe
3592	ksomisc.exe
4532	ksomisc.exe
4532	ksomisc.exe
4532	ksomisc.exe
4532	ksomisc.exe
1232	ksomisc.exe
1232	ksomisc.exe
1232	ksomisc.exe
1232	ksomisc.exe
1232	ksomisc.exe
1232	ksomisc.exe
1232	ksomisc.exe
1232	ksomisc.exe
1232	ksomisc.exe
1232	ksomisc.exe
5716	wpscloudsvr.exe
5716	wpscloudsvr.exe
3760	ksomisc.exe
3760	ksomisc.exe
3760	ksomisc.exe
3760	ksomisc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2128	WPS_Setup.exe
3448	wps.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	WPS_Setup.exe
Token: SeRestorePrivilege	2128	WPS_Setup.exe
Token: SeRestorePrivilege	2128	WPS_Setup.exe
Token: SeRestorePrivilege	2128	WPS_Setup.exe
Token: SeRestorePrivilege	2128	WPS_Setup.exe
Token: SeDebugPrivilege	4532	ksomisc.exe
Token: SeDebugPrivilege	3592	ksomisc.exe
Token: SeLockMemoryPrivilege	4532	ksomisc.exe
Token: SeLockMemoryPrivilege	3592	ksomisc.exe
Token: SeDebugPrivilege	1232	ksomisc.exe
Token: SeLockMemoryPrivilege	1232	ksomisc.exe
Token: SeDebugPrivilege	3760	ksomisc.exe
Token: SeLockMemoryPrivilege	3760	ksomisc.exe
Token: SeDebugPrivilege	5596	ksomisc.exe
Token: SeLockMemoryPrivilege	5596	ksomisc.exe
Token: SeDebugPrivilege	3880	ksomisc.exe
Token: SeLockMemoryPrivilege	3880	ksomisc.exe
Token: SeDebugPrivilege	1184	ksomisc.exe
Token: SeLockMemoryPrivilege	1184	ksomisc.exe
Token: SeDebugPrivilege	2044	ksomisc.exe
Token: SeLockMemoryPrivilege	2044	ksomisc.exe
Token: SeDebugPrivilege	2028	ksomisc.exe
Token: SeLockMemoryPrivilege	2028	ksomisc.exe
Token: SeDebugPrivilege	712	ksomisc.exe
Token: SeLockMemoryPrivilege	712	ksomisc.exe
Token: SeDebugPrivilege	3508	ksomisc.exe
Token: SeLockMemoryPrivilege	3508	ksomisc.exe
Token: SeDebugPrivilege	4788	ksomisc.exe
Token: SeLockMemoryPrivilege	4788	ksomisc.exe
Token: SeDebugPrivilege	1616	ksomisc.exe
Token: SeLockMemoryPrivilege	1616	ksomisc.exe
Token: SeDebugPrivilege	5348	ksomisc.exe
Token: SeLockMemoryPrivilege	5348	ksomisc.exe
Token: SeDebugPrivilege	4984	ksomisc.exe
Token: SeLockMemoryPrivilege	4984	ksomisc.exe
Token: SeDebugPrivilege	1748	ksomisc.exe
Token: SeLockMemoryPrivilege	1748	ksomisc.exe
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeDebugPrivilege	4912	ksomisc.exe
Token: SeLockMemoryPrivilege	4912	ksomisc.exe
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeDebugPrivilege	3176	ksomisc.exe
Token: SeLockMemoryPrivilege	3176	ksomisc.exe
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE
Token: SeCreatePagefilePrivilege	3328	Explorer.EXE
Token: SeShutdownPrivilege	3328	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2128	WPS_Setup.exe
3328	Explorer.EXE

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2128	WPS_Setup.exe
3592	ksomisc.exe
4532	ksomisc.exe
3592	ksomisc.exe
4532	ksomisc.exe
1232	ksomisc.exe
1232	ksomisc.exe
3760	ksomisc.exe
3760	ksomisc.exe
5596	ksomisc.exe
5596	ksomisc.exe
3880	ksomisc.exe
3880	ksomisc.exe
1184	ksomisc.exe
1184	ksomisc.exe
2044	ksomisc.exe
2044	ksomisc.exe
2028	ksomisc.exe
2028	ksomisc.exe
712	ksomisc.exe
712	ksomisc.exe
712	ksomisc.exe
712	ksomisc.exe
3508	ksomisc.exe
3508	ksomisc.exe
4788	ksomisc.exe
4788	ksomisc.exe
1616	ksomisc.exe
1616	ksomisc.exe
5348	ksomisc.exe
5348	ksomisc.exe
4984	ksomisc.exe
4984	ksomisc.exe
1748	ksomisc.exe
1748	ksomisc.exe
4912	ksomisc.exe
4912	ksomisc.exe
3176	ksomisc.exe
3176	ksomisc.exe
2636	ksomisc.exe
2636	ksomisc.exe
3380	ksomisc.exe
3380	ksomisc.exe
6128	ksomisc.exe
6128	ksomisc.exe
4604	ksomisc.exe
4604	ksomisc.exe
1348	ksomisc.exe
1348	ksomisc.exe
2412	ksomisc.exe
2412	ksomisc.exe
1212	ksomisc.exe
1212	ksomisc.exe
5052	ksomisc.exe
5052	ksomisc.exe
660	ksomisc.exe
660	ksomisc.exe
5580	ksomisc.exe
5580	ksomisc.exe
5036	ksomisc.exe
5036	ksomisc.exe
4116	ksomisc.exe
4600	ksomisc.exe
3624	ksomisc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2128	2956	WPS_Setup.exe	78
PID 2956 wrote to memory of 2128	2956	WPS_Setup.exe	78
PID 2956 wrote to memory of 2128	2956	WPS_Setup.exe	78
PID 2128 wrote to memory of 3592	2128	WPS_Setup.exe	82
PID 2128 wrote to memory of 3592	2128	WPS_Setup.exe	82
PID 2128 wrote to memory of 3592	2128	WPS_Setup.exe	82
PID 2376 wrote to memory of 4532	2376	WPS_Setup.exe	83
PID 2376 wrote to memory of 4532	2376	WPS_Setup.exe	83
PID 2376 wrote to memory of 4532	2376	WPS_Setup.exe	83
PID 2376 wrote to memory of 1232	2376	WPS_Setup.exe	84
PID 2376 wrote to memory of 1232	2376	WPS_Setup.exe	84
PID 2376 wrote to memory of 1232	2376	WPS_Setup.exe	84
PID 2128 wrote to memory of 5716	2128	WPS_Setup.exe	85
PID 2128 wrote to memory of 5716	2128	WPS_Setup.exe	85
PID 2128 wrote to memory of 5716	2128	WPS_Setup.exe	85
PID 2128 wrote to memory of 3760	2128	WPS_Setup.exe	86
PID 2128 wrote to memory of 3760	2128	WPS_Setup.exe	86
PID 2128 wrote to memory of 3760	2128	WPS_Setup.exe	86
PID 2376 wrote to memory of 5596	2376	WPS_Setup.exe	87
PID 2376 wrote to memory of 5596	2376	WPS_Setup.exe	87
PID 2376 wrote to memory of 5596	2376	WPS_Setup.exe	87
PID 2376 wrote to memory of 3880	2376	WPS_Setup.exe	88
PID 2376 wrote to memory of 3880	2376	WPS_Setup.exe	88
PID 2376 wrote to memory of 3880	2376	WPS_Setup.exe	88
PID 2128 wrote to memory of 1184	2128	WPS_Setup.exe	89
PID 2128 wrote to memory of 1184	2128	WPS_Setup.exe	89
PID 2128 wrote to memory of 1184	2128	WPS_Setup.exe	89
PID 2128 wrote to memory of 2044	2128	WPS_Setup.exe	90
PID 2128 wrote to memory of 2044	2128	WPS_Setup.exe	90
PID 2128 wrote to memory of 2044	2128	WPS_Setup.exe	90
PID 2376 wrote to memory of 2028	2376	WPS_Setup.exe	91
PID 2376 wrote to memory of 2028	2376	WPS_Setup.exe	91
PID 2376 wrote to memory of 2028	2376	WPS_Setup.exe	91
PID 2376 wrote to memory of 712	2376	WPS_Setup.exe	93
PID 2376 wrote to memory of 712	2376	WPS_Setup.exe	93
PID 2376 wrote to memory of 712	2376	WPS_Setup.exe	93
PID 2376 wrote to memory of 3508	2376	WPS_Setup.exe	94
PID 2376 wrote to memory of 3508	2376	WPS_Setup.exe	94
PID 2376 wrote to memory of 3508	2376	WPS_Setup.exe	94
PID 3508 wrote to memory of 400	3508	ksomisc.exe	95
PID 3508 wrote to memory of 400	3508	ksomisc.exe	95
PID 3508 wrote to memory of 400	3508	ksomisc.exe	95
PID 3508 wrote to memory of 400	3508	ksomisc.exe	95
PID 3508 wrote to memory of 400	3508	ksomisc.exe	95
PID 3508 wrote to memory of 400	3508	ksomisc.exe	95
PID 3508 wrote to memory of 400	3508	ksomisc.exe	95
PID 3508 wrote to memory of 400	3508	ksomisc.exe	95
PID 3508 wrote to memory of 400	3508	ksomisc.exe	95
PID 3508 wrote to memory of 400	3508	ksomisc.exe	95
PID 3508 wrote to memory of 400	3508	ksomisc.exe	95
PID 3508 wrote to memory of 400	3508	ksomisc.exe	95
PID 2376 wrote to memory of 4788	2376	WPS_Setup.exe	96
PID 2376 wrote to memory of 4788	2376	WPS_Setup.exe	96
PID 2376 wrote to memory of 4788	2376	WPS_Setup.exe	96
PID 2376 wrote to memory of 1616	2376	WPS_Setup.exe	97
PID 2376 wrote to memory of 1616	2376	WPS_Setup.exe	97
PID 2376 wrote to memory of 1616	2376	WPS_Setup.exe	97
PID 2376 wrote to memory of 5348	2376	WPS_Setup.exe	98
PID 2376 wrote to memory of 5348	2376	WPS_Setup.exe	98
PID 2376 wrote to memory of 5348	2376	WPS_Setup.exe	98
PID 2376 wrote to memory of 4984	2376	WPS_Setup.exe	99
PID 2376 wrote to memory of 4984	2376	WPS_Setup.exe	99
PID 2376 wrote to memory of 4984	2376	WPS_Setup.exe	99
PID 2376 wrote to memory of 1748	2376	WPS_Setup.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3328
- C:\Users\Admin\AppData\Local\Temp\WPS_Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\WPS_Setup.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\ProgramData\kingsoft\20250328_152805\WPS_Setup.exe
    "C:\ProgramData\kingsoft\20250328_152805\WPS_Setup.exe" /ThemeIndex=#ThemeIndex#
    3⤵
    - Unexpected DNS network traffic destination
    - Adds Run key to start application
    - Writes to the Master Boot Record (MBR)
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\\office6\ksomisc.exe" -kccmove C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\\CONTROL
      4⤵
      Writes to the Master Boot Record (MBR)
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3592
  - - C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe
      "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5716
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -addFirewallRule
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3760
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -regmtfont
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1184
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\\office6\ksomisc.exe" -setappcap
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2044
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\\office6\ksomisc.exe" -registerqingshellext 1
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of SetWindowsHookEx
      PID:2636
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingshellext64.dll"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:868
      - C:\Windows\system32\regsvr32.exe
        
        /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingshellext64.dll"
        6⤵
        Modifies system executable filetype association
        
        PID:2396
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\wtoolex\wpsupdate.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\wtoolex\wpsupdate.exe" -createtask
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:6028
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\\office6\ksomisc.exe" -setappcap
      4⤵
      Executes dropped EXE
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of SetWindowsHookEx
      PID:1212
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\\office6\ksomisc.exe" -assoepub -source=1
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of SetWindowsHookEx
      PID:5052
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -clearmso2pdfplugins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of SetWindowsHookEx
      PID:4116
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -cleardocermsoplugins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of SetWindowsHookEx
      PID:4600
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\\office6\ksomisc.exe" -assopic_setup
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of SetWindowsHookEx
      PID:3624
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -uninstalldatarecover
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: AddClipboardFormatListener
      PID:5960
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\kvprinter\Kvpins64.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\kvprinter\Kvpins64.exe" /i "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\kvprinter\Kvpins64.inf" /s
      4⤵
      Executes dropped EXE
      PID:1072
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\kvprinter\kvpvbsext.dll",_X86ScriptHostEntry VBScript E8898119CEBC48D9A441A41D1B54BF58 1 Uninstall /_X64Cast
        5⤵
        
        PID:444
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\kvprinter\kvpvbsext.dll",_X86ScriptHostEntry VBScript E7C8E26D56944AA2886625ACB951F360 1 Install /_X64Cast
        5⤵
        
        PID:868
    - - C:\Windows\system32\spool\DRIVERS\x64\3\kvpet.exe
        
        C:\Windows\system32\spool\DRIVERS\x64\3\kvpet.exe pdf_virtualprinter_install 0x424, 0x68
        5⤵
        
        PID:3576
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\\office6\ksomisc.exe" -defragment
      4⤵
      Executes dropped EXE
      Suspicious behavior: AddClipboardFormatListener
      PID:3704
- - C:\ProgramData\kingsoft\20250328_152805\oem_static.exe
    "C:\ProgramData\kingsoft\20250328_152805\oem_static.exe"
    3⤵
    PID:4256
- C:\ProgramData\kingsoft\20250328_152805\WPS_Setup.exe
  "C:\ProgramData\kingsoft\20250328_152805\WPS_Setup.exe" -downpower -ThemeIndex="#ThemeIndex#" -msgwndname=wpssetup_message_E57AC9B -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -setlng zh_CN
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4532
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -fixoldversionassostatus
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1232
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -setservers
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5596
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -register
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3880
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -regprogid true
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2028
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -assowordexcelpowerpnt 1 1 1 -source=1
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:712
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -compatiblemso -source=1
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Windows\SysWOW64\openwith.exe
      "C:\Windows\SysWOW64\openwith.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:400
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -checkcompatiblemso
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4788
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -saveas_mso
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1616
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -distsrc 12012.2019
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5348
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -sendinstalldyn 5
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4984
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1748
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\pinTaskbar.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\pinTaskbar.exe" "C:\Users\Admin\AppData\Local\Temp\Kingsoft\WPS Office.lnk" 5386
      4⤵
      Executes dropped EXE
      PID:1632
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -addcontextmenushellnew
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4912
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -regvascontextmenushellnew
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3176
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -regkwpsshellext admin
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:3380
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\kwpsshellext64.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5032
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\kwpsshellext64.dll"
        5⤵
        
        PID:5112
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\wtoolex\wpsupdate.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\wtoolex\wpsupdate.exe" /from:setup
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4420
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -collectfileassoinfo -module=1;2;4;8 -daily -source=1
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of SetWindowsHookEx
      PID:6128
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\wtoolex\wpsupdate.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\wtoolex\wpsupdate.exe" -createtask
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4408
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\addons\kdesktopshellext\kdesktopshellext64.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2904
  - - C:\Windows\system32\regsvr32.exe
      /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\addons\kdesktopshellext\kdesktopshellext64.dll"
      4⤵
      PID:2596
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -regyunpanfornew -forceperusermode
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:4604
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s /u /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1132
    - - C:\Windows\system32\regsvr32.exe
        
        /s /u /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll"
        5⤵
        
        PID:1720
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s /u /n /i:overlayicon "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5940
    - - C:\Windows\system32\regsvr32.exe
        
        /s /u /n /i:overlayicon "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll"
        5⤵
        
        PID:6076
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s /u /n /i:contextmenu "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5140
    - - C:\Windows\system32\regsvr32.exe
        
        /s /u /n /i:contextmenu "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll"
        5⤵
        
        PID:5892
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s /u /n /i:nsemenu*user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2072
    - - C:\Windows\system32\regsvr32.exe
        
        /s /u /n /i:nsemenu*user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll"
        5⤵
        
        PID:1848
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -regqingdriveshellext_install -forceperusermode
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:1348
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s /n /i:qingdriveshellext*install "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1488
    - - C:\Windows\system32\regsvr32.exe
        
        /s /n /i:qingdriveshellext*install "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll"
        5⤵
        
        PID:1236
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s /n /i:qingdriveshellext*thumbnail "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll"
      4⤵
      PID:3472
    - - C:\Windows\system32\regsvr32.exe
        
        /s /n /i:qingdriveshellext*thumbnail "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll"
        5⤵
        
        PID:2768
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s /n /i:qingdriveshellext*drivebho "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5796
    - - C:\Windows\system32\regsvr32.exe
        
        /s /n /i:qingdriveshellext*drivebho "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll"
        5⤵
        Installs/modifies Browser Helper Object
        
        PID:1656
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s /n /i:qingdriveshellext*contextmenu "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll"
      4⤵
      PID:2228
    - - C:\Windows\system32\regsvr32.exe
        
        /s /n /i:qingdriveshellext*contextmenu "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll"
        5⤵
        Modifies system executable filetype association
        
        PID:664
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s /n /i:nsemenu*user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3884
    - - C:\Windows\system32\regsvr32.exe
        
        /s /n /i:nsemenu*user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll"
        5⤵
        
        PID:5600
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s /n /i:qingdriveshellext*onlinefile "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5388
    - - C:\Windows\system32\regsvr32.exe
        
        /s /n /i:qingdriveshellext*onlinefile "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll"
        5⤵
        
        PID:2104
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -setup_assopdf -source=1
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2412
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -assofdf -source=1
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:660
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -createsubmodulelink desktop prometheus
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:5580
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -createsubmodulelink startmenu prometheus
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:5036
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\photolaunch.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\photolaunch.exe" /photo /createlink /install
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2976
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -assoofd -source=1
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    PID:5600
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -assoopg -source=1
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    PID:5508
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -regcadfileasso
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    PID:5244
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -regarchivefileasso
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    PID:4472
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -installbrowserextensionhost
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    PID:4824
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -regvideoeditsetupfileasso
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    PID:3880
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -regemmxfileasso
    3⤵
    - Blocklisted process makes network request
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    PID:868
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -regeddxfileasso
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    PID:4456
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -repair3rdlink
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    PID:780
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -createexternstartmenu "WPS Office"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    PID:2840
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -rebuildicon
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    PID:6084
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -addJsapiCert
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    PID:1488
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\wps.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\wps.exe" /prometheus /from=autostart_after_install
    3⤵
    - Unexpected DNS network traffic destination
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    PID:3448
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\wpscloudsvr.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\wpscloudsvr.exe" /qingbangong /start_from=qingipc /qingbangong /start_from=kstartpage silentautologin
      4⤵
      Unexpected DNS network traffic destination
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: AddClipboardFormatListener
      PID:4260
    - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe
        
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /messagepush /PushType=mipush /From=Qing
        5⤵
        
        PID:5104
      - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\wpscloudsvr.exe
        
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\wpscloudsvr.exe" /messagepush /PushType=mipush /From=Qing
        6⤵
        
        PID:5960
    - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe
        
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /krecentfile /init /From=Qing
        5⤵
        
        PID:540
      - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\wpscloudsvr.exe
        
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\wpscloudsvr.exe" /krecentfile /init /From=Qing
        6⤵
        
        PID:440
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\promecefpluginhost.exe
      "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.1.0.18912/office6\promecefpluginhost.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=zh-CN --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\debug.log" --mojo-platform-channel-handle=3588 --field-trial-handle=3656,i,17518755134312184789,10966189837041705819,131072 --disable-features=TSFImeSupport /prefetch:2
      4⤵
      PID:5152
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\promecefpluginhost.exe
      "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.1.0.18912/office6\promecefpluginhost.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=zh-CN --service-sandbox-type=none --no-sandbox --log-severity=disable --lang=zh-CN --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\debug.log" --mojo-platform-channel-handle=3988 --field-trial-handle=3656,i,17518755134312184789,10966189837041705819,131072 --disable-features=TSFImeSupport /prefetch:8
      4⤵
      PID:4556
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1210~1.189\office6\wps.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1210~1.189\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjEuMC4xODkxMlxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjEuMC4xODkxMlxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjEuMC4xODkxMlxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjEuMC4xODkxMlxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjEuMC4xODkxMlxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=3448 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.1.0.18912/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\debug.log" --js-flags=--expose-gc --lang=zh-CN --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=4648 --field-trial-handle=3656,i,17518755134312184789,10966189837041705819,131072 --disable-features=TSFImeSupport /prefetch:1
      4⤵
      PID:708
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1210~1.189\office6\wps.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1210~1.189\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjEuMC4xODkxMlxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjEuMC4xODkxMlxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjEuMC4xODkxMlxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjEuMC4xODkxMlxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjEuMC4xODkxMlxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=3448 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.1.0.18912/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\debug.log" --js-flags=--expose-gc --lang=zh-CN --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=4656 --field-trial-handle=3656,i,17518755134312184789,10966189837041705819,131072 --disable-features=TSFImeSupport /prefetch:1
      4⤵
      PID:2444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\photolaunch.exe" /photo /checkasso
  2⤵
  PID:5804
- - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\photolaunch.exe
    "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\photolaunch.exe" /photo /checkasso
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:488
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /wpscloudlaunch /run_plugin /plugin_name=kfileassociate /plugin_type=dll /plugin_entry=EntryPoint /action=regassocall /src=auto
      4⤵
      Executes dropped EXE
      PID:3848
    - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\wpscloudsvr.exe
        
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\wpscloudsvr.exe" /wpscloudlaunch /run_plugin /plugin_name=kfileassociate /plugin_type=dll /plugin_entry=EntryPoint /action=regassocall /src=auto
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2368
  - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe
      "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" Run addons/kpluginwrapper/kpluginwrapper.dll run_plugin -plugin_name=kmessagepushcenter -dll_name=kmessagepushcenter silentreg
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5684
    - - C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\wps.exe
        
        "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\wps.exe" Run addons/kpluginwrapper/kpluginwrapper.dll run_plugin -plugin_name=kmessagepushcenter -dll_name=kmessagepushcenter silentreg
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kingsoft\20250328_152805\oem.ini

Filesize
1KB

MD5
fcabcea14f78b332e4abdeed9cd18d2e

SHA1
ee11337ae6cbb169ac9617ea43a564334d0ebe55

SHA256
40f6eccdfe1de78f5ef4f803ebb4f4d47e7cb6619d48eea6242197768be4a58b

SHA512
abc881835fc61dc0f11b5acb8cd6d34215ca2365eb937040e757d93b6b8cc59aae375b160e55a3bdddbcfbe995c881cb4420f61fbe716dcfb3f34825611b43d9

Download Submit
C:\ProgramData\kingsoft\20250328_152805\oeminfo\oem.exe

Filesize
81KB

MD5
2f2e967a23a459de0f9ec166eedeb9f2

SHA1
20198b7f783fa0fec5931d7cfaaf7eccf0834ee1

SHA256
b3058bec266f4310750d6ccd60fe0aa70e6ab7b2a998a10e14bf98606561044f

SHA512
343745a31bcc78817e0fe6a27d0308cd7eb8c422acfcf8c676f2c1431b94092a2575f36993197440ebeda53bcd8a5f67b778fb1f0ffa4e84ccae732b2b3b8e31

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\Qt5NetworkKso.dll

Filesize
1.1MB

MD5
597cf6fa94b9d03b72874dc22a840990

SHA1
48f7599074147cf06a0082227902496dfad9691b

SHA256
665526fb362589d409da4a0da90cf19fccfbe26e8ce6e3b393ea0a10ec911035

SHA512
c86b51853897bea67d696152e519b420fd91a67cd32d50a0763f8b752d68f87bd9e6af02f33b3b93ae8f90199ea41982cff780544c6118adbeea61e3e9ff2e43

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\Qt5XmlKso.dll

Filesize
170KB

MD5
928df087cecfde22330a8c3813091c25

SHA1
dcda6ba1d5583a22eb2cd03eb7cb2ccc35697c2f

SHA256
46f3ef62fc1aa886283552c051613df9395f426c513ae700ac069fcbf6629188

SHA512
98747014979b913e2cc4767759d971f29f93eff89d3c26d4d68022619a51be2d37823acd036d0a7eeefd03db532139b9158f39529fafdf03afaef4485a8c4f82

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\addons\ketaitoolbox\run.ini

Filesize
171B

MD5
b30cb271e143eace0f55ea2e562e1e9f

SHA1
9d97dbf24931cfc114384c3f4dbbae21c9e51be5

SHA256
3ab7bb6175885fc6acbf5eed0062b0d00c059cb4c68bd2ef90149b2c8763e658

SHA512
dc593185fa63b458024c3a913c558e5686806154181dea67eec786ada50595c53bab822833ad1e76c9acdf21be3eba50631391b7e575d7f1f6409ceccf966535

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\addons\kskincenter\ksolaunch\normal\logo-small.png

Filesize
6KB

MD5
8d650fe389e3665607fdbf938c1a1722

SHA1
2e545f9555ff22313e4ce113995d8aa694e5cab8

SHA256
8bad76a7433cf4662c38a539c2429336d65feeeef1bb5c6435928a9574b216f8

SHA512
f116621bfecb602d02919eb1ee9d7dc92e82b313b8b54cda42ab48c5e7ec60b02005edcad763fff6b497ca4bc46e83cb0c9a249be791f245bb9c599950fdf015

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\addons\kskincenter\ksolaunch\normal\logo.png

Filesize
12KB

MD5
d58510dca6b659c6e4ba7a454d5b75ce

SHA1
e142de2dda3811a2e8bbbb2eb64d366e8eb9ea3c

SHA256
ddfd8c3e15c7a4667e369546fd8be6e7dd24be632acba2692ffbfc4272eb6518

SHA512
42409f9976ad08ecf1756d1c2915f3ffd17cdc78e9ff552c0a08bdfa2fda8960e408721bfc9de1a5ed9c9aca3e23b97adb721b3c51b6b3f0ed3ee4a4c780cf88

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\addons\kwebpromehelp\run.ini

Filesize
226B

MD5
abc3a6089b0ea76ffc960fbc9b6e66d1

SHA1
50ad0cb201c13799024de56cf45116cf65ff5569

SHA256
c2fcf4d5d04350a76c4ce6b06db287d9e9c63b0f886fae500ac27b0627d38cc9

SHA512
ec1e32b7bed882095b23e049a4e1a86acf0bf993e2f691105ffbd99d93ebf28faad4fbdd645ac1eefa74ede575854a3994c7c6d2bacc6f7a09a1991561b1a44b

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\addons\qing\mui\zh_CN\res\qingaccount\ferrPage_timeout.html

Filesize
7KB

MD5
9b7a36d32ed674b3cb4d247d17b71794

SHA1
e756cff87d95360675b56b9ee4e2dd71bb96a852

SHA256
eb5dc549d839abd9dd7fb725629198959c7e5b0322454cf3c3bac89c57f53ca9

SHA512
97520f64605b0f2690a03b1bf42eaae8b3d4b10c0925081ac250ed6bdba190d16368fafa0ec11783dd21177becc4d945acfbb327fdab32ff6350dc3155f58721

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\addons\wpsbox\mui\default\html\syncassistant\favicon.ico

Filesize
4KB

MD5
1ba2ae710d927f13d483fd5d1e548c9b

SHA1
c0605efed936ee2600284e6480521d06fa64f872

SHA256
db74ab0b78338c1f778f8398c45f4103c99aea0e845a3118a7750b4eeafd3445

SHA512
f933cd352eaba92f509b3863353ddfefadfada26a4152ecdc4727d450bbf35e7b10fb3038fe8db340d5c63d74e608c1560ec84d0f6ffc8ccd940c9e0d7533544

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\addons\yunbox\mui\default\html\folderselector\dist\static\fonts\element-icons.ttf

Filesize
54KB

MD5
732389ded34cb9c52dd88271f1345af9

SHA1
8058fc55ef8432832d0b3033680c73702562de0f

SHA256
a30f5b3ba6a48822eae041e0ca5412a289125e4ba661d047dae565ac43b4a6b2

SHA512
e8971ae48f5287d252f5b0a2d0516091bef0d2febf7d01fd7b435e426d106fea251037439ec42c2937e934b66f38e5eb43d00a213cdf334f482f4a06b1817f9c

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\addons\yunbox\mui\default\html\syncfolder\static\css\app.css

Filesize
107KB

MD5
6c8e8b5a40bcaa65db2e23600ba58515

SHA1
ed5f39576a2ee624a187a8ff09b7ad9f9bf5e1f8

SHA256
9db4c6bc8ce25c712d19d676f2157e0fc401bdef21111e27317f89beb610b9ae

SHA512
61aa411e3aa8f889bef7b89e0bdd154ad81872ce48fc8655687fc6ebec3e22e2d8ff641be26787a6ea714c8ac2c257fff5b064ffd7cc41e573d9a7beeaeeb472

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\addons\yunbox\mui\default\html\syncfolder\static\css\chunk-vendors.css

Filesize
279KB

MD5
a3964e72421a1ef5fb60c6e17eb5d705

SHA1
5dd9584be5141e884a230c48746e1c88126b0a55

SHA256
64a207f1e9e24bd26d83e1397dfb94a155b46e0589ba5f002f1557072f3c21db

SHA512
4ce4119b7407b460969041809354c4ede587047ee643f2897eb0ecb9627608431f43fed27c54c70bacff3a6694eb32a85b535c7d6397ac22d7d28e260b0a5467

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\addons\yunbox\mui\default\html\syncfolder\static\js\app.js

Filesize
369KB

MD5
6ea825d75755278734ffd07e89867e6f

SHA1
bbfb8d7b5a35d697681802e9360eae6291e44d8c

SHA256
f1735c87cd85eab083c09f1b14806e09caea6c658eed0bcc1bbf18703563774a

SHA512
0dcb7003d43696287283e3eafe9cca82a9201c020e33a6f6cad0731a98270b39add4e7f24ddbc2eb4e2fbb740233bf40a986f6ec2b34ba10ddff0a26d18f934a

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\addons\yunbox\mui\default\html\syncfolder\static\js\chunk-vendors.js

Filesize
425KB

MD5
81e2ef7adf3c6e9d46cad32276781716

SHA1
40c5689f4131ddb609f6dc31b4220fb3413f1636

SHA256
1c877f69fa5fa07362ed4c0c7e6eeccde6afd4d67da9d38058cdc81809524e40

SHA512
caa109ef1a804c6d9a4e9325602bfea6753260097b6a457b7dd0abd8dc4be85bc3454378ccaec966d215fd3f4bd08375e8ce3d893e9984477da360b944f3233a

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\cfgs\setup.cfg

Filesize
434B

MD5
91027e04a38e7386430ee7373ca494a6

SHA1
713030a07795edd4a483e10c17b0be4d1443ec25

SHA256
ff95eea5ee0acf780edf3d40d36e366a56d1208e210b1d1aab3f8405086c096f

SHA512
4f4b256002c469b83c1ef505cb29cc22bc4ae2bf6da9ebd8fe5d904df0e8227d8ce033ea37eeea5129b997d2d7e6e4e5ed5f43f339e5bd30548092d663d1c677

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\kbase.dll

Filesize
177KB

MD5
6b7f68bd5266066a6569f15bbf1cb69e

SHA1
c7a22e1be947551f7b0f2d308c9f75b1ce34c08e

SHA256
b6795557aaf6aee42c715515c73e0a014b6ea39175fd23891c8d9b84c8600fc4

SHA512
4a26e7927f3f6dd156ade32371ffe9434abd3922dc50bd3e0e45598ac0c6f802cac69d04bfe56d91417f1afabe565fbe6202712825eef2f75daa0cdff0f61bd1

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\krt.dll

Filesize
1.1MB

MD5
339da30bbe05f7d0ee0b000c88c76fd9

SHA1
0c5a608fc342f8645008d6821ee0d2959247fec2

SHA256
ba7dfb36ad9f9657340b9814c4ea44a3e2247565d73751fd3e433b1049ffc11b

SHA512
cb0438d746de953a31a4baaa06b8069624a10b18eacddd5013586cf9d9477dca36f3e3468abd748fb8a836b9b0c0a93784c4865c617d87caa9162d785d03f621

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\kshell.dll

Filesize
23.1MB

MD5
ab5af1e05f6409e81950cd9e83d4a222

SHA1
13dd78eb2120e9ddf4220fc460126cee8f5edb3f

SHA256
81fa80695baac177b6caac998b35088ffb829e159e19dffa24d9366ee33c1961

SHA512
8223a102a7ba2205e0216d2484dd677ad88cf9a087560ed7cb64f785929fd6786aeec2ce59ddc052b7f9934af20f9216279b42a242cc34683e6a17bc82c64bf6

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\kso.dll

Filesize
24.8MB

MD5
eefff9b8a4b745af6c3e340dfce18164

SHA1
f21265e578dec02fc1b420370faf44be81550031

SHA256
58700f755a8174054ad8a0984b77f3bbc34c72c3d4409f7fe41172a8a21e3250

SHA512
0c4b0c98f8a9c11f3e2560a0ef99ffb8ae4a6ed6df96dd8bf2e9fefb033361cf9110fb01e97031904c5c98cacc60740ba1a00bba63c33f8cacec4498b9031980

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksolite.dll

Filesize
10.0MB

MD5
8bf61dce1196d5733871e2f2becfe7d1

SHA1
8d0579aa417f9fa580c1b8f57d6d1314f18eb967

SHA256
f4cea14ea1545929415d91647c71794f6538a274ba027ff58b56d143f9734937

SHA512
17b366c1d7143442a1239402f75968bec894822a102ab309eb8b261eea2f7ccd9e7de306f600355e82f0198e13a00bc4059c778234e2ced91c4d34bc34499534

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe

Filesize
3.1MB

MD5
7cabafcec3b852222a2461a8d289d4b5

SHA1
8adee50735a967635bb75d82a7af01dc94b6e1b4

SHA256
7a561952cf8c3f6a338da6bc65184c6e807553aba5e3101023f59abc8ef0d3ce

SHA512
1580bbacf49ca435941456f435d696bcb6d756b6156b33cffa084b921dead672027bfb81bef57fea45ddcf0d3a604be9227c054d892fadfeb74ab7f402608097

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksouil.dll

Filesize
1.9MB

MD5
949fa352b0afab7b8843fe52dec03829

SHA1
8e01db3e2f9b19650eb44a1005a019950254e743

SHA256
acd5454e2ba5c9b20a8b89f4fcdc249aa848128d1f4ff0c5520566c044bd8518

SHA512
4b6086714157dc64fb37cebd413a907371f4e227ce91fa64f1c5db8c0f0067d8ed541ccd116b095439553d0399c88054c08fc5e1cde1ab060c2a06eb15e8a63e

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\kvprinter\kvpins64.exe

Filesize
353KB

MD5
89497d9b3dea9f5a88c210ba64c371ac

SHA1
9aee01a76b4a82315f96a455862396307199e03f

SHA256
7be0fe53389f96e4d5647b061da7a2e0f518ad621bc0ebe94978823224e74662

SHA512
6e0662e1c8f278183b7f40d888adf03b5c6fdf5cc4a3c236a37c520b0682c66646c1020a1424c478169ea1bc335ae5b1cd69ad633a5ecd92d234d90b448b203a

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\libcurl.dll

Filesize
519KB

MD5
a1f7be2df27b5df7b4c5ee5a9ca793cb

SHA1
ddcce48683694db501b26ed0c143c8d14abb6e66

SHA256
5e7b5d18430429bb83cc81567d19c1e4567bf1e329b73e41f4f1406e7d950e8d

SHA512
0e4696a949b2c04dd31a371e6a65cff00833c1a5671e1017b0f334b92c094387e12fb427cec13701822c7f8ce9f4ca2529839d838fabaab308ba9b265142d26b

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\mui\zh_CN\templates\Wpp Default Object\Preset Slide Layout\wideLayout\presetLayout_16.pptx

Filesize
45KB

MD5
17ea9186a351ccf5bb9e8608077f40a4

SHA1
713a1fa1031245c639080b5708f2c40abaa41f4e

SHA256
0d83ba0a38951b5e06fd13020514c96bdb11688e7739b713b1d7a70ce4251101

SHA512
af8f4c5d3a45038fe6bd8ac8632de5a21af9324d8f4be6cab8a2dc03fd3f38747983c7720798ce8e4ca1234cf8b13cb7d475de3446ce08f4f6e76af0ab64a40f

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\wpscloudsvr.exe

Filesize
904KB

MD5
c5768ab883d310b72e3796d334a16269

SHA1
9b0c3e2f83c66112501b82b751498d74bcca8e2d

SHA256
6d1cafd178007a0da59710a5c68a77eec389c00855e6e8b558facd4322d51c50

SHA512
0611e9dce683c69fd4080aed2e29956f84ee2731809b22424522b65a2a559b24e3d454c4a992b39980310b77a0357f2487066929828aaa09c3ced5e49d7db7b1

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\utility\install.ini

Filesize
499B

MD5
ff7f70f866e51eafa34e1a6e2c01a036

SHA1
229dc211f6bf582a23e4b87dbf391fcccd618637

SHA256
ec54e0b3d965e50566dd1b8fbfa85fe34c290a0fa535f01d4e750df48473a713

SHA512
61b485f3da9d0cae630f977e61a020cb232b51d47fa9cc5edca4aefcfe7179be724b9205c4a531f3947e64455aa8b47c5be255853628b4ebc7fa99a837f48103

Download Submit
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\utility\install.ini

Filesize
625B

MD5
2f821a348ad9833467a457c149634e32

SHA1
9e8f2e87c0159bf02e512fdb6476f427810f012f

SHA256
33252dca03283a5e492b3a6cb3b54c02528ec79c508db297eeee0a8811421ec6

SHA512
071dcb9844d2a4e7b18245e42db461944da354b4dde0ed2f9fd1fafcdd3d10e5e658045495168a0fa83c0dfe5ca8791208cc72d583571d1630cdfd4e5f04b5ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kingsoft\WPS Office.lnk

Filesize
2KB

MD5
7cb0d32f24aff45146668f7d610ef039

SHA1
8fc84c14e89f38fc748b1e6656e80d879590863d

SHA256
788396da64013cec4c9afd2ccb7971a82cd45ef4d002c460d910b4523a19a9a3

SHA512
4036d66324a5b378518b9089a52e8682ffd175dee9c2d51a2f13b02fad0ced8c4ae2104a7c0de419e02bc9c7a16a41366b4dd40dfc02c9b1d82deabcedff7c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9F7D.tmp\AccessControl.dll

Filesize
13KB

MD5
28c87a09fdb49060aa4ab558a2832109

SHA1
9213a24964cd479eac91d01ad54190f9c11d0c75

SHA256
933cadcd3a463484bbb3c45077afda0edbb539dfbe988efad79a88cae63bf95f

SHA512
413b3afe5a3b139a199f2a6954edc055eee3b312c3dffd568cfdbe1f740f07a7c27fbf7b2a0b6e3c3dd6ee358ce96cc1ca821883f055bf63ddebda854384700d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9F7D.tmp\System.dll

Filesize
11KB

MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9F7D.tmp\v6svc_oem.dll

Filesize
192KB

MD5
500318167948bdd3ad42a40721e1a72b

SHA1
24134691693e6d78d6eb0a0c64833c12a0090968

SHA256
d3378ee739debcaee8c715963403d96bf025db98bfbb55e54635429890db85c6

SHA512
0a2d3b55528cc53cfce5b47158997300c562afd2c7bb5596532b218d3f482380887ee7c204b13d42425dc0c4cc439a7f9ed167f3767bda7b6e205e7e8f454863

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\API-MS-Win-core-xstate-l2-1-0.dll

Filesize
10KB

MD5
b74d06f62cd28683b35052715273f70f

SHA1
28f0ff95c64faa31eafdc4e5e95cd7dbeb54ca22

SHA256
144eb756de343fcb063034e9708cded52fe7f83ac3c94244a8de9baf95fe954a

SHA512
fd20a4342d365396c950b7a1c1b9672b4151fc1097af3abff6af9e0723f8bfb0628ac8cf3cdbae466fcb78ad5520ce5ef7a76d76a86f889dfa98b9a4d2fc032d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\Qt5CoreKso.dll

Filesize
5.0MB

MD5
78fe966f7cf2fba8b747edbad9946d13

SHA1
184c29513bfa6b32d4156162d6bda507fbe9fbff

SHA256
915d10d462955a7d518f89cc745df971584603e43a360d8f51ac56ee2d2fb365

SHA512
ed0f1f365d719e69fc1e04c40606ec09b706ba346491a21321062714865547f9103cac379a4cf2c9b2dc378ea0510d1e4cbea17d17c715e1dff6b9293583ad01

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\Qt5GuiKso.dll

Filesize
5.3MB

MD5
a35e999396ed122f3e0233440fab996f

SHA1
a1802754a81d8c6bb69dbcec27b38d212d796f14

SHA256
c972489efff452a167cfc91f5f38df2097607a3f4c040ed16b6e048c74e8cb29

SHA512
0561c1975deda555610621c407637380dcde9219798e118676fa090e4f23aa5988383c548f96851d8262ad0f9b1a0421bb19c87e0821adcef6e3e3f63401e4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\Qt5SvgKso.dll

Filesize
392KB

MD5
e3f21b8fff7a1352cb346b5197a02bf8

SHA1
0fd021bf2a1710edce1041d6a64c6553224d6409

SHA256
3305d301ea5e30574bc572ce500e97993a691dc74d476032ef34267bc4828447

SHA512
851b33d649c3e7a41d2c3cf550801f458f349ec7407eefabd2d7490d0e06a4ea55202f457987bc9e2f34f963de8640e705884f3e79fb42809172df819a0cd7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\Qt5WidgetsKso.dll

Filesize
4.5MB

MD5
1e8239fc7fc5fadc4282a6fccea81a96

SHA1
63d4d12344b3590c2c91b7a82438ffebb8adbef6

SHA256
17fc9f28b4bf41f4b66bfbfe5b1546b50425b573ab448fdfeb6694d55e02129c

SHA512
4e6e9ef83197ca8f9f1b54baaa5662a5b45f4401068522b25bc6a0bc2ce5535b4187736fe99a0254a8d4e51e329348d77de818fcfa07f89f4ae6d97d9cacd2ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\Qt5WinExtrasKso.dll

Filesize
217KB

MD5
7b828f73ad6cf42453bb51beb6986bdf

SHA1
e59fc400ea2788dd7706abc3ca642b6eb57f9c04

SHA256
5c61dd388ed746ea4b00c885e7f2bd5bbec5d2fc76733d7c264e4e6937cffe52

SHA512
de8292e41930165df87ba1556724980369c9f74932f48157b5007da313000d3aa5744f8025d8c7ba90f060b9fb99b9915613e2481fd928d1b2d495c399202011

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-console-l1-1-0.dll

Filesize
11KB

MD5
b951011ba021c374455e8d1e18af84d2

SHA1
2d2e5e097ba5d92e6977cbb23afcc60b2e1d1c8c

SHA256
1c057286bdf0cb90f7dd1fecf5e8afbcff1e27f2a94612967c0634ae639ca43d

SHA512
bc7007ea97647b53a62561c7eafdc292478e2d1dd9cad9f84a3641eba5a57184274fd992f08a18c7f9afa82d5c37a15b6058f147e88623d5d0f5b962931b3850

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-console-l1-2-0.dll

Filesize
11KB

MD5
c26d7d913fd245afc0f0d658595447dc

SHA1
b5e00a0516b6c8c6f6a51ea40fae1beba3dd49ba

SHA256
73e4264dd66696163fbbf868729841f2e9b86f5a59912e64fb9718a8c889a7aa

SHA512
f7e22751671ef8f5d9768cb96733377cd5f38cdf241503234f69c4c6ac9348416c1a7622d7008fc1323a8673359db9e0bef29a4fec7853c5b5fe0b94e294471a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-datetime-l1-1-0.dll

Filesize
10KB

MD5
7435c7831c7b3b47e55701e5c6cca67a

SHA1
8e0fcc170f5d66beea796b38cd544a045375204b

SHA256
7ea1c2902a47fcd4a30180a4fe5ba5800fcad76b63da5ca4494e24954cea9bd3

SHA512
453fde0df6bf8867dac38e1dd155300a4fb3ab88a20de3420f14ce2c05d890459b767671b23d21422c49ff1aebb9ea84b47bee0e2b2305a7af1314393de28267

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-debug-l1-1-0.dll

Filesize
10KB

MD5
d05f970cf2bdb0da0a1bf33cbc36b53d

SHA1
505b7e21e237d7f8c454bdfb37b19932ae6980d3

SHA256
273516d86d92975ba14f0f85bdce5b81f75f8ba76e08e33575c67f34d7236775

SHA512
62b843ea200fee7868482de417048458c304a218ccacf44b70e0026bafc5e37aec4e7ad2c93513cfdbaa06e5ced7a826fa4701d27d6fb9eb81f183335fa182d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
10KB

MD5
801750157960c928af876c3ec8dd4651

SHA1
1cb405eb7339ef121df51f5eba44e0b0177a76d3

SHA256
be330de7aa8f2f33bcdabf0cec2551399b4ea0f22335a0277ea9c3a7aa405bdd

SHA512
70d84b12ec65f497720dd3ee2c634a67d2f0011c9ea825bdbf20343f3572a99432a843cb178f705d923649694cd38aea9ed97b7162138e56374cd369d158d2b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-file-l1-1-0.dll

Filesize
14KB

MD5
7f3c75a78482e1ea21cdd81055b3135f

SHA1
e0fa94d72626531aa971c3f1385f03ded6bde6a0

SHA256
50347ffd660720cb1f41691be2793d00b169c864f7260dba1966a8ce5c9da943

SHA512
925ee75ea5261de55d50e0c72de891833e20975b06cf9a1712385c077fef4548639d629354969cc8d18bc7664b6b3e03ffd11d08965e2fc94b3a11d3de6cf839

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
cd3cec3d65ae62fdf044f720245f29c0

SHA1
c4643779a0f0f377323503f2db8d2e4d74c738ca

SHA256
676a6da661e0c02e72bea510f5a48cae71fdc4da0b1b089c24bff87651ec0141

SHA512
aca1029497c5a9d26ee09810639278eb17b8fd11b15c9017c8b578fced29cef56f172750c4cc2b0d1ebf8683d29e15de52a6951fb23d78712e31ddcb41776b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-file-l2-1-0.dll

Filesize
10KB

MD5
b181124928d8eb7b6caa0c2c759155cb

SHA1
1aadbbd43eff2df7bab51c6f3bda2eb2623b281a

SHA256
24ea638dfa9f40e2f395e26e36d308db2ab25ed1baa5c796ac2c560ad4c89d77

SHA512
2a43bf4d50d47924374cde689be24799c4e1c132c0bc981f5109952d3322e91dd5a9352b53bb55ca79a6ea92e2c387e87c064b9d8c8f519b77fff973d752dc8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-handle-l1-1-0.dll

Filesize
10KB

MD5
d65ef6902015757c4b5e2b550c233e1d

SHA1
8b3a44beceb81727071337a9c9e7d0f3b1370455

SHA256
9f2c87a8f541fd2e563778208c51f1e1852d4874571b6c5218066c0d58f9539c

SHA512
01dc60cf2d8f902848a4234cb97b12329d813f836786407ee090083a9fa6750df7f6b4db6d3496a873fc352bba4edf109ea6d5811d124075d8f3d21008c96773

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-heap-l1-1-0.dll

Filesize
11KB

MD5
8af9779906d36b71166a1e286c880d0d

SHA1
deb18c79ab7def1f7ce1b22f90d21b3f6c5d8ef3

SHA256
2e9a683aa69db2f8186ce9ac3e6a610fc727390155668b2680a728a6e6c67247

SHA512
c9927edc959272747aad42f9d243119fba2d126ac7e0463b59847e3738fe62fe58c01f666791d66177949e61b6bf36da67d558475382aa71a236794137186e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
11KB

MD5
2f68cbb35c4c8e66c7d1a8b6c2079700

SHA1
2acb3bdfb7209323d586866e276e152d540d5ae3

SHA256
96509b560bc604a30af26e08d6181d24dde1d51bf3654a12cd663a4ba1a11eac

SHA512
d5886e85abb2b2b4dd0d632e56d7f056f58374b774769bc83dc84f734827fc87b91d85f609f6faae3e3c10703716b31d775ca7f5819a1f719a355a154a8cc1ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
11KB

MD5
57a0a074d52e17ce0fec69b4106bceb4

SHA1
f6fbe3fe91884d3aa19ce93156423da55bdd6ced

SHA256
f378ed4e0a68ca5fefff824912a5ec14992a6a8859e088a50a6df6d632611834

SHA512
8878c3bc77e004924e4595e03d0e717c75e44475e3bef923facd8435fbb26d2f7b3e16acb1e0516e0d0a5df502375ef86aa360d7c9cd79a52256b946896a7df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
21519f4d5f1fea53532a0b152910ef8b

SHA1
7833ac2c20263c8be42f67151f9234eb8e4a5515

SHA256
5fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1

SHA512
97211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-memory-l1-1-0.dll

Filesize
11KB

MD5
ed6d551457d8a41b48bf017b79765e27

SHA1
fa1609389caea2192f37017a23ec66e0c7f21d65

SHA256
7733252eb66a1f3ce0efc5c375fadd6fa20a596324658c72d4e707f67909a433

SHA512
a0fb6d1420c9a74266c368f246af06c173379c78f0ac6eb676aa95f5c41e9b12f52fc32ec79c89d1cf4ea67c0a8d092d0ca3caba651188598a52b1a2ff2f4c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
10KB

MD5
d8873df4158c5d449f13fd32442f10f5

SHA1
52c9bf4137e466124eab9aa639671795d05125f1

SHA256
04532aed545a391a9e95d6103a816ec5d26df14af51f51dd0c649ddd57862e5c

SHA512
e52876ca557755f50bdd3f9adf124a6a562798a725480238f747348c9f81539903f8a19eeb00a61e50f5fde6e7acc8e613b4ba94cc0d8facc2a91f98078997d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
11KB

MD5
0a34f6f91287218a1d451999957701b3

SHA1
05727b747b29845e025d2efde0e43ee36927439e

SHA256
ed755e302cc2a9f5d3cc38140a90697c6bb24965acc6cdaddb63e95c3d2cb9bd

SHA512
24d69f006cdfb91182e3cf9d917dad90353c5824cb19a00a9c4dc9feff0a279a32750a83774a5fe4f5e863386e23efb96a0b54a82c551f28822c6df410eebed8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
13KB

MD5
45578c4fafc6d9d5ab6e78a07827c19e

SHA1
2fdf383c24a697a0cc29231dab4d0a77207a29f1

SHA256
6d298ae58e7651d23b75a4f6cc070794e716574fe497105fb4ef727ce9782779

SHA512
63ce2272ecc03e7e8c60395360fc685b4b144fb1cadc709f15e070e4e7b769ab282e7a652254386e83827d7982936f38a152014848e183fdb0ea38dff92e83bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
b5c8334a10b191031769d5de01df9459

SHA1
83a8fcc777c7e8c42fa4c59ee627baf6cbed1969

SHA256
6c27ac0542281649ec8638602fbc24f246424ba550564fc7b290b683f79e712d

SHA512
59e53c515dfa2cd96182ca6539ed0ea2ebb01f5991beb08166d1fc53576aeaafebbb2c5ee0ccbdab60ae45fc6a048fff0b5e1b8c9c26907791d31fb7e75b1f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-profile-l1-1-0.dll

Filesize
10KB

MD5
1672a33674cbaf42b3eec20d52930bd9

SHA1
f6e3da76e7de8a0d5f2e254b080ba973c92ba817

SHA256
a99b485112b305623ec3c8ea0d4c9acfac0c5c66821d4a98cde7b43edb8b78fc

SHA512
7b405243d474706c192e3e3b67ff61412adf41ea3bbbdcd5281aab2e7bed01c0c83a09fe60c0a0274d176a3aeb54dc0406dd044e002b8a447503c6dceb34d237

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
10KB

MD5
83cad14da9e92a8baf84a9afe2c9a5b0

SHA1
14c89f2ade657eb9249b95f9290fb4284908c9c6

SHA256
a45a7143971e7f8bbe4d5667927e3ba0fe5d0c025ef5d776ff8a5826341a99cf

SHA512
a5e93d77555e65bff5d47b2d6e9f7668cc6353a815cb1b11eaa6910594d53a9a2a538b8fe6b89cc2589f0dee321215039c012637809fc513b39fb902c02fdb4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-string-l1-1-0.dll

Filesize
10KB

MD5
990cba52bd41c096c79778188dd63a15

SHA1
4a902cf7e4500c736ab4830e762cc1e18bb224ec

SHA256
0c1cbbb4630d38632ed6a5bae9ba7e06fe19433f2a5bd548f3d73f315359d79e

SHA512
1ed847989d02ef2c57edbd4726d818ea4bd811a255873765dd6090b9f8b204dff3610e887979ff8016c9b40bdcd2eab39ed064bb0f5f4447a94d56ab24e5183e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-synch-l1-1-0.dll

Filesize
12KB

MD5
69e1eddc7cd991f9f5db2fc6fdb6f46e

SHA1
6e8a961767f5ac308d569fd57e84b56b145c6c53

SHA256
cc39ce8fe4a38a80c7b316a7191bd319efd99f9f7cb5b97fe8c3d65d2e788070

SHA512
61935e8eab14babb17dc4362e49f06119efde5de0d3b8d0e330b8b8989ffaeacefd23eada19d4747605f9e9f510ed4f11618b047f6c915554162f19e5a138f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-synch-l1-2-0.dll

Filesize
11KB

MD5
eb6f7af7eed6aa9ab03495b62fd3563f

SHA1
5a60eebe67ed90f3171970f8339e1404ca1bb311

SHA256
148adef6a34269e403bb509f9d5260abe52f413a6c268e8bd9869841d5f2bd02

SHA512
a9961212b40efc12fd1ab3cc6551c97c987e73b6e409c9ab8a5e1b24542f9e5884811f06883bd31d2585219c4f60c30de2d188788513c01b6cbfe22d539d7875

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
11KB

MD5
d4359815e2a7f10b4dd3ec3945eed45a

SHA1
4c83bd868c963c3afa29d92f75d185ad612c9b11

SHA256
328dff5738e59b78e2951920efcc69e97548c8081f4714540b4e723443b8feb4

SHA512
09ac1040e0a9edd8562c4b76430c82cc25ca94634a9c632803d8bc8eec6ac34d9ad5fb6509416bcd970accb6dce27730bcfeb1ce29d0920c84cc2daf5102d627

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
86421619dad87870e5f3cc0beb1f7963

SHA1
2f0fe3eb94fa90577846d49c03c4fd08ef9d3fb2

SHA256
64eccd818f6ffc13f57a2ec5ca358b401ffbb1ca13b0c523d479ef5ee9eb44ab

SHA512
dbce9904dd5a403a5a69e528ee1179cc5faab1361715a29b1a0de0cd33ad3ae9c9d5620dafb161fda86cb27909d001be8955940fd051077ffe6f3ff82357ad31

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-util-l1-1-0.dll

Filesize
10KB

MD5
e0727785f827d39eb167749227a316ed

SHA1
c063a309aeff016f0a7d728c44fe169ce6da12c5

SHA256
e4e4e55abf599d1a9ef7b95da0d7fd37f23a6cf1d368a77f88390eb2e0c1340d

SHA512
83c2bc0f3049b619bf39a8cd6b5fa1ee1346ada2075e7495f264360a62f6fe7ddaafb382b60dfc18857c981c584c750a0b07c1d5d81410a80c296fa1b276ad0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-crt-conio-l1-1-0.dll

Filesize
11KB

MD5
a76584c4923b1be911d9ece4ea439116

SHA1
e025b0afc3b9a8046f83e5df718bac4ad05c9c2c

SHA256
3181c520d7ab831c8ff330afe15ad717a5a1ed85b5d91b50b838be1e5c96d052

SHA512
9e701066b81979318f41ac54ef4e1faf7a5e4cfa7482e61a60717fde10bba0851bf86f446f53a8bb26a1df95405cba0969648435fff3368bf9c2fec9ffc333be

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-crt-convert-l1-1-0.dll

Filesize
14KB

MD5
88f89d0f2bd5748ed1af75889e715e6a

SHA1
8ada489b9ff33530a3fb7161cc07b5b11dfb8909

SHA256
02c78781bf6cc5f22a0ecedc3847bfd20bed4065ac028c386d063dc2318c33cc

SHA512
1f5a00284ca1d6dc6ae2dfce306febfa6d7d71d421583e4ce6890389334c2d98291e98e992b58136f5d1a41590553e3ad42fb362247ae8adf60e33397afbb5df

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
0979785e3ef8137cdd47c797adcb96e3

SHA1
4051c6eb37a4c0dba47b58301e63df76bff347dd

SHA256
d5164aecde4523ffa2dcfd0315b49428ac220013132ad48422a8ea4ca2361257

SHA512
e369bc53babd327f5d1b9833c0b8d6c7e121072ad81d4ba1fb3e2679f161fb6a9fa2fca0df0bac532fd439beb0d754583582d1dbfeccf2d38cc4f3bdca39b52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
12KB

MD5
a1b6cebd3d7a8b25b9a9cbc18d03a00c

SHA1
5516de099c49e0e6d1224286c3dc9b4d7985e913

SHA256
162ccf78fa5a4a2ee380f72fbd54d17a73c929a76f6e3659f537fa8f42602362

SHA512
a322fb09e6faaff0daabb4f0284e4e90ccacff27161dbfd77d39a9a93dbf30069b9d86bf15a07fc2006a55af2c35cd8ea544895c93e2e1697c51f2dafad5a9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-crt-heap-l1-1-0.dll

Filesize
11KB

MD5
a6a9dfb31be2510f6dbfedd476c6d15a

SHA1
cdb6d8bd1fbd1c71d85437cff55ddeb76139dbe7

SHA256
150d32b77b2d7f49c8d4f44b64a90d7a0f9df0874a80fc925daf298b038a8e4c

SHA512
b4f0e8fa148fac8a94e04bf4b44f2a26221d943cc399e7f48745ed46e8b58c52d9126110cdf868ebb723423fb0e304983d24fe6608d3757a43ad741bddb3b7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
50b721a0c945abe3edca6bcee2a70c6c

SHA1
f35b3157818d4a5af3486b5e2e70bb510ac05eff

SHA256
db495c7c4ad2072d09b2d4506b3a50f04487ad8b27d656685ea3fa5d9653a21d

SHA512
ef2f6d28d01a5bad7c494851077d52f22a11514548c287e513f4820c23f90020a0032e2da16cc170ae80897ae45fc82bffc9d18afb2ae1a7b1da6eef56240840

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-crt-math-l1-1-0.dll

Filesize
21KB

MD5
461d5af3277efb5f000b9df826581b80

SHA1
935b00c88c2065f98746e2b4353d4369216f1812

SHA256
f9ce464b89dd8ea1d5e0b852369fe3a8322b4b9860e5ae401c9a3b797aed17bf

SHA512
229bf31a1de1e84cf238a0dfe0c3a13fee86da94d611fbc8fdb65086dee6a8b1a6ba37c44c5826c3d8cfa120d0fba9e690d31c5b4e73f98c8362b98be1ee9600

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-crt-multibyte-l1-1-0.dll

Filesize
18KB

MD5
cce453c53f6dac9496bfa5415cc92731

SHA1
18fee669be0aa8a1839a75a167980f3f246c93a4

SHA256
50752719a62627e7a8d2c26970fe59af839692d060c009fd0652325362752659

SHA512
2cfe07c602c2e6205a2a2aa0de4ca8e105c9973d14b9d131a6372ba54697d17af7c84c898329425a3d19fd6c1434bcaf162ca0dbc5f0d20cb5973c63aee6b23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-crt-private-l1-1-0.dll

Filesize
64KB

MD5
1f72bfe2fb7bb2a403efda6ee963d259

SHA1
bcfb984771542970488bd6132dfa2746267b7fbc

SHA256
601ccd84d252fc6e024b1319902e48cf98bb922bf7799384a85640d5ce6f4a16

SHA512
e47c4c7a939d8e1022b6ce41ca15b1e3e4028f3bb302d1836bbdb3ec8d0c0141dd79ff147e6dc7fe56e09ab65dd15385362ea190d8792173674660a33acd5d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-crt-process-l1-1-0.dll

Filesize
11KB

MD5
108433c271995786a8289afd611ea28c

SHA1
ba58c577311e39ff7e92a6be0dd6b80abfee6edc

SHA256
4c058e5b8f83ce395a7004d8c4043735526de01c5764242d4ce4f683dcf1425c

SHA512
800bd7a8702905fd9be83f17087440228f1428237d202160a5618aa6cfe1d1aad3c2608f324db38d235348bd2c8682f55d8ff52d13f9c37fa7c32d64a967db77

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
4f06da894ea013a5e18b8b84a9836d5a

SHA1
40cf36e07b738aa8bba58bc5587643326ff412a9

SHA256
876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732

SHA512
1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
16KB

MD5
5765103e1f5412c43295bd752ccaea03

SHA1
6913bf1624599e55680a0292e22c89cab559db81

SHA256
8f7ace43040fa86e972cc74649d3e643d21e4cad6cb86ba78d4c059ed35d95e4

SHA512
5844ac30bc73b7ffba75016abefb8a339e2f2822fc6e1441f33f70b6eb7114f828167dfc34527b0fb5460768c4de7250c655bc56efd8ba03115cd2dd6f6c91c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
f364190706414020c02cf4d531e0229d

SHA1
5899230b0d7ad96121c3be0df99235ddd8a47dc6

SHA256
a797c0d43a52e7c8205397225ac931638d73b567683f38dd803195da9d34eac2

SHA512
a9c8abbd846ab55942f440e905d1f3864b82257b8daa44c784b1997a060de0c0439ecc25a2193032d4d85191535e9253e435deed23bdf3d3cb48c4209005a02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
d0b6a2caec62f5477e4e36b991563041

SHA1
8396e1e02dace6ae4dde33b3e432a3581bc38f5d

SHA256
fd44d833ea40d50981b3151535618eb57b5513ed824a9963251d07abff2baedf

SHA512
69bd6df96de99e6ab9c12d8a1024d20a034a7db3e2b62e8be7fdbc838c4e9001d2497b04209e07a5365d00366c794c31ee89b133304e475dde5f92fdb7fcb0bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
3dfb82541979a23a9deb5fd4dcfb6b22

SHA1
5da1d02b764917b38fdc34f4b41fb9a599105dd9

SHA256
0cd6d0ff0ff5ecf973f545e98b68ac6038db5494a8990c3b77b8a95b664b6feb

SHA512
f9a20b3d44d39d941fa131c3a1db37614a2f9b2af7260981a0f72c69f82a5326901f70a56b5f7ad65862630fce59b02f650a132ee7ecfe2e4fc80f694483ca82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\concrt140.dll

Filesize
238KB

MD5
4cc02ba9d10b18be0a02e3555aa78a98

SHA1
d1f63d5aa58b0b7ea1925dd3447861b3faf8cd8e

SHA256
1cddacbfb0c61652fcd543fef1e72cf649e27f3ee8f0d1c0d3988c0b5093e74e

SHA512
9d345573ec7a55aa06414cdd5b23e9085d016f4e9eec10581f93109c12e51603f39b01ce5539f8b1d16086e92b94baba05ebe45e9556c96a6b439c97cb82dc3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\dbghelp.dll

Filesize
1.2MB

MD5
56d017aef6a7c74cd136f2390b8ea6d3

SHA1
46cc837c64abe4e757e66a24ece56e3f975e9ef6

SHA256
900da3e0ea1b4f94773689b41d3f00b28b0fad0f6390da3aec3a9f84a3f85920

SHA512
7b5573461693c6125df7ff9040afb6f4fa818a68add9073071a3317767216dd9a6cf25704f3189f3923ead36751fa830e9899eb79f9b6cad3be405262bf53f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\kpacketui.dll

Filesize
1.9MB

MD5
2ab0200912ffa7d8a6c1b68c2e38cd2e

SHA1
44cad0fa714c9a4ecbe8081382a7c6b033f5c635

SHA256
4c7a2886fc4664a97534afc99f3a439a085ac2784660ddfa79dd7b55769a3dcd

SHA512
e82523f0f74f2eca9e49456dd3bfc644bd75efb80a8b8e0c90815f41ef6b87720f530e1739768661a83bac7f8c5878f7b45eb684ba7ea2db04b370c4d88b7e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\msvcp140.dll

Filesize
427KB

MD5
db1e9807b717b91ac6df6262141bd99f

SHA1
f55b0a6b2142c210bbfeebf1bac78134acc383b2

SHA256
5a6dfa5e1ffb6c1e7fc76bd121c6c91305e10dd75fc2124f79fee291a9dd9e86

SHA512
f0621977d20989d21ae14b66c1a7a6c752bfd6d7ccc2c4c4ec1c70ba6756e642fb7f9b1c6a94afadd0f8a05d3c377792e4aa4c1a771d833c40a6f46b90cbe7c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll

Filesize
61KB

MD5
bca06db91a82a5ec364bd16699305a51

SHA1
4ec7cc816dde8f133f04245042b9ef33d048e668

SHA256
a51b9ea43708101a94da0c703d932bca9dbf116ac16ff9a8158b0ed5c594cc75

SHA512
17a78b74ad1c10a450004763a39d23e0984cfc5a1443544a2016c655a7aec22c3b0ecdce7c35d6cf9d0f7082f1f2b4b10affcb7cfd474bab49ebf1869fbcf8eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\qt\plugins\imageformats\qsvg.dll

Filesize
41KB

MD5
afc29e1baea327510f5922a6c739dc25

SHA1
21548f69ff63221247d445f14b2d76f3b152d098

SHA256
039d1a856bc9ab91242b30de33d58ef031ea519dede44d9f69a94177691f4bb6

SHA512
c63e48e1b9388505b21027c5e0ba3cf0933d4007b5b19d90ce48c84253ba569658f94b4c0437b592f4d08900127f86713a12607aa14aff73e3ea59cacda714a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\qt\plugins\platforms\qdirect2d.dll

Filesize
1.4MB

MD5
0daf8bccf091f1b24bbb818099376fa2

SHA1
3f8dab685aa4965ec8bfd9fd5eee936b603392be

SHA256
dcf05308ed15e9845c9b0251fba36f817a5a9a51c5df3fddd98b9d5e49651718

SHA512
b773ba98d7e28d4315a3d1f63f4cc35256e4df7694885b4698b9af737026eb7f3041fec22ff4c52a5b8583669af085e356f72f4e7cb1c87b866f4bf92b3fe796

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\qt\plugins\platforms\qwindows.dll

Filesize
1.3MB

MD5
63f417b05fda561286a55247ff9e69c7

SHA1
55d7ce68b362df5783e64c70bfc5670fcedc26a7

SHA256
3a84a253b230fe3e2d957dc19803d51b7c68b062de6a9e5b187900d42d7eb1b9

SHA512
094c29702c6085d2af447565c976fcd52497d878a70912fed85b3a41f94c2ffb6bb3085bdd766b10e27443a82066102ff8bf074175b3bc7ee44c7d5eec4ec92f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll

Filesize
145KB

MD5
4aac3b6bc8ddf0fb8d0f2b5cdcfff5ad

SHA1
e4ac73f45ca6ce08c4e02741a20ff86c7cbb0b07

SHA256
78d9cf2832cc261fbcc8467691ad947363b66927788bf3a90fdabb448999bb96

SHA512
7befa3bffe3220efff1723574ef14fc8d778754900393b77a0aa207bbc42e39b85d79ff6d6e460541d970a1c98c3dbf26ef00156299ae8d3ad63f57e8bab448d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\ucrtbase.dll

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\vcruntime140.dll

Filesize
75KB

MD5
8fdb26199d64ae926509f5606460f573

SHA1
7d7d8849e7c77af3042a6f54bdf2bb303d7cd678

SHA256
f1fd5f6ec1cfe0cc3b66b5322ac97568bc63b19c1e415b99aad7c69ddbafa33c

SHA512
f56bf11d4259dbf5d4d1f9fc2ad60ff609cddb21278999e9fa55fe5d74552e8a01ddc55cfdc9bf4b09b3e3130a1356142a24a7db8ec5ea19344de617dc9fa99f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\product.dat

Filesize
101KB

MD5
f6e9f1463fe638ab89b015d80066f0f0

SHA1
420ab30d4ea3a099dfe322a65607943ef2ee80e6

SHA256
82e478a56b0af1a925117eff4c55c41b672831a45ab1f18d53fe361c5ddd1707

SHA512
a178552396124d037223502e02f25406dffe4b6893c46835f9b606a60adb2324a7bf200511adaf2aba89c04742c3fa4497c1999655f5b94358aa000a5ca3d841

Download Submit
C:\Users\Admin\AppData\Local\tempinstall.ini

Filesize
382B

MD5
6a5eea749583001de63b993fc66496ba

SHA1
fd41691ec4751e85be89917d46454f8533800b4e

SHA256
bca613688e735ccd1fae7164550bd8ae90862028cd0bf31534c149ea0d7c9f60

SHA512
6a5b9b863bf139c87b5734d6e8310c7231a1015d8eceb15f76ccf7676d36f9107fd5d817a6f04ed47c3ee45be409073c837beee3c079abde5bc38233c98b9712

Download Submit
C:\Users\Admin\AppData\Local\tempinstall.ini

Filesize
428B

MD5
5e1b68b67986b1588301c0135f19fc7c

SHA1
957ea47285f7d903cce7530ee34852435de5b5b4

SHA256
23456d8ce681d1a5a31bf06262e088f4feb8d0e8fdc1d37afa4aa02830ffacdc

SHA512
268ec437c5971552dacca1e9ef6850543614d5a7f05ac34b41bf05f73e97e4c694d59e4f0618a57660ffad4f2faee653b4c0c824f97a6e9fddc48d22c52739af

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\nse\language\zh_CN\ts\nse.ts

Filesize
65KB

MD5
557007e25e8135f468079132fbaa673b

SHA1
37635f4a81c806b56f0a93439ff032cf4bef51cb

SHA256
5f8bb106fb375c649d462335e53c95dcb95c046f3acb73b08027690a6a2d45f1

SHA512
4a12db74deddadd7973f0c23836ac54695a9aa198d87db489007004346c807e1fd927609ac49143c323f0d7420a657716484d3d30d741ac6bc9b8624dea94fc3

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\nse\language\zh_CN\ts\nseresource.ts

Filesize
11KB

MD5
1befd5e4fbcb72e59fab8a8c1bc8c6da

SHA1
05122eda3bad0bb5d709bf31f86586a058861df9

SHA256
af91437f157d081de183478c519b7a1770ee61cbb7b92643ad5ed2171cc8502b

SHA512
b6f4e198a0c0920d0b62e9355ff4f68e2efa9b2ef336c61c5f972986b451d4658a40cdb1b0a7bccdc223dfc32c8b3d87db2fdeb7fdeed641214a96f5003b331f

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\ksomisc\ksomisc_2025_03_28.log

Filesize
3KB

MD5
2daad98bc389be021ff94fabfa2c6d11

SHA1
aea46b3dd52ea6615a56ac8d56f04ef8158a5c82

SHA256
721b392c99bb75910787a8672e18c1cd7e1d30b0c54530382e1ddcc02efa1c23

SHA512
49e8929adbb32f06876d128302ad5cd40e26f465389e5170aab583a73d9f510ffdb9596bc7aecffe09c1337f3ee88356b2743c06e43a52bddad0b9335bdccc30

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\ksomisc\ksomisc_2025_03_28.log

Filesize
5KB

MD5
2cb2074e608031cdd6fcc05fe473d460

SHA1
8ea40250dc209bd74c26b304408fb26f729928a9

SHA256
269fd048a2193665ab6f430527b701435457b66b246b7841b6502dcebf45541b

SHA512
afbe17632a293cacd7777b74170974063c87dd583425b2681bd695f71f8e86a60199e903bbadab3590cde560c213c4c56c381aa4505f65940ff7c14cd8374237

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
7KB

MD5
294706f00e2d53fba108df82e867e687

SHA1
aaa39ad9726d0531a2f0a617ad628306418837b6

SHA256
29db2ce8ff693c9047a14acc5a6ff24939c00a6d8e385a1117c805db368468e3

SHA512
6e2e896912556b38dfdadea95975d8b59703fe95957b95eccf9236eda4847e9855877b941aa34ba1dee89aea407ae4e670ecee4f92168474e957c27c7d260982

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
8KB

MD5
36371f489820cd134eaaafef826846dc

SHA1
b67c6658c2543e828519c63eb04dc15a7f617dd4

SHA256
56da91db8859098fac76d992ab3835ca2648ec9dbff7c3584fc2fc3a5d9c52eb

SHA512
1bbe1ca138cc9180c5e0c9e894babe5835add9650db52d338f0c0c4db0c81fbc5fdf3948c46ee9fb4a2478b9b8fdc66e125b9df113fcf55f23e3b65c986eea62

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
25KB

MD5
d483055cf739a3c9da9c8f09a788ed4a

SHA1
0e4aa51ea97885d67d4dde0569d0dfbf05a5621c

SHA256
acf53ff1eac3159c48c3daa795c2ef77959e35389c7c030c445de76b76188e27

SHA512
bdf5a260522a982ea4d0a4e5106d217b60c64fb8171af6173085c1fb4612f134bca01778062e8c805bf903bb480b7aafe0dafda07e6cc27b747ee89d78376102

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
48KB

MD5
69385374da23234e34ad7565c83e65ab

SHA1
63350cb0369361509161d2702791f4ea70fdab46

SHA256
4dbdea3faa239faa2e38007573be6cd6dde81c2424ae595f19047532c81ee073

SHA512
8ea78a1b5e9c4878be7fd2638019284e6a3c6dbbcf16b95762edce118ef4ecadbab995b1ee9830d07478148d0365489afe28325c1ac527293ae3f3494edcbd91

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log

Filesize
57KB

MD5
9bb5c9493e8fcf52ca31645241904992

SHA1
58fe111fb923294bf7315c7151d86f6a31b4ca19

SHA256
fbc3e9d76bafec3097320927e23f5d8847adc8a89b1aa1e5d1b4f2039beab02d

SHA512
b68fba5a284cd8ff5242813d0d81208b33eef18779659bd33c71e792c2d63957784ca8373ef1e3c2b1bddbdaeb4728127a6b9f5ea14aad487ce755cc9a50c8c5

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\kconfigcenter\kccsdkdb\kccsdkpriortydb\mdbx.dat

Filesize
64KB

MD5
59a44e57167a858bf4256544ea4b4af8

SHA1
a0ec0b3082535069733cccca0264c3264c2ced3f

SHA256
d2681f2de97e7d23adcfd38bdb5673e45343eb80ef843f4b7b89d4ee4f41f830

SHA512
c1b05f6a84b0d8cd0d0deb8f34690feb73d67955eceac0bca48aee0cb3b43222b37ba55ef4b146fcf47dfed862cfbecabcb9491a96ef51c2781cd0da8aab90e4

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\kconfigcenter\kccsdkdb\kccsdkpriortydb\mdbx.dat

Filesize
64KB

MD5
82877c911e84864408d45da64a6acc5b

SHA1
f102ff59885ac2a0ea4a5c533bc0913241dcd873

SHA256
9480ce7c78f34ea3f0bf1382902c867080a3087e1e2f62550ae4c1d9c28cdcb2

SHA512
0c1dc08bd986e512f34b210f96167da8d2756c9ea4c15ba659df4bd88eb72353a31b64a82904025077e5039259c613af82e2aba57e40a148f22357d22196c229

Download Submit
memory/1232-5367-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/1232-5374-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/1232-5366-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/1232-5383-0x00000000036F0000-0x0000000003707000-memory.dmp

Filesize
92KB

Download
memory/1232-5368-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/1232-5369-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/1232-5371-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/1232-5365-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/1232-5362-0x000000006F060000-0x00000000707A0000-memory.dmp

Filesize
23.2MB

Download
memory/1232-5372-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/1232-5370-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/1232-5373-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/1232-5363-0x000000006C210000-0x000000006C98D000-memory.dmp

Filesize
7.5MB

Download
memory/1232-5361-0x000000006E650000-0x000000006F05D000-memory.dmp

Filesize
10.1MB

Download
memory/3592-5330-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/3592-5323-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/3592-5297-0x00000000702F0000-0x0000000070CFD000-memory.dmp

Filesize
10.1MB

Download
memory/3592-5357-0x00000000031E0000-0x00000000031F7000-memory.dmp

Filesize
92KB

Download
memory/3592-5309-0x000000006EBB0000-0x00000000702F0000-memory.dmp

Filesize
23.2MB

Download
memory/3592-5331-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/3592-5332-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/3592-5306-0x000000006C0F0000-0x000000006C86D000-memory.dmp

Filesize
7.5MB

Download
memory/3592-5329-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/3592-5328-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/3592-5327-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/3592-5326-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/3592-5325-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/3592-5324-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/3760-5417-0x000000006F060000-0x00000000707A0000-memory.dmp

Filesize
23.2MB

Download
memory/3760-5427-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/3760-5418-0x000000006C210000-0x000000006C98D000-memory.dmp

Filesize
7.5MB

Download
memory/3760-5416-0x000000006E650000-0x000000006F05D000-memory.dmp

Filesize
10.1MB

Download
memory/3760-5423-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/3760-5424-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/3760-5426-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/3760-5422-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/3760-5428-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/3760-5421-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/3760-5420-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/3760-5429-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/3760-5425-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/3760-5443-0x00000000013B0000-0x00000000013C7000-memory.dmp

Filesize
92KB

Download
memory/4532-5318-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/4532-5314-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/4532-5311-0x000000006BD10000-0x000000006BD20000-memory.dmp

Filesize
64KB

Download
memory/4532-5310-0x000000006C0F0000-0x000000006C86D000-memory.dmp

Filesize
7.5MB

Download
memory/4532-5356-0x00000000030A0000-0x00000000030B7000-memory.dmp

Filesize
92KB

Download
memory/4532-5312-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/4532-5321-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/4532-5320-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/4532-5319-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/4532-5307-0x000000006EBB0000-0x00000000702F0000-memory.dmp

Filesize
23.2MB

Download
memory/4532-5317-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/4532-5316-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/4532-5315-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/4532-5308-0x00000000702F0000-0x0000000070CFD000-memory.dmp

Filesize
10.1MB

Download
memory/4532-5313-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/5596-5453-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download
memory/5596-5449-0x000000006C210000-0x000000006C98D000-memory.dmp

Filesize
7.5MB

Download
memory/5596-5452-0x000000006BD00000-0x000000006BD10000-memory.dmp

Filesize
64KB

Download