Analysis
max time kernel: 130s
max time network: 157s
platform: windows11-21h2_x64
resource: win11-20250313-en
resource tags: arch:x64, arch:x86, image:win11-20250313-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 28/03/2025, 15:25
Static task: static1
Behavioral task: behavioral1
Sample: WPS_Setup.exe
Resource: win10ltsc2021-20250314-en
Behavioral task: behavioral2
Sample: WPS_Setup.exe
Resource: win11-20250313-en
General
Target: WPS_Setup.exe
Size: 246.3MB
MD5: 4b3226ecc1da133e846eebc9af9b915a
SHA1: 46403afddb737e4d363446ff617475ae1bbfee21
SHA256: 667b472a0672133a75304d8b64972ac18a14949a2fcdfc0fa7a56b319a06a31e
SHA512: 4f9ee9d1d106cb3b02e150bd8a625b24cd5e486d62de843c00bd17009c6414c217a9f5c607530b2c88fbddfdea71ad7046634f592e37e9a7b7cdc7afd371bc4c
SSDEEP: 6291456:LGDVFnDNs5uOY2MuZHl1aQgAxW/AZH97nlI7Ec:LkPD/3zubzgJsH9b+7b
Malware Config
Signatures
Blocklisted process makes network request 1 IoCs
flow: 61; pid: 868; Process: ksomisc.exe
Unexpected DNS network traffic destination 64 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpsphotoautoasso = "\"C:\\Users\\Admin\\AppData\\Local\\Kingsoft\\WPS Office\\12.1.0.18912\\office6\\photolaunch.exe\" /photo /checkasso"; Process: WPS_Setup.exe
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description: Key created; ioc: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{783E484C-5E48-457B-A361-2DB2147CD2B4}; Process: regsvr32.exe
description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{783E484C-5E48-457B-A361-2DB2147CD2B4}\; Process: regsvr32.exe
Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description: File opened for modification; ioc: \??\PhysicalDrive0; Process: WPS_Setup.exe
description: File opened for modification; ioc: \??\PhysicalDrive0; Process: WPS_Setup.exe
description: File opened for modification; ioc: \??\PhysicalDrive0; Process: ksomisc.exe
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory 1 IoCs
description: File created; ioc: C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe; Process: WPS_Setup.exe
Executes dropped EXE 62 IoCs
Loads dropped DLL 64 IoCs
Modifies system executable filetype association 2 TTPs 4 IoCs
description: Key created; ioc: \REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\lnkfile\ShellEx\ContextMenuHandlers\Open With qingshellext; Process: regsvr32.exe
description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\lnkfile\shellex\ContextMenuHandlers\Open With qingshellext\ = "{67F4D210-BFC2-4ADD-9A2A-C9B9E1F42C4F}"; Process: regsvr32.exe
description: Key created; ioc: \REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\lnkfile\shellex\ContextMenuHandlers\QingNseContextMenu; Process: regsvr32.exe
description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\lnkfile\shellex\ContextMenuHandlers\QingNseContextMenu\ = "{AA147FFB-0B1F-4BB1-9B1E-8D062B35C146}"; Process: regsvr32.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; Process: wpscloudsvr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
NSIS installer 2 IoCs
resource: behavioral2/files/0x001900000002b129-5210.dat; yara_rule: nsis_installer_1
resource: behavioral2/files/0x001900000002b129-5210.dat; yara_rule: nsis_installer_2
Modifies registry class 64 IoCs
Modifies system certificate store 2 TTPs 64 IoCs
Suspicious behavior: AddClipboardFormatListener 49 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2128 WPS_Setup.exe 3448 wps.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege 2128 WPS_Setup.exe
Token: SeRestorePrivilege 2128 WPS_Setup.exe
Token: SeRestorePrivilege 2128 WPS_Setup.exe
Token: SeRestorePrivilege 2128 WPS_Setup.exe
Token: SeRestorePrivilege 2128 WPS_Setup.exe
Token: SeDebugPrivilege 4532 ksomisc.exe
Token: SeDebugPrivilege 3592 ksomisc.exe
Token: SeLockMemoryPrivilege 4532 ksomisc.exe
Token: SeLockMemoryPrivilege 3592 ksomisc.exe
Token: SeDebugPrivilege 1232 ksomisc.exe
Token: SeLockMemoryPrivilege 1232 ksomisc.exe
Token: SeDebugPrivilege 3760 ksomisc.exe
Token: SeLockMemoryPrivilege 3760 ksomisc.exe
Token: SeDebugPrivilege 5596 ksomisc.exe
Token: SeLockMemoryPrivilege 5596 ksomisc.exe
Token: SeDebugPrivilege 3880 ksomisc.exe
Token: SeLockMemoryPrivilege 3880 ksomisc.exe
Token: SeDebugPrivilege 1184 ksomisc.exe
Token: SeLockMemoryPrivilege 1184 ksomisc.exe
Token: SeDebugPrivilege 2044 ksomisc.exe
Token: SeLockMemoryPrivilege 2044 ksomisc.exe
Token: SeDebugPrivilege 2028 ksomisc.exe
Token: SeLockMemoryPrivilege 2028 ksomisc.exe
Token: SeDebugPrivilege 712 ksomisc.exe
Token: SeLockMemoryPrivilege 712 ksomisc.exe
Token: SeDebugPrivilege 3508 ksomisc.exe
Token: SeLockMemoryPrivilege 3508 ksomisc.exe
Token: SeDebugPrivilege 4788 ksomisc.exe
Token: SeLockMemoryPrivilege 4788 ksomisc.exe
Token: SeDebugPrivilege 1616 ksomisc.exe
Token: SeLockMemoryPrivilege 1616 ksomisc.exe
Token: SeDebugPrivilege 5348 ksomisc.exe
Token: SeLockMemoryPrivilege 5348 ksomisc.exe
Token: SeDebugPrivilege 4984 ksomisc.exe
Token: SeLockMemoryPrivilege 4984 ksomisc.exe
Token: SeDebugPrivilege 1748 ksomisc.exe
Token: SeLockMemoryPrivilege 1748 ksomisc.exe
Token: SeShutdownPrivilege 3328 Explorer.EXE
Token: SeCreatePagefilePrivilege 3328 Explorer.EXE
Token: SeShutdownPrivilege 3328 Explorer.EXE
Token: SeCreatePagefilePrivilege 3328 Explorer.EXE
Token: SeShutdownPrivilege 3328 Explorer.EXE
Token: SeCreatePagefilePrivilege 3328 Explorer.EXE
Token: SeShutdownPrivilege 3328 Explorer.EXE
Token: SeCreatePagefilePrivilege 3328 Explorer.EXE
Token: SeShutdownPrivilege 3328 Explorer.EXE
Token: SeCreatePagefilePrivilege 3328 Explorer.EXE
Token: SeDebugPrivilege 4912 ksomisc.exe
Token: SeLockMemoryPrivilege 4912 ksomisc.exe
Token: SeShutdownPrivilege 3328 Explorer.EXE
Token: SeCreatePagefilePrivilege 3328 Explorer.EXE
Token: SeShutdownPrivilege 3328 Explorer.EXE
Token: SeCreatePagefilePrivilege 3328 Explorer.EXE
Token: SeShutdownPrivilege 3328 Explorer.EXE
Token: SeCreatePagefilePrivilege 3328 Explorer.EXE
Token: SeShutdownPrivilege 3328 Explorer.EXE
Token: SeCreatePagefilePrivilege 3328 Explorer.EXE
Token: SeDebugPrivilege 3176 ksomisc.exe
Token: SeLockMemoryPrivilege 3176 ksomisc.exe
Token: SeShutdownPrivilege 3328 Explorer.EXE
Token: SeCreatePagefilePrivilege 3328 Explorer.EXE
Token: SeShutdownPrivilege 3328 Explorer.EXE
Token: SeCreatePagefilePrivilege 3328 Explorer.EXE
Token: SeShutdownPrivilege 3328 Explorer.EXE
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2128 WPS_Setup.exe 3328 Explorer.EXE -
Suspicious use of SendNotifyMessage 9 IoCs
pid Process 3328 Explorer.EXE 3328 Explorer.EXE 3328 Explorer.EXE 3328 Explorer.EXE 3328 Explorer.EXE 3328 Explorer.EXE 3328 Explorer.EXE 3328 Explorer.EXE 3328 Explorer.EXE -
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE 1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3328 -
C:\Users\Admin\AppData\Local\Temp\WPS_Setup.exe "C:\Users\Admin\AppData\Local\Temp\WPS_Setup.exe" 2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\ProgramData\kingsoft\20250328_152805\WPS_Setup.exe "C:\ProgramData\kingsoft\20250328_152805\WPS_Setup.exe" /ThemeIndex=#ThemeIndex# 3⤵
- Unexpected DNS network traffic destination
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\\office6\ksomisc.exe" -kccmove C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\\CONTROL 4⤵
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3592
C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe "C:\Program Files (x86)\Kingsoft\office6\wpscloudsvr.exe" InstallService 4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5716
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -addFirewallRule 4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3760
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -regmtfont 4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1184
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\\office6\ksomisc.exe" -setappcap 4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2044
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\\office6\ksomisc.exe" -registerqingshellext 1 4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2636 -
C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingshellext64.dll" 5⤵
- System Location Discovery: System Language Discovery
PID:868 -
C:\Windows\system32\regsvr32.exe /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingshellext64.dll" 6⤵
- Modifies system executable filetype association
PID:2396
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\wtoolex\wpsupdate.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\wtoolex\wpsupdate.exe" -createtask 4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6028
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\\office6\ksomisc.exe" -setappcap 4⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1212
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\\office6\ksomisc.exe" -assoepub -source=1 4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5052
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -clearmso2pdfplugins 4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4116
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -cleardocermsoplugins 4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4600
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\\office6\ksomisc.exe" -assopic_setup 4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3624
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -uninstalldatarecover 4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
PID:5960
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\kvprinter\Kvpins64.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\kvprinter\Kvpins64.exe" /i "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\kvprinter\Kvpins64.inf" /s 4⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\kvprinter\kvpvbsext.dll",_X86ScriptHostEntry VBScript E8898119CEBC48D9A441A41D1B54BF58 1 Uninstall /_X64Cast 5⤵
PID:444
C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\kvprinter\kvpvbsext.dll",_X86ScriptHostEntry VBScript E7C8E26D56944AA2886625ACB951F360 1 Install /_X64Cast 5⤵
PID:868
C:\Windows\system32\spool\DRIVERS\x64\3\kvpet.exe C:\Windows\system32\spool\DRIVERS\x64\3\kvpet.exe pdf_virtualprinter_install 0x424, 0x68 5⤵
PID:3576
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\\office6\ksomisc.exe" -defragment 4⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:3704
C:\ProgramData\kingsoft\20250328_152805\oem_static.exe "C:\ProgramData\kingsoft\20250328_152805\oem_static.exe" 3⤵
PID:4256
C:\ProgramData\kingsoft\20250328_152805\WPS_Setup.exe "C:\ProgramData\kingsoft\20250328_152805\WPS_Setup.exe" -downpower -ThemeIndex="#ThemeIndex#" -msgwndname=wpssetup_message_E57AC9B -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\ 2⤵
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -setlng zh_CN 3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4532
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -fixoldversionassostatus 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1232
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -setservers 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5596
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -register 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3880
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -regprogid true 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2028
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -assowordexcelpowerpnt 1 1 1 -source=1 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:712
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -compatiblemso -source=1 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Windows\SysWOW64\openwith.exe "C:\Windows\SysWOW64\openwith.exe" 4⤵
- System Location Discovery: System Language Discovery
PID:400
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -checkcompatiblemso 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4788
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -saveas_mso 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1616
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -distsrc 12012.2019 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5348
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -sendinstalldyn 5 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4984
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -updatetaskbarpin 2097152 -forceperusermode 3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1748 -
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\pinTaskbar.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\pinTaskbar.exe" "C:\Users\Admin\AppData\Local\Temp\Kingsoft\WPS Office.lnk" 5386 4⤵
- Executes dropped EXE
PID:1632
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -addcontextmenushellnew 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4912
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -regvascontextmenushellnew 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3176
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -regkwpsshellext admin 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3380 -
C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\kwpsshellext64.dll" 4⤵
- System Location Discovery: System Language Discovery
PID:5032 -
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\kwpsshellext64.dll" 5⤵
PID:5112
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\wtoolex\wpsupdate.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\wtoolex\wpsupdate.exe" /from:setup 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4420 -
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -collectfileassoinfo -module=1;2;4;8 -daily -source=1 4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:6128
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\wtoolex\wpsupdate.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\wtoolex\wpsupdate.exe" -createtask 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4408
C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\addons\kdesktopshellext\kdesktopshellext64.dll" 3⤵
- System Location Discovery: System Language Discovery
PID:2904 -
C:\Windows\system32\regsvr32.exe /s /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\addons\kdesktopshellext\kdesktopshellext64.dll" 4⤵
PID:2596
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -regyunpanfornew -forceperusermode 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4604 -
C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s /u /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll" 4⤵
- System Location Discovery: System Language Discovery
PID:1132 -
C:\Windows\system32\regsvr32.exe /s /u /n /i:user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll" 5⤵
PID:1720
C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s /u /n /i:overlayicon "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll" 4⤵
- System Location Discovery: System Language Discovery
PID:5940 -
C:\Windows\system32\regsvr32.exe /s /u /n /i:overlayicon "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll" 5⤵
PID:6076
C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s /u /n /i:contextmenu "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll" 4⤵
- System Location Discovery: System Language Discovery
PID:5140 -
C:\Windows\system32\regsvr32.exe /s /u /n /i:contextmenu "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll" 5⤵
PID:5892
C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s /u /n /i:nsemenu*user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll" 4⤵
- System Location Discovery: System Language Discovery
PID:2072 -
C:\Windows\system32\regsvr32.exe /s /u /n /i:nsemenu*user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll" 5⤵
PID:1848
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -regqingdriveshellext_install -forceperusermode 3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1348 -
C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s /n /i:qingdriveshellext*install "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll" 4⤵
- System Location Discovery: System Language Discovery
PID:1488 -
C:\Windows\system32\regsvr32.exe /s /n /i:qingdriveshellext*install "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll" 5⤵
PID:1236
C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s /n /i:qingdriveshellext*thumbnail "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll" 4⤵
PID:3472
C:\Windows\system32\regsvr32.exe /s /n /i:qingdriveshellext*thumbnail "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll" 5⤵
PID:2768
C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s /n /i:qingdriveshellext*drivebho "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll" 4⤵
- System Location Discovery: System Language Discovery
PID:5796 -
C:\Windows\system32\regsvr32.exe/s /n /i:qingdriveshellext*drivebho "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll"5⤵
- Installs/modifies Browser Helper Object
PID:1656
-
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s /n /i:qingdriveshellext*contextmenu "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll"4⤵PID:2228
-
C:\Windows\system32\regsvr32.exe/s /n /i:qingdriveshellext*contextmenu "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll"5⤵
- Modifies system executable filetype association
PID:664
-
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s /n /i:nsemenu*user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll"4⤵
- System Location Discovery: System Language Discovery
PID:3884 -
C:\Windows\system32\regsvr32.exe/s /n /i:nsemenu*user "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll"5⤵PID:5600
-
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s /n /i:qingdriveshellext*onlinefile "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll"4⤵
- System Location Discovery: System Language Discovery
PID:5388 -
C:\Windows\system32\regsvr32.exe/s /n /i:qingdriveshellext*onlinefile "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\qingnse64.dll"5⤵PID:2104
-
-
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -setup_assopdf -source=13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2412
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -assofdf -source=13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:660
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -createsubmodulelink desktop prometheus3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5580
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -createsubmodulelink startmenu prometheus3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5036
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\photolaunch.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\photolaunch.exe" /photo /createlink /install3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2976
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -assoofd -source=13⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:5600
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -assoopg -source=13⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:5508
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -regcadfileasso3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
PID:5244
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -regarchivefileasso3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
PID:4472
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -installbrowserextensionhost3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
PID:4824
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -regvideoeditsetupfileasso3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
PID:3880
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -regemmxfileasso3⤵
- Blocklisted process makes network request
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
PID:868
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -regeddxfileasso3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
PID:4456
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -repair3rdlink3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
PID:780
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -createexternstartmenu "WPS Office"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
PID:2840
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -rebuildicon3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
PID:6084
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\ksomisc.exe" -addJsapiCert3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
PID:1488
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\wps.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\wps.exe" /prometheus /from=autostart_after_install3⤵
- Unexpected DNS network traffic destination
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:3448 -
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\wpscloudsvr.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\wpscloudsvr.exe" /qingbangong /start_from=qingipc /qingbangong /start_from=kstartpage silentautologin4⤵
- Unexpected DNS network traffic destination
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
PID:4260 -
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /messagepush /PushType=mipush /From=Qing5⤵PID:5104
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\wpscloudsvr.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\wpscloudsvr.exe" /messagepush /PushType=mipush /From=Qing6⤵PID:5960
-
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /krecentfile /init /From=Qing5⤵PID:540
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\wpscloudsvr.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\wpscloudsvr.exe" /krecentfile /init /From=Qing6⤵PID:440
-
-
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\promecefpluginhost.exe"C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.1.0.18912/office6\promecefpluginhost.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=zh-CN --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\debug.log" --mojo-platform-channel-handle=3588 --field-trial-handle=3656,i,17518755134312184789,10966189837041705819,131072 --disable-features=TSFImeSupport /prefetch:24⤵PID:5152
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\promecefpluginhost.exe"C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.1.0.18912/office6\promecefpluginhost.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=zh-CN --service-sandbox-type=none --no-sandbox --log-severity=disable --lang=zh-CN --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\debug.log" --mojo-platform-channel-handle=3988 --field-trial-handle=3656,i,17518755134312184789,10966189837041705819,131072 --disable-features=TSFImeSupport /prefetch:84⤵PID:4556
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1210~1.189\office6\wps.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1210~1.189\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjEuMC4xODkxMlxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjEuMC4xODkxMlxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjEuMC4xODkxMlxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjEuMC4xODkxMlxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjEuMC4xODkxMlxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=3448 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.1.0.18912/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\debug.log" --js-flags=--expose-gc --lang=zh-CN --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=4648 --field-trial-handle=3656,i,17518755134312184789,10966189837041705819,131072 --disable-features=TSFImeSupport /prefetch:14⤵PID:708
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1210~1.189\office6\wps.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPSOFF~1\1210~1.189\office6\wps.exe" Run /AppUserModelID=Kingsoft.Office.cefhomepage -Entry=CefRenderEntryPoint -EncodePathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjEuMC4xODkxMlxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -EncodePath QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjEuMC4xODkxMlxvZmZpY2U2XGtzb2pzY29yZS5kbGw= -CefPluginPathU8=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjEuMC4xODkxMlxvZmZpY2U2XGFkZG9uc1xjZWY= -CefPluginPath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjEuMC4xODkxMlxvZmZpY2U2XGFkZG9uc1xjZWY= -JSCefServicePath=QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxLaW5nc29mdFxXUFMgT2ZmaWNlXDEyLjEuMC4xODkxMlxvZmZpY2U2XGFkZG9uc1xrY2VmXGpzY2Vmc2VydmljZS5kbGw= -CefParentID=3448 "C:/Users/Admin/AppData/Local/Kingsoft/WPS Office/12.1.0.18912/office6\promecefpluginhost.exe" --type=renderer --log-severity=disable --disable-pdf-extension --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\debug.log" --js-flags=--expose-gc --lang=zh-CN --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=4656 --field-trial-handle=3656,i,17518755134312184789,10966189837041705819,131072 --disable-features=TSFImeSupport /prefetch:14⤵PID:2444
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\photolaunch.exe" /photo /checkasso2⤵PID:5804
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\photolaunch.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\photolaunch.exe" /photo /checkasso3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:488 -
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /wpscloudlaunch /run_plugin /plugin_name=kfileassociate /plugin_type=dll /plugin_entry=EntryPoint /action=regassocall /src=auto4⤵
- Executes dropped EXE
PID:3848 -
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\wpscloudsvr.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\wpscloudsvr.exe" /wpscloudlaunch /run_plugin /plugin_name=kfileassociate /plugin_type=dll /plugin_entry=EntryPoint /action=regassocall /src=auto5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2368
-
-
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" Run addons/kpluginwrapper/kpluginwrapper.dll run_plugin -plugin_name=kmessagepushcenter -dll_name=kmessagepushcenter silentreg4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5684 -
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\wps.exe"C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\wps.exe" Run addons/kpluginwrapper/kpluginwrapper.dll run_plugin -plugin_name=kmessagepushcenter -dll_name=kmessagepushcenter silentreg5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3436
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
- Browser Extensions: 1
- Event Triggered Execution: 2
  - Change Default File Association: 1
  - Component Object Model Hijacking: 1
- Pre-OS Boot: 1
  - Bootkit: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
- Event Triggered Execution: 2
  - Change Default File Association: 1
  - Component Object Model Hijacking: 1
Defense Evasion
- Modify Registry: 4
- Pre-OS Boot: 1
  - Bootkit: 1
- Subvert Trust Controls: 1
  - Install Root Certificate: 1
Downloads
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\addons\kskincenter\ksolaunch\normal\logo-small.png
Filesize6KB
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\addons\kskincenter\ksolaunch\normal\logo.png
Filesize12KB
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\addons\qing\mui\zh_CN\res\qingaccount\ferrPage_timeout.html
Filesize7KB
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\addons\wpsbox\mui\default\html\syncassistant\favicon.ico
Filesize4KB
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\addons\yunbox\mui\default\html\folderselector\dist\static\fonts\element-icons.ttf
Filesize54KB
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\addons\yunbox\mui\default\html\syncfolder\static\css\app.css
Filesize107KB
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\addons\yunbox\mui\default\html\syncfolder\static\css\chunk-vendors.css
Filesize279KB
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\addons\yunbox\mui\default\html\syncfolder\static\js\app.js
Filesize369KB
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\addons\yunbox\mui\default\html\syncfolder\static\js\chunk-vendors.js
Filesize425KB
-
C:\Users\Admin\AppData\Local\Kingsoft\WPS Office\12.1.0.18912\office6\mui\zh_CN\templates\Wpp Default Object\Preset Slide Layout\wideLayout\presetLayout_16.pptx
Filesize45KB
-
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-errorhandling-l1-1-0.dll
Filesize10KB
-
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-interlocked-l1-1-0.dll
Filesize 11KB
-
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-libraryloader-l1-1-0.dll
Filesize 11KB
-
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-localization-l1-2-0.dll
Filesize 13KB
-
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-processenvironment-l1-1-0.dll
Filesize 11KB
-
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-processthreads-l1-1-0.dll
Filesize 13KB
-
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-processthreads-l1-1-1.dll
Filesize 11KB
-
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-core-rtlsupport-l1-1-0.dll
Filesize 10KB
-
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\api-ms-win-crt-environment-l1-1-0.dll
Filesize 11KB
-
C:\Users\Admin\AppData\Local\Temp\wps\~e57a95f\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll
Filesize 145KB
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\kconfigcenter\kccsdkdb\kccsdkpriortydb\mdbx.dat
Filesize 64KB
-
C:\Users\Admin\AppData\Roaming\kingsoft\wps\addons\data\win-i386\kconfigcenter\kccsdkdb\kccsdkpriortydb\mdbx.dat
Filesize 64KB